diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 14021740e8..956aa34a1f 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -57,8 +57,8 @@ # Update, troubleshoot, or recover HoloLens ## [Update HoloLens](hololens-update-hololens.md) -## [Restart, reset, or recover HoloLens](hololens-recovery.md) -## [Restart, reset, or recover HoloLens 1st Gen](hololens1-recovery.md) +## [Restart, reset, or recover HoloLens 2](hololens-recovery.md) +## [Restart, reset, or recover HoloLens (1st gen) ](hololens1-recovery.md) ## [Troubleshoot HoloLens issues](hololens-troubleshooting.md) ## [Collect diagnostic information from HoloLens devices](hololens-diagnostic-logs.md) ## [Known issues for HoloLens](hololens-known-issues.md) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index 08af92c386..e37c3e14ec 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -85,9 +85,9 @@ One way in which developing for HoloLens differs from developing for Desktop is ## Frequently asked questions -### Is Windows Hello for Business supported on HoloLens? +### Is Windows Hello for Business supported on HoloLens (1st Gen)? -Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens: +Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens (1st Gen). To allow Windows Hello for Business PIN sign-in on HoloLens: 1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md). 1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello)) 
@@ -96,13 +96,19 @@ Windows Hello for Business (which supports using a PIN to sign in) is supported > [!NOTE] > Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). -#### Does the type of account change the sign-in behavior? +### How is Iris biometric authentication implemented on HoloLens 2? -Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: +HoloLens 2 supports Iris authentication. Iris is based on Windows Hello technology and is supported for use by both Azure Active Directory and Microsoft Accounts. Iris is implemented the same way as other Windows Hello technologies, and achieves biometrics security FAR of 1/100K. -- **Microsoft account**: signs in automatically -- **Local account**: always asks for password, not configurable in **Settings** -- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password. +You can learn more about biometric requirements and specifications for Windows Hello [here](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification). + +### How does the type of account affect sign-in behavior? + +If you apply policies for sign-in, the policy is always respected. 
If no policy for sign-in is applied, these are the default behaviors for each account type: + +- **Azure AD**: asks for authentication by default, and configurable by **Settings** to no longer ask for authentication. +- **Microsoft account**: lock behavior is different allowing automatic unlock, however sign in authentication is still required on reboot. +- **Local account**: always asks for authentication in the form of a password, not configurable in **Settings** > [!NOTE] > Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy. diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md index 8c3374807f..d8dd0ceb11 100644 --- a/devices/hololens/hololens-recovery.md +++ b/devices/hololens/hololens-recovery.md 
@@ -49,11 +49,11 @@ Under certain circumstances the customer may be required to manually reset the d ### Standard procedure 1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable. -2. Press and hold the power button for 15 seconds. All LEDs should be off. +2. Press and hold the **power button** for 15 seconds. All LEDs should be off. -3. Wait 2-3 seconds and Short press the power button, the LEDs close to the power button will light up and the device will start to boot. +3. Wait 2-3 seconds and Short press the **power button**, the LEDs close to the power button will light up and the device will start to boot. -4. Connect the device to the host PC, open Device Manager (for Windows 10 press the “Windows” key and then the “x” key and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below: +4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below: ![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLensRecovery.png) 
@@ -63,13 +63,13 @@ If the standard reset procedure does not work, you can use the hard-reset proced 1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable. -2. Hold volume down + power for 15 seconds. +2. Hold **volume down + power button** for 15 seconds. 3. The device will automatically reboot. -4. Connect the device to the host PC, open Device Manager (for Windows 10 press the “Windows” key and then the “x” key and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below. +4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below. -![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLensRecovery.png) +![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLens_DeviceManager.png) ## Clean reflash the device 
@@ -97,11 +97,11 @@ If the device does not boot correctly you may need to put the HoloLens 2 device 1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable. -2. Press and hold the power button for 15 seconds. All LEDs should turn off. +2. Press and hold the **power button** for 15 seconds. All LEDs should turn off. -3. While pressing the volume up button, press and release the power button to boot the device. Wait 10 seconds before releasing the volume up button. Out of the 5 LEDs on the device, only the middle LED will light up. +3. While pressing the **volume up button**, press and release the **power button** to boot the device. Wait 15 seconds before releasing the volume up button. Out of the 5 LEDs on the device, only the middle LED will light up. -4. Connect the device to the host PC, open Device Manager (for Windows 10 press the “Windows” key and then the “x” key and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the image below. +4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the image below. ![HoloLens 2 MicrosoftHoloLensRecovery](images/MicrosoftHoloLensRecovery.png) diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md index b4d107902a..d0bd894a3e 100644 --- a/devices/hololens/hololens-troubleshooting.md +++ b/devices/hololens/hololens-troubleshooting.md 
@@ -27,14 +27,14 @@ This article describes how to resolve several common HoloLens issues. If your HoloLens won't start: -- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to charge your HoloLens. -- If the LEDs light up when you press the power button but you can't see anything on the displays, hold the power button until all five of the LEDs turn off. +- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to [charge your HoloLens.](hololens-recovery.md#charging-the-device) +- If the LEDs light up when you press the power button but you can't see anything on the displays, [preform a hard reset of the device](hololens-recovery.md#hard-reset-procedure). If your HoloLens becomes frozen or unresponsive: -- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 10 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again. +- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 15 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again. -If these steps don't work, you can try [recovering your device](hololens-recovery.md). +If these steps don't work, you can try [recovering your HoloLens 2 device](hololens-recovery.md) or [HoloLens (1st gen) device.](hololens1-recovery.md) ## Holograms don't look good 
@@ -92,6 +92,6 @@ You'll need to free up some storage space by doing one or more of the following: The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space. -## The HoloLens emulators isn't working +## The HoloLens emulator isn't working Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting). diff --git a/devices/hololens/images/MicrosoftHoloLens_DeviceManager.png b/devices/hololens/images/MicrosoftHoloLens_DeviceManager.png new file mode 100644 index 0000000000..ca2bd894a1 Binary files /dev/null and b/devices/hololens/images/MicrosoftHoloLens_DeviceManager.png differ diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 415aa6a9b9..f6b0b2998b 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md 
@@ -17,16 +17,13 @@ ms.date: 06/26/2017 # Certificate Renewal - The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. -> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. - -  +> [!Note] +> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. ## In this topic - - [Automatic certificate renewal request](#automatic-certificate-renewal-request) - [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration) - [Certificate renewal response](#certificate-renewal-response) 
@@ -35,12 +32,10 @@ The enrolled client certificate expires after a period of use. The expiration da ## Automatic certificate renewal request - In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal. -> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. - -  +> [!Note] +> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate. @@ -54,7 +49,7 @@ During the automatic certificate renew process, the device will deny HTTP redire The following example shows the details of an automatic renewal request. -``` +``` xml @@ -106,7 +101,6 @@ The following example shows the details of an automatic renewal request. ``` - ## Certificate renewal schedule configuration 
@@ -116,11 +110,10 @@ For more information about the parameters, see the CertificateStore configuratio Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week. -> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. +> [!Note] +> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. > For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design. -  - ## Certificate renewal response When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): 
@@ -133,12 +126,12 @@ When RequestType is set to Renew, the web service verifies the following (in add After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. - +> [!Note] +> The HTTP server response must not be chunked; it must be sent as one message. The following example shows the details of an certificate renewal response. -``` +``` xml @@ -163,25 +156,15 @@ The following example shows the details of an certificate renewal response. ``` -> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. - -  +> [!Note] +The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. ## Configuration service providers supported during MDM enrollment and certificate renewal - The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. - CertificateStore - w7 APPLICATION - DMClient - EnterpriseAppManagement - -  - - - - - - diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 0f2ec33a8f..0337dad577 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md 
@@ -14,17 +14,15 @@ ms.date: 02/28/2020 # ClientCertificateInstall CSP - -The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. +The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. -> **Note**   -Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +> [!Note] +> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. 
- The following image shows the ClientCertificateInstall configuration service provider in tree format. ![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) @@ -63,7 +61,6 @@ The data type is an integer corresponding to one of the following values: | 3 | Install to software. | | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | - **ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. @@ -107,9 +104,9 @@ Supported operations are Get, Add, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. -> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. +> [!Note] +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. - The data type bool. Supported operations are Get, Add, and Replace. 
@@ -138,21 +135,20 @@ Supported operations are Add, Get, and Replace. **ClientCertificateInstall/SCEP** Node for SCEP. -> **Note**  An alert is sent after the SCEP certificate is installed. +> [!Note] +> An alert is sent after the SCEP certificate is installed. - **ClientCertificateInstall/SCEP/***UniqueID* A unique ID to differentiate different certificate installation requests. - **ClientCertificateInstall/SCEP/*UniqueID*/Install** A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. Supported operations are Get, Add, Replace, and Delete. -> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. +> [!Note] +> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. - **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. 
@@ -191,9 +187,9 @@ Supported operations are Add, Get, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** Optional. Specifies where to keep the private key. -> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. +> [!Note] +> Even if the private key is protected by TPM, it is not protected with a TPM PIN. - The data type is an integer corresponding to one of the following values: | Value | Description | @@ -203,7 +199,6 @@ The data type is an integer corresponding to one of the following values: | 3 | (Default) Private key saved in software KSP. | | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | - Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** @@ -238,9 +233,9 @@ Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** Optional. OID of certificate template name. -> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. +> [!Note] +> This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. - Data type is string. Supported operations are Add, Get, Delete, and Replace. @@ -294,7 +289,6 @@ Valid values are: > **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. - Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** 
@@ -302,9 +296,9 @@ Optional. Specifies the desired number of units used in the validity period. Thi Data type is string. ->**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. +> [!Note] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. - Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** @@ -358,7 +352,6 @@ The only supported operation is Get. | 16 | Action failed | | 32 | Unknown | - **ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** Optional. An integer value that indicates the HRESULT of the last enrollment error code. @@ -373,7 +366,6 @@ The only supported operation is Get. ## Example - Enroll a client certificate through SCEP. ```xml @@ -669,15 +661,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 0842fb0031..ecfd84d7fa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -120,8 +120,6 @@ The following table describes the supported values: | 50 | Ransomware | | 51 | ASR Rule | - - Supported operation is Get. **Detections/*ThreatId*/CurrentStatus** 
@@ -179,9 +177,9 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. **Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. +Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. -Data type is integer. Supported operation is Get. +Data type is integer. Supported operation is Get. Supported product status values: - No status = 0 
@@ -248,60 +246,60 @@ Supported operation is Get. **Health/DefenderEnabled** Indicates whether the Windows Defender service is running. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/RtpEnabled** Indicates whether real-time protection is running. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/NisEnabled** Indicates whether network protection is running. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/QuickScanOverdue** Indicates whether a Windows Defender quick scan is overdue for the device. -A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default) +A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default). -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/FullScanOverdue** Indicates whether a Windows Defender full scan is overdue for the device. -A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default) +A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default). -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. 
**Health/SignatureOutOfDate** Indicates whether the Windows Defender signature is outdated. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/RebootRequired** Indicates whether a device reboot is needed. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/FullScanRequired** Indicates whether a Windows Defender full scan is required. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. @@ -357,7 +355,7 @@ Supported operation is Get. **Health/TamperProtectionEnabled** Indicates whether the Windows Defender tamper protection feature is enabled.​ -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. @@ -422,5 +420,4 @@ Supported operations are Get and Execute. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 8b68977b69..2d435e85ed 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md 
@@ -23,7 +23,6 @@ User Experience Virtualization (UE-V) supports Microsoft Application Virtualizat ## UE-V settings synchronization for App-V applications - UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment. **To implement settings synchronization for a virtualized application** 
@@ -34,28 +33,11 @@ UE-V monitors when an application opens by the program name and, optionally, by 3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet. - **Note**   - If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. - - + > [!NOTE] + > If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. 4. Start the App-V package. - - - - - ## Related topics - [Administering UE-V](uev-administering-uev.md) - - - - - - - - - diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 414c766a67..0371ab7f89 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md 
@@ -30,55 +30,52 @@ The following resources provide additional information about using Windows Updat [Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) - ## How do I reset Windows Update components? -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. - - -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update. +[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. +[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update. ## Reset Windows Update components manually 1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: - ```console + ``` console cmd ``` 2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console net stop bits net stop wuauserv ``` 3. Delete the qmgr\*.dat files. 
To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" ``` 4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. 1. Rename the following folders to *.BAK: - ```console + ``` console %systemroot%\SoftwareDistribution\DataStore %systemroot%\SoftwareDistribution\Download %systemroot%\system32\catroot2 ``` To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console Ren %systemroot%\SoftwareDistribution\DataStore *.bak Ren %systemroot%\SoftwareDistribution\Download *.bak Ren %systemroot%\system32\catroot2 *.bak ``` 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) ``` 5. Type the following command at a command prompt, and then press ENTER: - ```console + ``` console cd /d %windir%\system32 ``` 6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console regsvr32.exe atl.dll regsvr32.exe urlmon.dll regsvr32.exe mshtml.dll 
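Review bot: In the `@@ -30,55 +30,52 @@` hunk, step 4 still tells the reader that its sub-steps "are also performed by the 'Aggressive' mode of the Fix it Solution above", but nothing above it in this section is a Fix it solution; the section now links to the "Reset Windows Update Client settings script" and the "Reset Windows Update Agent script", so either point step 4 at whichever of those scripts has an aggressive mode or drop the sentence. A style point on the same hunk: every fence opener gains a space between the opening backticks and the `console` tag, while the vamt-known-issues.md hunk in this same change switches `cmd` to `console` with no space. CommonMark trims the info string, so both forms render, but the no-space form is the one used elsewhere in this change; keep them consistent.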
@@ -118,20 +115,20 @@ The following resources provide additional information about using Windows Updat ``` 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console netsh winsock reset ``` 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console proxycfg.exe -d ``` 9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console net start bits net start wuauserv ``` 10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console bitsadmin.exe /reset /allusers ``` diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index 3b16df17e6..418f73f68c 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md 
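Review bot: In the `@@ -118,20 +115,20 @@` hunk, steps 8 and 10 are conditioned on "Windows XP or Windows Server 2003" and "Windows Vista or Windows Server 2008", which this Windows 10 page under windows/deployment/update/ does not otherwise cover; since the hunk is already touching these steps, consider stating that they can be skipped on Windows 10 or moving them into a note, so a reader following the numbered procedure does not stop at a step that does not apply. The fence openers here carry the same added space before `console` as the first hunk; whichever spelling is chosen, apply it to both hunks.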
@@ -16,7 +16,6 @@ ms.topic: article # Determine What to Migrate - By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. @@ -25,7 +24,6 @@ To reduce complexity and increase standardization, your organization should cons ## In This Section - @@ -51,18 +49,6 @@ To reduce complexity and increase standardization, your organization should cons
- - ## Related topics - [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - - - - - - - diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index b4173bb737..d28e648aac 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -48,13 +48,13 @@ On the KMS host computer, perform the following steps: 1. To extract the contents of the update, run the following command: - ```cmd + ```console expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ ``` 1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: - ```cmd + ```console expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 ``` diff --git a/windows/deployment/windows-autopilot/autopilot-mbr.md b/windows/deployment/windows-autopilot/autopilot-mbr.md index f103766d0d..28c376ab92 100644 --- a/windows/deployment/windows-autopilot/autopilot-mbr.md +++ b/windows/deployment/windows-autopilot/autopilot-mbr.md 
@@ -1,420 +1,421 @@ ---- -title: Windows Autopilot motherboard replacement -ms.reviewer: -manager: laurawi -description: Windows Autopilot deployment MBR scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article ---- - - -# Windows Autopilot motherboard replacement scenario guidance - -**Applies to** - -- Windows 10 - -This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. - -Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. - -**Motherboard Replacement (MBR)** - -If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: - -1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot -2. [Replace the motherboard](#replace-the-motherboard) -3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) -4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot -5. [Reset the device](#reset-the-device) -6. [Return the device](#return-the-repaired-device-to-the-customer) - -Each of these steps is described below. 
- -## Deregister the Autopilot device from the Autopilot program - -Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. - -**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. - -**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. - -### Deregister from Intune - -To deregister an Autopilot device from Intune, an IT Admin would: - -1. Sign in to their Intune account -2. Navigate to Intune > Groups > All groups -3. Remove the desired device from its group -4. 
Navigate to Intune > Devices > All devices -5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu -6. Navigate to Intune > Devices > Azure AD devices -7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu -8. Navigate to Intune > Device enrollment > Windows enrollment > Devices -9. Select the checkbox next to the device you want to deregister -10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” -11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored -12. With the unassigned device still selected, click the Delete button along the top menu to remove this device - -**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. - -The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. - -More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). 
- -### Deregister from MPC - -To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: - -1. Log into MPC -2. Navigate to Customer > Devices -3. Select the device to be deregistered and click the “Delete device” button - -![devices](images/devices.png) - -**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. - -Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. - -Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: -1. Copy all important data off the device. -2. Let the repair facility know which version of Windows they should reinstall after the repair. -3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. - -## Replace the motherboard - -Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. - -Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. 
To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: - -- DiskSerialNumber -- SmbiosSystemSerialNumber -- SmbiosSystemManufacturer -- SmbiosSystemProductName -- SmbiosUuid -- TPM EKPub -- MacAddress -- ProductKeyID -- OSType - -**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as: -- Verify that the device is still functional -- Disable BitLocker* -- Repair the Boot Configuration Data (BCD) -- Repair and verify the network driver operation - -*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair. - -## Capture a new Autopilot device ID (4K HH) from the device - -Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: - -1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). -2. The repair technician boots the device to WinPE. -3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). - - **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. - -4. 
The repair technician boots the device into the new Windows image. -5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. - -Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). - -Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: - -1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). -2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - ->If you are prompted to install the NuGet package, choose **Yes**.
->If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
->If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. - -The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. - -**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. - - -## Reregister the repaired device using the new device ID - -If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. - -### Reregister from Intune - -To reregister an Autopilot device from Intune, an IT Admin would: -1. Sign in to Intune. -2. Navigate to Device enrollment > Windows enrollment > Devices > Import. -3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). - -The following video provides a good overview of how to (re)register devices via MSfB.
- -> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] - -### Reregister from MPC - -To reregister an Autopilot device from MPC, an OEM or CSP would: - -1. Sign in to MPC. -2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. - -![device](images/device2.png)
-![device](images/device3.png) - -In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. - -**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: - -![hash](images/hh.png) - -## Reset the device - -Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: - -On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. - -![reset](images/reset.png) - -However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). - -## Return the repaired device to the customer - -After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. 
- -**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. - -**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. - -## Specific repair scenarios - -This section covers the most common repair scenarios, and their impact on Autopilot enablement. - -NOTES ON TEST RESULTS: - -- Scenarios below were tested using Intune only (no other MDMs were tested). -- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. -- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair. -- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. -- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) - -In the following table:
-- Supported = **Yes**: the device can be reenabled for Autopilot -- Supported = **No**: the device cannot be reenabled for Autopilot - - -
ScenarioSupportedMicrosoft Recommendation -
Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: - -1. Autopilot device is deregistered from the Autopilot program -2. The motherboard is replace -3. The device is reimaged (with BIOS info and DPK reinjected)* -4. A new Autopilot device ID (4K HH) is captured off the device -5. The repaired device is reregistered for the Autopilot program using the new device ID -6. The repaired device is reset to boot to OOBE -7. The repaired device is shipped back to the customer - -*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. - -
MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes - -1. Deregister damaged device -2. Replace motherboard -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write device info into BIOS -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. -
MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.)* -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device - -
MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Insert new HDD and WLAN -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Insert new HDD -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes - -1. Deregister old device from which MB will be taken -2. Deregister damaged device (that you want to repair) -3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) -4. Reimage device (to gain access), unless have access to customers’ login credentials -5. Write old device info into BIOS (same s/n, model, etc.) -6. Capture new 4K HH -7. Reregister repaired device -8. Reset device back to OOBE -9. Go through Autopilot OOBE (customer) -10. Autopilot successfully enabled - -NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. - -
BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. - -1. Deregister damaged device -2. Replace motherboard (BIOS does NOT contain device info) -3. Reimage and write DPK into image -4. Capture new 4K HH -5. Reregister repaired device -6. Create Autopilot profile for device -7. Go through Autopilot OOBE (customer) -8. Autopilot FAILS to recognize repaired device - -
MBR when there is no TPM chipYesThough we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: - -1. Deregister damaged device -2. Replace motherboard -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write old device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reregister repaired device -7. Reset device back to OOBE -8. Go through Autopilot OOBE (customer) -9. Autopilot successfully enabled - -
New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. - -1. Deregister damaged device -2. Replace motherboard – BIOS does NOT contain DPK info -3. Reimage device (to gain access), unless have access to customers’ login credentials -4. Write device info into BIOS (same s/n, model, etc.) -5. Capture new 4K HH -6. Reset or reimage device to pre-OOBE and write DPK into image -7. Reregister repaired device -8. Go through Autopilot OOBE -9. Autopilot successfully enabled - -
New Repair Product Key (RDPK)YesUsing a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. - -1. Deregister damaged device -2. Replace motherboard (with new RDPK preinjected in BIOS) -3. Reimage or rest image to pre-OOBE -4. Write device info into BIOS -5. Capture new 4K HH -6. Reregister repaired device -7. Reimage or reset image to pre-OOBE -8. Go through Autopilot OOBE -9. Autopilot successfully enabled - -
No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. -
Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer - -1. Reimage damaged device -2. Write DPK into image -3. Go through Autopilot OOBE -4. Autopilot successfully enabled (to previous tenant ID) - -
Disk replacement from a non-Autopilot device to an Autopilot deviceYes - -1. Do not deregister damaged device prior to repair -2. Replace HDD on damaged device -3. Reimage or reset image back to OOBE -4. Go through Autopilot OOBE (customer) -5. Autopilot successfully enabled (repaired device recognized as its previous self) - -
Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. - -Assuming the used HDD was previously deregistered (before being used in this repair): - -1. Deregister damaged device -2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device -3. Reimage or rest the repaired device back to a pre-OOBE state -4. Go through Autopilot OOBE (customer) -5. Autopilot successfully enabled - -
Third party network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. -
A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. -
Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. -
GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. -
- ->When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. - -**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: -- Memory (RAM or ROM) -- Power Supply -- Video Card -- Card Reader -- Sound card -- Expansion card -- Microphone -- Webcam -- Fan -- Heat sink -- CMOS battery - -Other repair scenarios not yet tested and verified include: -- Daughterboard replacement -- CPU replacement -- Wifi replacement -- Ethernet replacement - -## FAQ - -| Question | Answer | -| --- | --- | -| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | -| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | -| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | - -## Related topics - -[Device guidelines](autopilot-device-guidelines.md)
+--- +title: Windows Autopilot motherboard replacement +ms.reviewer: +manager: laurawi +description: Windows Autopilot deployment MBR scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +--- + + +# Windows Autopilot motherboard replacement scenario guidance + +**Applies to** + +- Windows 10 + +This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios. + +Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEM’s require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios. + +**Motherboard Replacement (MBR)** + +If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended: + +1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot +2. [Replace the motherboard](#replace-the-motherboard) +3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device) +4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot +5. [Reset the device](#reset-the-device) +6. [Return the device](#return-the-repaired-device-to-the-customer) + +Each of these steps is described below. 
+ +## Deregister the Autopilot device from the Autopilot program + +Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admin’s Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC. + +**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves. + +**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didn’t register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune. + +### Deregister from Intune + +To deregister an Autopilot device from Intune, an IT Admin would: + +1. Sign in to their Intune account +2. Navigate to Intune > Groups > All groups +3. Remove the desired device from its group +4. 
Navigate to Intune > Devices > All devices +5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu +6. Navigate to Intune > Devices > Azure AD devices +7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu +8. Navigate to Intune > Device enrollment > Windows enrollment > Devices +9. Select the checkbox next to the device you want to deregister +10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user” +11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored +12. With the unassigned device still selected, click the Delete button along the top menu to remove this device + +**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance. + +The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present. + +More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group). 
+ +### Deregister from MPC + +To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would: + +1. Log into MPC +2. Navigate to Customer > Devices +3. Select the device to be deregistered and click the “Delete device” button + +![devices](images/devices.png) + +**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section. + +Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call. + +Because the repair facility will not have access to the user’s login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair: +1. Copy all important data off the device. +2. Let the repair facility know which version of Windows they should reinstall after the repair. +3. If applicable, let the repair facility know which version of Office they should reinstall after the repair. + +## Replace the motherboard + +Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected. + +Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after an MBR varies. 
To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum: + +- DiskSerialNumber +- SmbiosSystemSerialNumber +- SmbiosSystemManufacturer +- SmbiosSystemProductName +- SmbiosUuid +- TPM EKPub +- MacAddress +- ProductKeyID +- OSType + +**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in an MBR, such as: +- Verify that the device is still functional +- Disable BitLocker* +- Repair the Boot Configuration Data (BCD) +- Repair and verify the network driver operation + +*BitLocker can be suspended rather than disabled if the technician has the ability to resume it after the repair. + +## Capture a new Autopilot device ID (4K HH) from the device + +Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customer’s login credentials, they will have to reimage the device in order to gain access, per the following steps: + +1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition). +2. The repair technician boots the device to WinPE. +3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images). + + **NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example. + +4. 
The repair technician boots the device into the new Windows image. +5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below. + +Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH). + +Alternatively, the [WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps: + +1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below). +2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example. + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +>If you are prompted to install the NuGet package, choose **Yes**.
+>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.
+>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**. + +The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually. + +**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device. + + +## Reregister the repaired device using the new device ID + +If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below. + +### Reregister from Intune + +To reregister an Autopilot device from Intune, an IT Admin would: +1. Sign in to Intune. +2. Navigate to Device enrollment > Windows enrollment > Devices > Import. +3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document). + +The following video provides a good overview of how to (re)register devices via MSfB.
+ +> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0] + +### Reregister from MPC + +To reregister an Autopilot device from MPC, an OEM or CSP would: + +1. Sign in to MPC. +2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file. + +![device](images/device2.png)
+![device](images/device3.png) + +In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple was used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID. + +**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below: + +![hash](images/hh.png) + +## Reset the device + +Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows: + +On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset. + +![reset](images/reset.png) + +However, it’s likely the repair facility won’t have access to Windows because they lack the user credentials to sign in, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image). + +## Return the repaired device to the customer + +After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE. 
+ +**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., there’s no way to log into the device because it’s been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves. + +**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isn’t actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step. + +## Specific repair scenarios + +This section covers the most common repair scenarios, and their impact on Autopilot enablement. + +NOTES ON TEST RESULTS: + +- Scenarios below were tested using Intune only (no other MDMs were tested). +- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled. +- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to back up data (if possible) prior to repair. +- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot. +- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID) + +In the following table:
+- Supported = **Yes**: the device can be reenabled for Autopilot +- Supported = **No**: the device cannot be reenabled for Autopilot + + +
ScenarioSupportedMicrosoft Recommendation +
Motherboard Replacement (MBR) in generalYesThe recommended course of action for MBR scenarios is: + +1. Autopilot device is deregistered from the Autopilot program +2. The motherboard is replace +3. The device is reimaged (with BIOS info and DPK reinjected)* +4. A new Autopilot device ID (4K HH) is captured off the device +5. The repaired device is reregistered for the Autopilot program using the new device ID +6. The repaired device is reset to boot to OOBE +7. The repaired device is shipped back to the customer + +*It’s not necessary to reimage the device if the repair technician has access to the customer’s login credentials. It’s technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes. + +
MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)Yes + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless you have access to customers’ login credentials +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboardNoThis scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution. +
MBR where the NIC card, HDD, and WLAN all remain the same after the repairYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless you have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.)* +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device + +
MBR where the NIC card remains the same, but the HDD and WLAN are replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD and WLAN +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR where the NIC card and WLAN remains the same, but the HDD is replacedYes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Insert new HDD +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.Yes + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage device (to gain access), unless you have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.Yes + +1. Deregister old device from which MB will be taken +2. Deregister damaged device (that you want to repair) +3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS) +4. Reimage device (to gain access), unless you have access to customers’ login credentials +5. Write old device info into BIOS (same s/n, model, etc.) +6. Capture new 4K HH +7. Reregister repaired device +8. Reset device back to OOBE +9. Go through Autopilot OOBE (customer) +10. Autopilot successfully enabled + +NOTE: The repaired device can also be used successfully as a normal, non-Autopilot device. + +
BIOS info excluded from MBR deviceNoRepair facility does not have BIOS tool to write device info into BIOS after MBR. + +1. Deregister damaged device +2. Replace motherboard (BIOS does NOT contain device info) +3. Reimage and write DPK into image +4. Capture new 4K HH +5. Reregister repaired device +6. Create Autopilot profile for device +7. Go through Autopilot OOBE (customer) +8. Autopilot FAILS to recognize repaired device + +
MBR when there is no TPM chipYesThough we do not recommend enabling Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot device in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would: + +1. Deregister damaged device +2. Replace motherboard +3. Reimage device (to gain access), unless you have access to customers’ login credentials +4. Write old device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reregister repaired device +7. Reset device back to OOBE +8. Go through Autopilot OOBE (customer) +9. Autopilot successfully enabled + +
New DPK written into image on repaired Autopilot device with a new MBYesRepair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR. + +1. Deregister damaged device +2. Replace motherboard – BIOS does NOT contain DPK info +3. Reimage device (to gain access), unless you have access to customers’ login credentials +4. Write device info into BIOS (same s/n, model, etc.) +5. Capture new 4K HH +6. Reset or reimage device to pre-OOBE and write DPK into image +7. Reregister repaired device +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
New Repair Product Key (RDPK)YesUsing a motherboard with a new RDPK preinjected results in a successful Autopilot refurbishment scenario. + +1. Deregister damaged device +2. Replace motherboard (with new RDPK preinjected in BIOS) +3. Reimage or rest image to pre-OOBE +4. Write device info into BIOS +5. Capture new 4K HH +6. Reregister repaired device +7. Reimage or reset image to pre-OOBE +8. Go through Autopilot OOBE +9. Autopilot successfully enabled + +
No Repair Product Key (RDPK) injectedNoThis scenario violates Microsoft policy and breaks the Windows Autopilot experience. +
Reimage damaged Autopilot device that was not deregistered prior to repairYes, but the device will still be associated with previous tenant ID, so should only be returned to same customer + +1. Reimage damaged device +2. Write DPK into image +3. Go through Autopilot OOBE +4. Autopilot successfully enabled (to previous tenant ID) + +
Disk replacement from a non-Autopilot device to an Autopilot deviceYes + +1. Do not deregister damaged device prior to repair +2. Replace HDD on damaged device +3. Reimage or reset image back to OOBE +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled (repaired device recognized as its previous self) + +
Disk replacement from one Autopilot device to another Autopilot deviceMaybeIf the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience. + +Assuming the used HDD was previously deregistered (before being used in this repair): + +1. Deregister damaged device +2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device +3. Reimage or rest the repaired device back to a pre-OOBE state +4. Go through Autopilot OOBE (customer) +5. Autopilot successfully enabled + +
Non-Microsoft network card replacement NoWhether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended. +
A device repaired more than 3 timesNoAutopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future. +
Memory replacementYesReplacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory. +
GPU replacementYesReplacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU. +
+ +>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two. + +**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps: +- Memory (RAM or ROM) +- Power Supply +- Video Card +- Card Reader +- Sound card +- Expansion card +- Microphone +- Webcam +- Fan +- Heat sink +- CMOS battery + +Other repair scenarios not yet tested and verified include: +- Daughterboard replacement +- CPU replacement +- Wifi replacement +- Ethernet replacement + +## FAQ + +| Question | Answer | +| --- | --- | +| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. | +| What if only some components are replaced rather than the full motherboard? | While it’s true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. | +| How does a repair technician gain access to a broken device if they don’t have the customer’s login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. | + +## Related topics + +[Device guidelines](autopilot-device-guidelines.md)
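Review bot: the row retitled "Non-Microsoft network card replacement" (was "Third party network card replacement") now says something different from its own body, which still reads "any scenario where a 3rd party (not onboard) Network card is replaced". The scenario is about a discrete add-in NIC as opposed to the onboard one, not about who manufactures it (Microsoft ships no NICs, so the new title describes every NIC). Suggest "Add-in (non-onboard) network card replacement" for the title and "add-in (not onboard) network card" in the body so the two agree. Since this hunk rewrites the whole file, it is also the place to fix the defects it carries forward: "Reimage or rest image to pre-OOBE" in the "New Repair Product Key (RDPK)" steps and "Reimage or rest the repaired device" in the disk-replacement steps ("rest" should be "reset"); in that same RDPK list step 3 and step 7 are both the reimage-to-pre-OOBE, and step 3 should read "Reimage device (to gain access)" as the other rows do, because the 4K HH capture in step 5 needs the device in full OS or audit mode and the reset to pre-OOBE belongs after reregistration; and "The motherboard is replace" in the general MBR row should be "replaced". One security nit in the capture procedure: `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force` is process-scoped, which is acceptable, but `RemoteSigned` is the narrower setting and is sufficient if the Gallery script is Authenticode-signed; the doc should say which one it expects repair technicians to use.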
diff --git a/windows/deployment/windows-autopilot/bitlocker.md b/windows/deployment/windows-autopilot/bitlocker.md index a33cb8d60e..542243d569 100644 --- a/windows/deployment/windows-autopilot/bitlocker.md +++ b/windows/deployment/windows-autopilot/bitlocker.md 
@@ -23,9 +23,9 @@ ms.topic: article - Windows 10 -With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. +With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encryption algorithm isn't applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins. -The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. +The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use. To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices: 
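Review bot: the reworded sentence still says the algorithm "sets the strength to which full volume encryption should occur", which is awkward and slightly misleading, since the choice is between cipher modes (CBC versus XTS) as well as key lengths, not a single strength setting. Suggest "selects the cipher mode and key length used for full-volume encryption". While here, "isn't" is the only contraction in the paragraph; "is not" would match the surrounding text.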
@@ -39,11 +39,11 @@ An example of Microsoft Intune Windows Encryption settings is shown below. ![BitLocker encryption settings](images/bitlocker-encryption.png) -Note that a device which is encrypted automatically will need to be decrypted prior to changing the encryption algorithm. +**Note**: A device that is encrypted automatically will need to be decrypted prior to changing the encryption algorithm. The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable. -Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. +**Note**: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**. ## Requirements @@ -51,4 +51,4 @@ Windows 10, version 1809 or later. ## See also -[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +[BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 31298d382d..f0a7008b37 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
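Review bot: The two bolded "**Note**:" lines in the -39 hunk bypass the alert syntax this docset already uses elsewhere in the same patch (`> [!NOTE]` in demonstrate-deployment-on-vm.md, `>[!IMPORTANT]` in existing-devices.md); convert both to `> [!NOTE]` blocks so they render as callouts rather than inline bold. The decrypt-before-changing-algorithm warning in particular deserves a callout, because the algorithm cannot be switched in place on a volume that automatic encryption has already processed. The "BitLocker overview" casing fix in the -51 hunk is correct.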
@@ -28,7 +28,7 @@ To get started with Windows Autopilot, you should try it out with a virtual mach In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. > [!NOTE] -> Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. +> Although there are [multiple platforms](add-devices.md#registering-devices) available to enable Autopilot, this lab primarily uses Intune. > Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. @@ -43,7 +43,7 @@ The following video provides an overview of the process: These are the things you'll need to complete this lab: - +
Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
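Review bot: In the -43 hunk the before and after rows for "Internet access" read identically here, so the only change appears to be markup; confirm the rendered table shows a single Internet access row and that the row tags stay balanced, since an unclosed row tag would duplicate the row in output. The -28 hunk's retarget from administer.md to add-devices.md#registering-devices is fine provided a "Registering devices" heading actually exists in that file; the hunk does not show it.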
@@ -110,9 +110,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh > Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - ![hyper-v feature](../images/hyper-v-feature.png) + ![Hyper-V feature](images/hyper-v-feature.png) - ![hyper-v](../images/svr_mgr2.png) + ![Hyper-V](images/svr_mgr2.png)

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. @@ -401,7 +401,7 @@ Optional: see the following video for an overview of the process. First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. -Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. +Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** on the upper-right-corner of the main page. Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: @@ -469,7 +469,7 @@ Click on **OK** and then click on **Create**. Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. -To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: +To create a Group, open the Azure portal and select **Azure Active Directory** > **Groups** > **All groups**: ![All groups](images/all-groups.png) 
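Review bot: The image path change in the -110 hunk (`../images/` to `images/`) is consistent with the two new binaries added later in this patch under windows-autopilot/images/, so the references resolve; check that no other page still points at the old `../images/` copies before those are removed. In the -401 hunk, "clicking **Sign in** on the upper-right-corner" reads worse than the original "in"; suggest "in the upper-right corner" (no hyphen before "corner").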
diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md index 81d649c077..2ea6052a20 100644 --- a/windows/deployment/windows-autopilot/existing-devices.md +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -59,7 +59,7 @@ See the following examples. >[!TIP] >To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616). -1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window +1. On an Internet connected Windows PC or server, open an elevated Windows PowerShell command window 2. Enter the following lines to install the necessary modules #### Install required modules 
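Review bot: Step 1 in the -59 hunk has the reader open an elevated PowerShell window and then install modules; because whatever follows runs under an admin token, the step should name the modules being installed and the version expected (pinning with a required version where the install command supports it) so the reader is not pulling an arbitrary current release. The wording fix ("PC or server, open") is fine.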
@@ -118,7 +118,7 @@ See the following examples. |------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | - | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | + | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, for example: tenant.onmicrosoft.com. | | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | | CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 | | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
0 = not required, 1 = required. | @@ -175,7 +175,7 @@ See the following examples. 4. Click **Next**, then enter the following **Membership Rules** details: - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. - - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next**, and then choose **PC-01** under **Resources**. See the following examples. ![Named resource1](images/pc-01a.png) ![Named resource2](images/pc-01b.png) @@ -198,7 +198,7 @@ See the following examples. - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. - Select the **Partition and format the target computer before installing the operating system** checkbox. - - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Select or clear **Configure task sequence for use with BitLocker** checkbox. This is optional. - Product Key and Server licensing mode: Optionally enter a product key and server licensing mode. - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. - Enable the account and specify the local administrator password: Optional. 
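Review bot: In the -118 hunk the unchanged CloudAssignedDomainJoinMethod row lists "Active AD Join = 0", which contradicts its own description (join Azure Active Directory, or Active Directory via Hybrid Azure AD Join); the 0 value should read "Azure AD Join = 0", and since this table is already being edited for wording it should be fixed here. In the -198 hunk, the unchanged line "disable the account on all support platforms (recommended)" should read "supported platforms"; the BitLocker casing fix above it is correct.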
@@ -210,7 +210,7 @@ See the following examples. >[!IMPORTANT] > The System Preparation Tool (sysprep) will run with the /Generalize parameter which, on Windows 10 versions 1903 and 1909, will delete the Autopilot profile file and the machine will boot into OOBE phase instead of Autopilot phase. To fix this issue, please see [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues). -5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. +5. Click **Next**, and then click **Next** again to accept the default settings on the Install Configuration Manager page. 6. On the State Migration page, enter the following details: - Clear the **Capture user settings and files** checkbox. - Clear the **Capture network settings** checkbox. @@ -222,7 +222,7 @@ See the following examples. 7. On the Include Updates page, choose one of the three available options. This selection is optional. 8. On the Install applications page, add applications if desired. This is optional. -9. Click **Next**, confirm settings, click **Next** and then click **Close**. +9. Click **Next**, confirm settings, click **Next**, and then click **Close**. 10. Right click on the Autopilot for existing devices task sequence and click **Edit**. 11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. 12. Click **Add** then click **New Group**. 
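Review bot: The -222 hunk applies ", and then" to step 9 but leaves step 12 in the same hunk as "Click **Add** then click **New Group**."; apply the same comma there ("Click **Add**, and then click **New Group**") for consistency. The IMPORTANT callout in the -210 hunk should stay prominent: sysprep /Generalize deleting the Autopilot profile on 1903 and 1909 means the device drops back to plain OOBE, which is exactly the failure the known-issues link addresses.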
@@ -245,7 +245,7 @@ See the following examples. 24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: - Automatically build mass storage driver list: **Not selected** - Do not reset activation flag: **Not selected** - - Shutdown the computer after running this action: **Optional** + - Shut down the computer after running this action: **Optional** ![Autopilot task sequence](images/ap-ts-1.png) @@ -259,9 +259,9 @@ See the following examples. Next, ensure that all content required for the task sequence is deployed to distribution points. 1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. -2. Click **Next**, **Review the content to distribute** and then click **Next**. +2. Click **Next**, **Review the content to distribute**, and then click **Next**. 3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. -4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. +4. On the Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. 5. When you are finished specifying content distribution, click **Next** twice then click **Close**. ### Deploy the OS with Autopilot Task Sequence diff --git a/windows/deployment/windows-autopilot/images/hyper-v-feature.png b/windows/deployment/windows-autopilot/images/hyper-v-feature.png new file mode 100644 index 0000000000..d7293d808e Binary files /dev/null and b/windows/deployment/windows-autopilot/images/hyper-v-feature.png differ 
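Review bot: Step 4 in the -259 hunk still needs a comma after "wizard" ("On the Add Distribution Points or Add Distribution Point Groups wizard, specify content destinations"); removing the stray "a" is correct. In the -245 hunk "Shut down" is the right verb form for the instruction.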
diff --git a/windows/deployment/windows-autopilot/images/svr_mgr2.png b/windows/deployment/windows-autopilot/images/svr_mgr2.png new file mode 100644 index 0000000000..dd2e6737c6 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/svr_mgr2.png differ diff --git a/windows/deployment/windows-autopilot/policy-conflicts.md b/windows/deployment/windows-autopilot/policy-conflicts.md index 6b53e0c5e5..f4abf3e78c 100644 --- a/windows/deployment/windows-autopilot/policy-conflicts.md +++ b/windows/deployment/windows-autopilot/policy-conflicts.md @@ -29,11 +29,11 @@ There are a significant number of policy settings available for Windows 10, both PolicyMore information Device restriction / Password Policy -When certain DeviceLock policies, such as minimum password length and password complexity, or any similar group policy settings, including any that disable auto-logon, are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience or user desktop auto-logon could fail unexpectantly. This is especially true for kiosk scenarios where passwords are automatically generated. +When certain DeviceLock policies, such as minimum password length and password complexity, or any similar group policy settings (including any that disable autologon) are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience (OOBE) or user desktop autologon can fail unexpectantly. This is especially true for kiosk scenarios where passwords are automatically generated. Windows 10 Security Baseline / Administrator elevation prompt behavior
Windows 10 Security Baseline / Require admin approval mode for administrators -When modifying user account control (UAC) settings during the out-of-box experience (OOBE) using device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process. +When modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied, enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process. diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index a03e5fbb55..ff194c99ab 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md 
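Review bot: The rewritten DeviceLock row in the -29 hunk keeps the misspelling "unexpectantly"; it should be "unexpectedly". In the UAC row, "especially if the device reboots after these policies are applied, enabling them to take effect" reads as if the reboot is what causes the prompts; clearer as "especially if the device reboots after these policies are applied, which lets them take effect". The workaround sentence would also benefit from stating why targeting users works: user-scoped settings land after sign-in, past the device ESP phase where the extra prompts break the flow.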
@@ -25,34 +25,34 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy ## Troubleshooting process -Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device: +Whether you are performing user-driven or self-deploying device deployments, the troubleshooting process is about the same. It is always useful to understand the flow for a specific device: -- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. -- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. -- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. -- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. -- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune). +- A network connection is established. This can be a wireless (Wi-fi) or wired (Ethernet) connection. +- The Windows Autopilot profile is downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place. +- User authentication occurs. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated. +- Azure Active Directory join occurs. 
For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials. +- Automatic MDM enrollment occurs. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (for example, Microsoft Intune). - Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in. For troubleshooting, key activities to perform are: -- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? -- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? -- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? -- Azure AD join issues. Was the device able to join Azure Active Directory? -- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? +- Configuration: Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)? +- Network connectivity: Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)? +- Autopilot OOBE behavior: Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected? 
+- Azure AD join issues: Was the device able to join Azure Active Directory? +- MDM enrollment issues: Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)? ## Troubleshooting Autopilot Device Import ### Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body **"Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"** -This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself, even if completely valid, fails to be decoded. +This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself (even if it is completely valid) fails to be decoded. -The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. Powershell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded. +The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. PowerShell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded. -The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding "A"s at the end doesn't change the actual payload data. 
+The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding **A**'s at the end doesn't change the actual payload data. -To fix this, we'll need to modify the hash, then test the new value, until powershell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string". +To fix this, we'll need to modify the hash, then test the new value, until PowerShell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string". To test the base64, you can use the following: ```powershell 
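Review bot: In the -25 hunk, "Deleting or adding **A**'s at the end doesn't change the actual payload data" overstates it: by the hunk's own arithmetic each Base64 character is 6 bits, so every four A's appended decode to three extra zero bytes, and removing them shortens the decoded hash. The direct fix for "Invalid length for a Base-64 char array or string" is to append "=" until the string length is a multiple of four; that is what padded Base64 means, and it leaves the decoded bytes untouched. Suggest stating that before the trial-and-error advice, and keeping the PowerShell decode as the check. Smaller points in the same hunk: "Wi-fi" should be "Wi-Fi", and "Has Azure Active Directory and Microsoft Intune ... been configured" needs "Have" for the compound subject.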
@@ -88,35 +88,35 @@ If the expected Autopilot behavior does not occur during the out-of-box experien ### Windows 10 version 1803 and above -To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> AutoPilot** for versions before 1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> AutoPilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration. +To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs –> Microsoft –> Windows –> Provisioning-Diagnostics-Provider –> Autopilot** for versions before 1903, or **Application and Services Logs –> Microsoft –> Windows –> ModernDeployment-Diagnostics-Provider –> Autopilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration. | Event ID | Type | Description | |----------|------|-------------| -| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. | -| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. | -| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. 
| -| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. | -| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. | -| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. | -| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. | -| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. | -| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. | -| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” | -| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. | -| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. | +| 100 | Warning | “Autopilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. 
| +| 101 | Info | “AutopilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. | +| 103 | Info | “AutopilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. | +| 109 | Info | “AutopilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. | +| 111 | Info | “AutopilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. | +| 153 | Info | “AutopilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. | +| 160 | Info | “AutopilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. | +| 161 | Info | “AutopilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. | +| 163 | Info | “AutopilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. | +| 164 | Info | “AutopilotManager determined Internet is available to attempt policy download.” | +| 171 | Error | “AutopilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. 
| +| 172 | Error | “AutopilotManager failed to set Autopilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. | In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above. ### Windows 10 version 1709 and above -On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include: +On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot**. Available registry entries include: | Value | Description | |-------|-------------| | AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. | -| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. | +| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, for example, “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. | | CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isn’t registered with Autopilot, this value will be blank.| -| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. 
This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. | +| IsAutopilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. | | TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. | | CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | 
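Review bot: The -88 hunk renames "AutoPilot" to "Autopilot" inside quoted event text (for example "AutoPilotManager reported the state changed", "AutoPilotGetPolicyDwordByName succeeded"), in the registry key name (...\Provisioning\Diagnostics\AutoPilot) and in the value name IsAutoPilotDisabled. These are literals an admin will paste into an Event Viewer filter, a Get-WinEvent -FilterXPath query or a reg query, so brand-name normalization should not be applied to them unless the strings the provider actually emits were checked and read "Autopilot". Registry key and value lookups are case-insensitive on Windows, so those two are harmless in practice, but the event message text should match what the provider writes. Suggest reverting the quoted strings and the registry identifiers to the emitted form and keeping the new casing only in the surrounding prose and in the Event Viewer path labels.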
@@ -128,7 +128,7 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD. -An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object. +An Azure AD device is created upon import - it's important that this object is not deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object. Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed. 
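Review bot: The -128 hunk fixes "not be deleted" but leaves "reimporting this autopilot hash" lowercase in the same sentence, at odds with the casing the rest of this patch enforces; make it "Autopilot hash". The paragraph would also read better split in two: one sentence on why the Azure AD device object must survive (it anchors group membership and profile targeting), one on the recovery (delete the registration and re-import the hardware hash so the object is recreated).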
@@ -138,13 +138,13 @@ See [this knowledge base article](https://support.microsoft.com/help/4089533/tro Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed. -If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. +If Autopilot Reset fails immediately with an error **Ran into trouble. Please sign in with an administrator account to see why and reset manually**, see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help. ## Profile download When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. -When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. +When a profile is downloaded depends upon the version of Windows 10 that is running on the PC. See the following table. | Windows 10 version | Profile download behavior | | --- | --- | diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 1a9d30eb2e..7786be9c94 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md 
@@ -47,6 +47,7 @@ For more information on the available join options, see the following sections: - [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. - [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. +- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity. ## User-driven mode for Azure Active Directory join 
@@ -83,11 +84,65 @@ To perform a user-driven hybrid Azure AD joined deployment using Windows Autopil - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. - If using Proxy, WPAD Proxy settings option must be enabled and configured. -**Azure AD device join**: The hybrid Azure AD join process uses the system context to perform device Azure AD join, therefore it is not affected by user based Azure AD join permission settings. In addition, all users are enabled to join devices to Azure AD by default. +The hybrid Azure AD join process uses the system context to register the device to Azure AD, therefore it is not affected by user based Azure AD join permission settings. -### Step by step instructions +## User-driven mode for hybrid Azure Active Directory join with VPN support + +Devices that are joined to Active Directory require connectivity to an Active Directory domain controller for a variety of activities, such as user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller. + +With the additional of VPN support for this scenario, it is now possible for you to specify to skip that connectivity check during the Hybrid Azure AD Join. This does not eliminate the need for communicating with an Active Directory domain controller, but rather enables the device to be first prepared with a needed VPN configuration delivered via Intune prior to the user attempting to sign into Windows, allowing connectivity to the organization's network. 
+ +### Requirements + +The following additional requirements apply for Hybrid Azure AD Join with VPN support: + +- A supported version of Windows 10: + - Windows 10 1903 + December 10th Cumulative update (KB4530684, OS build 18362.535) or higher + - Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher + - Windows 10 2004 or later +- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile. +- A VPN configuration that can be deployed via Intune that enables the user to manualy establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed. + +The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider. + +> [!NOTE] +> The VPN requirements are not specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts do not need connectivity since the cached credentials can be used. + +In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device. 
+ +Note that user certificates are not supported because these certificates cannot be deployed until the user logs in. Also, third-party UWP VPN plug-ins delivered from the Windows Store are also not supported because these are not installed until after the user signs in. + +### Validation + +Before attempting a hybrid Azure AD Join using VPN, it is important to first confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network, before adding in the additional requirements described below. This simplifies troubleshooting by making sure the core process works fine before adding the additional VPN configuration required. + +Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed via Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process, so you can validate the configuration using steps such as these: + +- From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command. +- Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName" +- Log out and verify that the "VPN connection" icon can be seen on the Windows logon page. +- Move the device off the corporate network and attempt to establish the connection using the icon on the Windows logon page, signing into an account that does not have cached credentials. + +For VPN configurations that automatically connect, the validation steps may be different. + +> [!NOTE] +> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile. 
+ +To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it: + +- Press Shift-F10 to open a command prompt. +- Insert a USB key containing the donwloaded update. +- Install the update using the command (substituting the real file name): WUSA.EXE .msu /quiet +- Reboot the computer using the command: shutdown.exe /r /t 0 + +Alternatively, you can invoke Windows Update to install the latest updates through this process: + +- Press Shift-F10 to open a command prompt. +- Run the command "start ms-settings:" +- Navigate to the "Update & Security" node and check for updates. +- Reboot after the updates are installed. + +## Step by step instructions See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). - - diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 1cf373f277..2b3ffca049 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -26,7 +26,8 @@ ms.custom: Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. -**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). +> [!NOTE] +> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). ## Software requirements @@ -46,8 +47,8 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: -- Ensure DNS name resolution for internet DNS names -- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) +- Ensure DNS name resolution for internet DNS names. +- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP). In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details: 
@@ -84,7 +85,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Microsoft 365 Apps for enterprise may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1 @@ -97,9 +98,9 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: -- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business) -- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline) -- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx) +- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business). +- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline). +- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx). - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. 
@@ -120,7 +121,7 @@ Before Windows Autopilot can be used, some configuration tasks are required to s - Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). - Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. -Specific scenarios will then have additional requirements. Generally, there are two specific tasks: +Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. - Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. 
@@ -133,7 +134,6 @@ For a walkthrough for some of these and related steps, see this video: - There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). ## Related topics diff --git a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md index b10120467d..8d69cc5d75 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-whats-new.md @@ -29,6 +29,12 @@ The following [Windows Autopilot updates](autopilot-update.md) are available. ** No updates are available yet. Check back here later for more information. +## New in Windows 10, version 2004 + +With this release, you can configure Windows Autopilot [user-driven](user-driven.md) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903. + +If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles. + ## New in Windows 10, version 1903 [Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video: diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index b20c33c92e..7f5c4ffe62 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md 
@@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) -- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware +- TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0f6cbee626..5a7e9bb20a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -40,7 +40,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. -You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. +If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 7e12444b58..340c9edb2a 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md 
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md 
@@ -133,9 +133,14 @@ This table provides info about the most common problems you might encounter whil - By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks. - OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon) - If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them, preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business. + OneNote notebooks on OneDrive for Business must be properly configured to work with WIP. + OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it. + "OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps: +1. Close the notebook in OneNote. +2. 
Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop. +3. Copy the notebook folder and Paste it back into the OneDrive for Business folder. + +Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 3743899296..8780a1b14b 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -248,6 +248,18 @@ #### [Privacy](microsoft-defender-atp/linux-privacy.md) #### [Resources](microsoft-defender-atp/linux-resources.md) + +### [Microsoft Defender Advanced Threat Protection for Android]() +#### [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp/microsoft-defender-atp-android.md) + +#### [Deploy]() +##### [Deploy Microsoft Defender ATP for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md) + +#### [Configure]() +##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md) + + + ### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md) ## [Security operations]() 
@@ -267,26 +279,26 @@ ##### [Manage alerts](microsoft-defender-atp/manage-alerts.md) ##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md) ##### [Investigate files](microsoft-defender-atp/investigate-files.md) -##### [Investigate machines](microsoft-defender-atp/investigate-machines.md) +##### [Investigate devices](microsoft-defender-atp/investigate-machines.md) ##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md) ##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md) ###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md) ##### [Investigate a user account](microsoft-defender-atp/investigate-user.md) -#### [Machines list]() -##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md) -##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md) +#### [Devices list]() +##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md) +##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md) #### [Take response actions]() -##### [Take response actions on a machine]() -###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md) +##### [Take response actions on a device]() +###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md) ###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags) ###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation) ###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session) -###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) -###### [Run antivirus 
scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines) +###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices) +###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices) ###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution) -###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network) +###### [Isolate devices from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-devices-from-the-network) ###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert) ###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center) @@ -307,7 +319,7 @@ ##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) #### [Investigate entities using Live response]() -##### [Investigate entities on machines](microsoft-defender-atp/live-response.md) +##### [Investigate entities on devices](microsoft-defender-atp/live-response.md) ##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) @@ -318,7 +330,7 @@ ##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md) ##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md) ##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md) -#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md) +#### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md) #### [Custom detections]() 
@@ -375,21 +387,21 @@ ## [How-to]() ### [Onboard devices to the service]() -#### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) +#### [Onboard devices to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) #### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) -#### [Onboard Windows 10 machines]() +#### [Onboard Windows 10 devices]() ##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) -##### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) -##### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) -##### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) -##### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md) -##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md) +##### [Onboard devices using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md) +##### [Onboard devices using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md) +##### [Onboard devices using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md) +##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md) +##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md) #### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md) -#### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md) -#### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md) -#### [Run a detection test on a newly onboarded 
machine](microsoft-defender-atp/run-detection-test.md) -#### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md) +#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md) +#### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md) +#### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md) +#### [Run simulated attacks on devices](microsoft-defender-atp/attack-simulations.md) #### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md) #### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md) @@ -397,9 +409,9 @@ ##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md) ##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md) -### [Manage machine configuration]() -#### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md) -#### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md) +### [Manage device configuration]() +#### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md) +#### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md) #### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md) #### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md) 
@@ -416,8 +428,8 @@ ##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md) ##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) ###### [Create and manage roles](microsoft-defender-atp/user-roles.md) -###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md) -###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) +###### [Create and manage device groups](microsoft-defender-atp/machine-groups.md) +###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md) #### [Rules]() @@ -426,9 +438,9 @@ ##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md) ##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md) -#### [Machine management]() -##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md) -##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md) +#### [Device management]() +##### [Onboarding devices](microsoft-defender-atp/onboard-configure.md) +##### [Offboarding devices](microsoft-defender-atp/offboard-machines.md) #### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md) @@ -464,7 +476,7 @@ ####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md) ####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md) ####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md) -####### [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md) +####### [Get alert related device information](microsoft-defender-atp/get-alert-related-machine-info.md) ####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md) ###### [Machine]() 
@@ -587,9 +599,9 @@ #### [Role-based access control]() ##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md) ##### [Create and manage roles](microsoft-defender-atp/user-roles.md) -##### [Create and manage machine groups]() -###### [Using machine groups](microsoft-defender-atp/machine-groups.md) -###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md) +##### [Create and manage device groups]() +###### [Using device groups](microsoft-defender-atp/machine-groups.md) +###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md) #### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md) @@ -625,8 +637,8 @@ #### [Troubleshoot sensor state]() ##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) ##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md) -##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines) -##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines) +##### [Inactive devices](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-devices) +##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices) ##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) #### [Troubleshoot Microsoft Defender ATP service issues]() diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 7a0b4059d1..45f76a991a 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -94,7 +94,7 @@ Endpoint detection and response capabilities are put in place to detect, investi - [Alerts](microsoft-defender-atp/alerts-queue.md) - [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline) - [Response orchestration](microsoft-defender-atp/response-actions.md) -- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines) +- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices) - [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md) - [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis) - [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index 2a7c5b7895..b5294a1f4b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -53,7 +53,7 @@ Because your protection is a cloud service, computers must have access to the in | **Service**| **Description** |**URL** | | :--: | :-- | :-- | | Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com`
`*.wdcpalt.microsoft.com`
`*.wd.microsoft.com`| -| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`| +| Microsoft Update Service (MU)
Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com`
`*.delivery.mp.microsoft.com`
`*.windowsupdate.com`
for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)| |Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`| | Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net`
`ussus1westprod.blob.core.windows.net`
`usseu1northprod.blob.core.windows.net`
`usseu1westprod.blob.core.windows.net`
`ussuk1southprod.blob.core.windows.net`
`ussuk1westprod.blob.core.windows.net`
`ussas1eastprod.blob.core.windows.net`
`ussas1southeastprod.blob.core.windows.net`
`ussau1eastprod.blob.core.windows.net`
`ussau1southeastprod.blob.core.windows.net` | | Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/`
`https://www.microsoft.com/pkiops/certs`
`https://crl.microsoft.com/pki/crl/products`
`https://www.microsoft.com/pki/certs` | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png index cc63efe4a4..5653f969ec 100644 Binary files a/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png and b/windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 1261d7fa01..fc9bf5c636 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -35,7 +35,7 @@ Turn on this feature to take advantage of the automated investigation and remedi ## Live response -Turn on this feature so that users with the appropriate permissions can start a live response session on machines. +Turn on this feature so that users with the appropriate permissions can start a live response session on devices. For more information about role assignments, see [Create and manage roles](user-roles.md). @@ -52,7 +52,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga >[!NOTE] > ->- The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. +>- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device. >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it. ## Allow or block file 
@@ -62,7 +62,7 @@ Blocking is only available if your organization fulfills these requirements: - Uses Microsoft Defender Antivirus as the active antimalware solution and, - The cloud-based protection feature is enabled -This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization. +This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization. To turn **Allow or block** files on: @@ -80,7 +80,7 @@ After turning on this feature, you can [block files](respond-file-alerts.md#allo Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list. -To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834). +To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834). For more information, see [Manage indicators](manage-indicators.md). @@ -93,7 +93,7 @@ Turn on this feature so that you can see user details stored in Azure Active Dir - Security operations dashboard - Alert queue -- Machine details page +- Device details page For more information, see [Investigate a user account](investigate-user.md). 
@@ -102,11 +102,11 @@ For more information, see [Investigate a user account](investigate-user.md). Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks. >[!NOTE] -> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode. +> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode. ## Azure Advanced Threat Protection integration -The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view. +The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view. >[!NOTE] >You'll need to have the appropriate license to enable this feature. 
@@ -117,7 +117,7 @@ Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microso ### Enable the Microsoft Defender ATP integration from the Azure ATP portal -To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. +To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. 1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role. 
@@ -125,18 +125,18 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab 3. Toggle the Integration setting to **On** and click **Save**. -After completing the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page. +After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page. ## Office 365 Threat Intelligence connection This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. -When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows machines. +When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices. >[!NOTE] >You'll need to have the appropriate license to enable this feature. -To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts 
@@ -150,11 +150,11 @@ Out of the two Microsoft Threat Expert components, targeted attack notification Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. >[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. ## Azure Information Protection -Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. +Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings. ## Microsoft Intune connection 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 7209a654db..669be788ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -1,7 +1,7 @@ --- title: Query best practices for advanced hunting description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -40,7 +40,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni ## Query tips and pitfalls ### Queries with process IDs -Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). +Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`). The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index 50d1242878..d568ae26bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceAlertEvents table in the advanced hunting schema description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -34,8 +34,8 @@ For information on other tables in the advanced hunting schema, see [the advance |-------------|-----------|-------------| | `AlertId` | string | Unique identifier for the alert | | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert | | `Category` | string | Type of threat indicator or breach activity identified by the alert | | `Title` | string | Title of the alert | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index b5b530d85f..a3844f8f21 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | 
@@ -44,19 +44,19 @@ For information on other tables in the advanced hunting schema, see [the advance | `AccountName` |string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | -| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | +| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information | | `ProcessId` | int | Process ID (PID) of the newly created process | | `ProcessCommandLine` | string | Command line used to create the new process | | `ProcessCreationTime` | datetime | Date and time the process was created | | `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `LogonId` | string | Identifier for a logon session. 
This identifier is unique on the same device only between restarts | | `RegistryKey` | string | Registry key that the recorded action was applied to | | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to | | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to | | `RemoteIP` | string | IP address that was being connected to | | `RemotePort` | int | TCP port on the remote device that was being connected to | -| `LocalIP` | string | IP address assigned to the local machine used during communication | -| `LocalPort` | int | TCP port on the local machine used during communication | +| `LocalIP` | string | IP address assigned to the local device used during communication | +| `LocalPort` | int | TCP port on the local device used during communication | | `FileOriginUrl` | string | URL where the file was downloaded from | | `FileOriginIP` | string | IP address where the file was downloaded from | | `AdditionalFields` | string | Additional information about the event in JSON array format | 
@@ -74,7 +74,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | +| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 4d1315f233..2e1e4ccfe6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceFileCertificateInfo table in the advanced hunting schema description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -33,8 +33,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `SHA1` | string | SHA-1 of the file that the recorded action was applied to | | `IsSigned` | boolean | Indicates whether the file is signed | | `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 53faa19f58..351be8cfc8 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advanc | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index b9c338f0c1..2327ce1a4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md 
@@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index e51b88cf9a..cc3663977a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceInfo table in the advanced hunting schema -description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo +description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -25,25 +25,25 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. +The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine | -| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy | -| `OSArchitecture` | string | Architecture of the operating system running on the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. 
This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | -| `OSBuild` | string | Build version of the operating system running on the machine | -| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | -| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format | -| `RegistryDeviceTag` | string | Machine tag added through the registry | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | +| `ClientVersion` | string | Version of the endpoint agent or sensor running on the device | +| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy | +| `OSArchitecture` | string | Architecture of the operating system running on the device | +| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | +| `OSBuild` | string | Build version of the operating system running on the device | +| `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory | +| `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format | +| `RegistryDeviceTag` | string | Device tag added through the registry | | `ReportId` | long | Event identifier based on a repeating counter. 
To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | -| `OSVersion` | string | Version of the operating system running on the machine | +| `OSVersion` | string | Version of the operating system running on the device | | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine | ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 9814bdbe14..f48045b11f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -32,15 +32,15 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string |Type of activity that triggered the event | | `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | -| `LogonType` | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the machine using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| -| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | -| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | +| `LogonType` | string | Type of logon session, specifically:

- **Interactive** - User physically interacts with the device using the local keyboard and screen

- **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

- **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed

- **Batch** - Session initiated by scheduled tasks

- **Service** - Session initiated by services as they start
| +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts | +| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information | | `RemoteIP` | string | IP address that was being connected to | | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemotePort` | int | TCP port on the remote device that was being connected to | @@ -63,7 +63,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | -| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine | +| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 17ba4f7f0d..3defded189 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -32,14 +32,14 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `RemoteIP` | string | IP address that was being connected to | | `RemotePort` | int | TCP port on the remote device that was being connected to | | `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to | -| `LocalIP` | string | IP address assigned to the local machine used during communication | -| `LocalPort` | int | TCP port on the local machine used during communication | +| `LocalIP` | string | IP address assigned to the local device used during communication | +| `LocalPort` | int | TCP port on the local device used during communication | | `Protocol` | string | IP protocol used, whether TCP or UDP | | `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 2e84b08364..82d860e259 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -1,7 +1,7 @@ --- title: DeviceNetworkInfo table in the advanced hunting schema description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
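Review bot: The replacement in the DeviceNetworkInfo keywords line produced a duplicated keyword, `device, device,` (the removed text was `device, machine,`), so one of the two should be dropped. The legacy table name `MachineNetworkInfo` is also removed from the same line; keeping it alongside `DeviceNetworkInfo` would preserve search hits from readers who know the old name, as suggested for the DeviceInfo page above.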
@@ -25,15 +25,15 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) -The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. +The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md). | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns | | `NetworkAdapterName` | string | Name of the network adapter | | `MacAddress` | string | MAC address of the network adapter | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 6fdba4c948..4c9e3d2d15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `FileName` | string | Name of the file that the recorded action was applied to | | `FolderPath` | string | Folder containing the file that the recorded action was applied to | 
@@ -48,11 +48,11 @@ For information on other tables in the advanced hunting schema, see [the advance | `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account | -| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | +| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts | | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event | -| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | +| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. | | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index c0b36b2df8..bff256d499 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| | `Timestamp` | datetime | Date and time when the event was recorded | -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ActionType` | string | Type of activity that triggered the event | | `RegistryKey` | string | Registry key that the recorded action was applied to | | `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index d58f79d5f1..41857037ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
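Review bot: Replacing `windows defender atp` with `microsoft defender atp` in the keywords removes the former product name that readers still search for; suggest listing both (`mdatp, windows defender atp, microsoft defender atp, wdatp`) instead of swapping one for the other. The same one-for-one replacement is made in the keywords of the DeviceTvmSecureConfigurationAssessmentKB, DeviceTvmSoftwareInventoryVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, advanced-hunting-overview, advanced-hunting-query-language, advanced-hunting-query-results and advanced-hunting-schema-reference pages below, and the same suggestion applies to each of those hunks.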
@@ -34,9 +34,9 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.| | `Timestamp` | datetime |Date and time when the record was generated | | `ConfigurationId` | string | Unique identifier for a specific configuration | | `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index f30af239df..9381ed9722 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index 384b79a65a..50afa668fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -35,11 +35,11 @@ For information on other tables in the advanced hunting schema, see [the advance | Column name | Data type | Description | |-------------|-----------|-------------| -| `DeviceId` | string | Unique identifier for the machine in the service | -| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | -| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | -| `OSVersion` | string | Version of the operating system running on the machine | -| `OSArchitecture` | string | Architecture of the operating system running on the machine | +| `DeviceId` | string | Unique identifier for the device in the service | +| `DeviceName` | string | Fully qualified domain name (FQDN) of the device | +| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | +| `OSVersion` | string | Version of the operating system running on the device | +| `OSArchitecture` | string | Architecture of the operating system running on the device | | `SoftwareVendor` | string | Name of the software vendor | | `SoftwareName` | string | Name of the software product | | `SoftwareVersion` | string | Version number of the software product | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index 2ba11df0c9..255fb53dc3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md 
@@ -1,7 +1,7 @@ --- title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 977cd7c2dc..5cd3f15a09 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md 
@@ -1,7 +1,7 @@ --- title: Overview of advanced hunting in Microsoft Defender ATP description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -25,7 +25,7 @@ ms.topic: article Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. -You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. +You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices. ## Get started with advanced hunting Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 3570732cf5..947c3638f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -1,7 +1,7 @@ --- title: Learn the advanced hunting query language description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index 2ac9237205..34716e8296 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -1,7 +1,7 @@ --- title: Work with advanced hunting query results in Microsoft Defender ATP description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -77,8 +77,8 @@ These results are best visualized using a stacked column chart: ![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg) *Query results for alerts by OS and severity displayed as a stacked chart* -#### Top ten machine groups with alerts -If you're dealing with a list of values that isn’t finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten machine groups with the most alerts, use the query below: +#### Top ten device groups with alerts +If you're dealing with a list of values that isn’t finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten device groups with the most alerts, use the query below: ```kusto DeviceAlertEvents @@ -89,7 +89,7 @@ DeviceAlertEvents Use the pie chart view to effectively show distribution across the top groups: ![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg) -*Pie chart showing distribution of alerts across machine groups* +*Pie chart showing distribution of alerts across device groups* #### Malware detections over time Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file: 
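Review bot: The heading `#### Top ten device groups with alerts`, the sentence under it and the pie-chart caption now say "device groups", but the column those results are grouped on is still named `MachineGroup` in the DeviceInfo table, and its description elsewhere in this same change still reads "Machine group of the machine", so a reader following this text will look for a column that does not exist under that name. Suggest either keeping "machine groups" here until the column itself is renamed, or adding one sentence after the heading stating that the grouping column is `MachineGroup`. The `kusto` block in the hunk is cut off after `DeviceAlertEvents`, so the column the query actually uses is not visible in this diff.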
@@ -113,7 +113,7 @@ After running a query, select **Export** to save the results to local file. Your - **Any chart** — the query results are exported as a JPEG image of the rendered chart ## Drill down from query results -To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity. +To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity. ## Tweak your queries from the results Right-click a value in the result set to quickly enhance your query. You can use the options to: diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index 8aa65eadc9..94c74051a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -1,7 +1,7 @@ --- title: Advanced hunting schema reference description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -27,7 +27,7 @@ ms.date: 01/14/2020 [!include[Prerelease information](../../includes/prerelease.md)] -The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. +The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema. ## Schema tables @@ -38,8 +38,8 @@ Table and column names are also listed within the Microsoft Defender Security Ce | Table name | Description | |------------|-------------| | **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center | -| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information | -| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains | +| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information | +| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains | | **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events | | **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events | | **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events | 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index b661399a57..677a74ca65 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -1,7 +1,7 @@ --- title: Use shared queries in advanced hunting description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 0f5c27cc7e..4a29f349d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md 
@@ -20,7 +20,7 @@ ms.date: 09/03/2018 --- # Alerts queue in Microsoft Defender Security Center -Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as machines, files, or user accounts. +Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts. ## In this section 
@@ -30,9 +30,9 @@ Topic | Description [Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert. [Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. [Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event. -[Investigate machines](investigate-machines.md)| Investigate the details of a machine associated with a specific alert, behaviour, or event. -[Investigate an IP address](investigate-ip.md) | Examine possible communication between machines in your network and external internet protocol (IP) addresses. -[Investigate a domain](investigate-domain.md) | Investigate a domain to see if machines and servers in your network have been communicating with a known malicious domain. +[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event. +[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses. +[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain. [Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index 34e1b7c512..c745548afb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -26,10 +26,10 @@ ms.date: 03/27/2020 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) -The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. +The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. >[!NOTE] ->The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). +>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). There are several options you can choose from to customize the alerts queue view. 
@@ -51,7 +51,7 @@ You can apply the following filters to limit the list of alerts and get a more f Alert severity | Description :---|:--- -High
(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on machines. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. +High
(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary. Medium
(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack. Low
(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization. Informational
(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues. @@ -60,15 +60,15 @@ Informational
(Grey) | Alerts that might not be considered harmful to the n Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. -The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected. +The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected. -The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. +The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage. -- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. -- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". +- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. 
+- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. #### Understanding alert categories @@ -118,16 +118,16 @@ You can choose between showing alerts that are assigned to you or automation. Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. >[!NOTE] ->The Microsoft Defender Antivirus filter will only appear if machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product. +>The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. ### OS platform Limit the alerts queue view by selecting the OS platform that you're interested in investigating. -### Machine group +### Device group -If you have specific machine groups that you're interested in checking, you can select the groups to limit the alerts queue view. +If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view. ### Associated threat 
@@ -138,7 +138,7 @@ Use this filter to focus on alerts that are related to high profile threats. You - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 5508ee20b8..e8811269cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md 
@@ -45,8 +45,8 @@ id | String | Alert ID. title | String | Alert title. description | String | Alert description. alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created. -lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine. -firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine. +lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device. +firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device. lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated. resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert. diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md new file mode 100644 index 0000000000..7ea09555f6 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md 
@@ -0,0 +1,50 @@ +--- +title: Configure Microsoft Defender ATP for Android features +ms.reviewer: +description: Describes how to configure Microsoft Defender ATP for Android +keywords: microsoft, defender, atp, android, configuration +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Configure Microsoft Defender ATP for Android features +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) + +## Conditional Access with Microsoft Defender ATP for Android +Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active +Directory enables enforcing Device compliance and Conditional Access policies +based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense +(MTD) solution that you can deploy to leverage this capability via Intune. + +For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android). + + +## Configure custom indicators + +>[!NOTE] +> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains. + +Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). + +## Configure web protection +Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. 
This capability is available within the Microsoft Endpoint Manager Admin center. + +For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). + +## Related topics +- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) +- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md new file mode 100644 index 0000000000..79ac88b90c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md 
@@ -0,0 +1,294 @@ +--- +title: Deploy Microsoft Defender ATP for Android with Microsoft Intune +ms.reviewer: +description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune +keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Deploy Microsoft Defender ATP for Android with Microsoft Intune + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) + +This topic describes deploying Microsoft Defender ATP for Android on Intune +Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your +device](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/aka.ms/enrollAndroid). + + +> [!NOTE] +> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
+> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** + +## Deploy on Device Administrator enrolled devices + +**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device +Administrator enrolled devices** + +This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported. + +### Download the onboarding package + +Download the onboarding package from Microsoft Defender Security Center. + +1. In [Microsoft Defender Security +Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**. + +2. In the first drop-down, select **Android** as the Operating system. + +3. Select **Download Onboarding package** and save the downloaded .APK file. + + ![Image of onboarding package page](images/onboarding_package_1.png) + +### Add as Line of Business (LOB) App + +The downloaded Microsoft Defender ATP for Android onboarding package. It is a +.APK file can be deployed to user groups as a Line of Business app during the +preview from Microsoft Endpoint Manager Admin Center. + +1. In [Microsoft Endpoint Manager admin +center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> +**Android Apps** \> **Add \> Line-of-business app** and click **Select**. + + ![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png) + + +2. On the **Add app** page and in the *App Information* section, click **Select +add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step. 
+ + ![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png) + + +3. Select **OK**. + +4. In the *App Information* section that comes up, enter the **Publisher** as +Microsoft. Other fields are optional and then select **Next**. + + ![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png) + +5. In the *Assignments* section, go to the **Required** section and select **Add +group.** You can then choose the user group(s) that you would like to target +Microsoft Defender ATP for Android app. Click **Select** and then **Next**. + + >[!NOTE] + >The selected user group should consist of Intune enrolled users. + + ![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png) + + +6. In the **Review+Create** section, verify that all the information entered is +correct and then select **Create**. + + In a few moments, the Microsoft Defender ATP app would be created successfully, +and a notification would show up at the top-right corner of the page. + + ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) + + +7. In the app information page that is displayed, in the **Monitor** section, +select **Device install status** to verify that the device installation has +completed successfully. + + ![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png) + + +During Public Preview, to **update** Microsoft Defender ATP for Android deployed +as a Line of Business app, download the latest APK. Following the steps in +*Download the onboarding package* section and follow instructions on how to [update +a Line of Business +App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app). + +### Complete onboarding and check status + +1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon. 
+ + ![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg) + +2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions +to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android. + +3. Upon successful onboarding, the device will start showing up on the Devices +list in Microsoft Defender Security Center. + + ![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + +## Deploy on Android Enterprise enrolled devices + +Microsoft Defender ATP for Android supports Android Enterprise enrolled devices. + +For more information on the enrollment options supported by Intune, see +[Enrollment +Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) . + +As Microsoft Defender ATP for Android is deployed via managed Google Play, +updates to the app are automatic via Google Play. + +Currently only Work Profile, Fully Managed devices are supported for deployment. + + +>[!NOTE] +>During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).
+> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported. + +## Add Microsoft Defender ATP for Android as a managed Google Play app + +After receiving a confirmation e-mail from Microsoft that your managed Google +Play organization ID has been approved, follow the steps below to add Microsoft +Defender ATP app into your managed Google Play. + +1. In [Microsoft Endpoint Manager admin +center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> +**Android Apps** \> **Add** and select **managed Google Play app**. + + ![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png) + + +2. On your managed Google Play page that loads subsequently, go to the search +box and lookup **Microsoft Defender.** Your search should display the Microsoft +Defender ATP app in your Managed Google Play. Click on the Microsoft Defender +ATP app from the Apps search result. + + ![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png) + +3. In the App description page that comes up next, you should be able to see app +details on Microsoft Defender ATP. Review the information on the page and then +select **Approve**. + + ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) + + +4. You should now be presented with the permissions that Microsoft Defender ATP +obtains for it to work. Review them and then select **Approve**. + + ![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) + + +5. You'll be presented with the Approval settings page. The page confirms +your preference to handle new app permissions that Microsoft Defender ATP for +Android might ask. Review the choices and select your preferred option. Select +**Done**. 
+ + By default, managed Google Play selects *Keep approved when app requests new +permissions* + + ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) + + +6. After the permissions handling selection is made, select **Sync** to sync +Microsoft Defender ATP to your apps list. + + ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) + + +7. The sync will complete in a few minutes. + + ![Image of Android app](images/9fc07ffc150171f169dc6e57fe6f1c74.png) + +8. Select the **Refresh** button in the Android apps screen and Microsoft +Defender ATP should be visible in the apps list. + + ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) + + +9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). + + a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. + + ![Image of Microsoft Endpoint Manager admin center](images/android-mem.png) + + b. In the **Create app configuration policy** page, enter the following details: + - Name: Microsoft Defender ATP. + - Choose **Android Enterprise** as platform. + - Choose **Work Profile only** as Profile Type. + - Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**. + + ![Image of create app configuration policy page](images/android-create-app.png) + + c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions + - External storage (read) + - External storage (write) + + Then select **OK**. + + ![Image of create app configuration policy](images/android-create-app-config.png) + + + d. 
You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**. + + ![Image of create app configuration policy](images/android-auto-grant.png) + + + e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. + + ![Image of create app configuration policy](images/android-select-group.png) + + + f. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
+ + The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. + + ![Image of create app configuration policy](images/android-review-create.png) + + + +10. Select **Microsoft Defender ATP** app in the list \> **Properties** \> +**Assignments** \> **Edit**. + + ![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png) + + +11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of +the device via Company Portal app. This assignment can be done by navigating to +the *Required* section \> **Add group,** selecting the user group and click +**Select**. + + ![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png) + + +12. In the **Edit Application** page, review all the information that was entered +above. Then select **Review + Save** and then **Save** again to commence +assignment. + +## Complete onboarding and check status + +1. Confirm the installation status of Microsoft Defender ATP for Android by +clicking on the **Device Install Status**. Verif that the device is +displayed here. + + ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png) + + +2. On the device, you can confirm the same by going to the **work profile** and +confirm that Microsoft Defender ATP is available. + + ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png) + +3. When the app is installed, open the app and accept the permissions +and then your onboarding should be successful. + + ![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png) + +4. At this stage the device is successfully onboarded onto Microsoft Defender +ATP for Android. 
You can verify this on the [Microsoft Defender Security +Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com) +by navigating to the **Devices** page. + + ![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + + +## Related topics +- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) +- [Configure Microsoft Defender ATP for Android features](android-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md new file mode 100644 index 0000000000..c7309c2bb9 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md 
@@ -0,0 +1,229 @@ +--- +title: Microsoft Defender ATP for Android Application license terms +ms.reviewer: +description: Describes the Microsoft Defender ATP for Android license terms +keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +hideEdit: true +--- + +# Microsoft Defender ATP for Android application license terms +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) + +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP + +These license terms ("Terms") are an agreement between Microsoft Corporation (or +based on where you live, one of its affiliates) and you. Please read them. They +apply to the application named above. These Terms also apply to any Microsoft + +- updates, + +- supplements, + +- Internet-based services, and + +- support services + +for this application, unless other terms accompany those items. If so, those +terms apply. + +**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, +DO NOT USE THE APPLICATION.** + +**If you comply with these Terms, you have the perpetual rights below.** + +1. **INSTALLATION AND USE RIGHTS.** + + 1. **Installation and Use.** You may install and use any number of copies + of this application on Android enabled device or devices which you own + or control. You may use this application with your company's valid + subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or + an online service that includes MDATP functionalities. + + 2. 
**Updates.** Updates or upgrades to MDATP may be required for full + functionality. Some functionality may not be available in all countries. + + 3. **Third Party Programs.** The application may include third party + programs that Microsoft, not the third party, licenses to you under this + agreement. Notices, if any, for the third-party program are included for + your information only. + +2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to + Internet access, data transfer and other services per the terms of the data + service plan and any other agreement you have with your network operator due + to use of the application. You are solely responsible for any network + operator charges. + +3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with + the application. It may change or cancel them at any time. + + 1. Consent for Internet-Based or Wireless Services. The application may + connect to Internet-based wireless services. Your use of the application + operates as your consent to the transmission of standard device + information (including but not limited to technical information about + your device, system and application software, and peripherals) for + Internet-based or wireless services. If other terms are provided in + connection with your use of the services, those terms also apply. + + - Data. Some online services require, or may be enhanced by, the + installation of local software like this one. At your, or your + admin's direction, this software may send data from a device to or + from an online service. + + - Usage Data. Microsoft automatically collects usage and performance + data over the internet. This data will be used to provide and + improve Microsoft products and services and enhance your experience. + You may limit or control collection of some usage and performance + data through your device settings. Doing so may disrupt your use of + certain features of the application. 
For additional information on + Microsoft's data collection and use, see the [Online Services + Terms](https://go.microsoft.com/fwlink/?linkid=2106777). + + 2. Misuse of Internet-based Services. You may not use any Internet-based + service in any way that could harm it or impair anyone else's use of it + or the wireless network. You may not use the service to try to gain + unauthorized access to any service, data, account or network by any + means. + +4. **FEEDBACK.** If you give feedback about the application to Microsoft, you + give to Microsoft, without charge, the right to use, share and commercialize + your feedback in any way and for any purpose. You also give to third + parties, without charge, any patent rights needed for their products, + technologies and services to use or interface with any specific parts of a + Microsoft software or service that includes the feedback. You will not give + feedback that is subject to a license that requires Microsoft to license its + software or documentation to third parties because we include your feedback + in them. These rights survive this agreement. + +5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement + only gives you some rights to use the application. Microsoft reserves all + other rights. Unless applicable law gives you more rights despite this + limitation, you may use the application only as expressly permitted in this + agreement. In doing so, you must comply with any technical limitations in + the application that only allow you to use it in certain ways. 
You may not + + - work around any technical limitations in the application; + + - reverse engineer, decompile or disassemble the application, except and + only to the extent that applicable law expressly permits, despite this + limitation; + + - make more copies of the application than specified in this agreement or + allowed by applicable law, despite this limitation; + + - publish the application for others to copy; + + - rent, lease or lend the application; or + + - transfer the application or this agreement to any third party. + +6. **EXPORT RESTRICTIONS.** The application is subject to United States export + laws and regulations. You must comply with all domestic and international + export laws and regulations that apply to the application. These laws + include restrictions on destinations, end users and end use. For additional + information, + see[www.microsoft.com/exporting](https://www.microsoft.com/exporting). + +7. **SUPPORT SERVICES.** Because this application is "as is," we may not + provide support services for it. If you have any issues or questions about + your use of this application, including questions about your company's + privacy policy, please contact your company's admin. Do not contact the + application store, your network operator, device manufacturer, or Microsoft. + The application store provider has no obligation to furnish support or + maintenance with respect to the application. + +8. **APPLICATION STORE.** + + 1. If you obtain the application through an application store (e.g., Google + Play), please review the applicable application store terms to ensure + your download and use of the application complies with such terms. + Please note that these Terms are between you and Microsoft and not with + the application store. + + 2. 
The respective application store provider and its subsidiaries are third + party beneficiaries of these Terms, and upon your acceptance of these + Terms, the application store provider(s) will have the right to directly + enforce and rely upon any provision of these Terms that grants them a + benefit or rights. + +9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and + Microsoft 365 are registered or common-law trademarks of Microsoft + Corporation in the United States and/or other countries. + +10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates, + Internet-based services, and support services that you use are the entire + agreement for the application and support services. + +11. **APPLICABLE LAW.** + + 1. **United States.** If you acquired the application in the United States, + Washington state law governs the interpretation of this agreement and + applies to claims for breach of it, regardless of conflict of laws + principles. The laws of the state where you live govern all other + claims, including claims under state consumer protection laws, unfair + competition laws, and in tort. + + 2. **Outside the United States.** If you acquired the application in any + other country, the laws of that country apply. + +12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may + have other rights under the laws of your country. You may also have rights + with respect to the party from whom you acquired the application. This + agreement does not change your rights under the laws of your country if the + laws of your country do not permit it to do so. + +13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL + FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. 
MICROSOFT AND + WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND + EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO + EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE + APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE + ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL + CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO + THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE + IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NON-INFRINGEMENT.** + + **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.** + +14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT + PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO + ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER + DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR + INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.** + +This limitation applies to: + +- anything related to the application, services, content (including code) on + third party Internet sites, or third party programs; and + +- claims for breach of contract, warranty, guarantee or condition; consumer + protection; deception; unfair competition; strict liability, negligence, + misrepresentation, omission, trespass or other tort; violation of statute or + regulation; or unjust enrichment; all to the extent permitted by applicable + law. + +It also applies even if: + +a. Repair, replacement or refund for the application does not fully compensate + you for any losses; or + +b. Covered Parties knew or should have known about the possibility of the + damages. 
+ +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index 891d09df60..09f3293f1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index 1cd0814c99..e4a1dddb18 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -48,7 +48,7 @@ Now you have a Flow that is triggered every time a new Alert occurs. ![Image of edit credentials](images/api-flow-3.png) All you need to do now is choose your next steps. -For example, you can isolate the machine if the Severity of the Alert is High and send an email about it. +For example, you can isolate the device if the Severity of the Alert is High and send an email about it. The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities. ### Get the Alert entity using the connector 
@@ -61,7 +61,7 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the ![Image of edit credentials](images/api-flow-4.png) -### Isolate the machine if the Alert's severity is High +### Isolate the device if the Alert's severity is High 1. Add **Condition** as a new step. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 2fdc0af72f..1e157ea511 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -29,8 +29,8 @@ Understand what data fields are exposed as part of the detections API and how th >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details. +>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. 
@@ -63,10 +63,10 @@ Field numbers match the numbers in the images below. > | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. | > | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. | > | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. | -> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. | +> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. | > | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. | -> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. | -> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. | +> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. | +> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. 
| > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index cb5955d6d3..546c64449d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -125,6 +125,8 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a ## Power BI dashboard samples in GitHub For more information see the [Power BI report templates](https://github.com/microsoft/MDATP-PowerBI-Templates). +## Sample reports +View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp). ## Related topic diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index 1c6f356099..aac9695165 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md 
@@ -2,7 +2,7 @@ title: Access the Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities -keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query +keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 4329883752..1181ff8181 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -30,7 +30,7 @@ ms.date: 11/28/2018 Microsoft Defender ATP supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. -- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). +- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). > [!NOTE] > If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 26f0706b19..492d7037dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -1,7 +1,7 @@ --- title: Experience Microsoft Defender ATP through simulated attacks description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches. -keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection +keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -30,11 +30,11 @@ ms.date: 11/20/2018 >- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). >- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). -You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. +You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. ## Before you begin -To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure.md). +To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md). Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario. 
@@ -44,18 +44,18 @@ Read the walkthrough document provided with each attack scenario. Each document - **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control. - - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity. + - **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity. - **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity. 2. Download and read the corresponding walkthrough document provided with your selected scenario. -3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test machine but it's not mandatory. +3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory. -4. Run the simulation file or script on the test machine as instructed in the walkthrough document. +4. Run the simulation file or script on the test device as instructed in the walkthrough document. > [!NOTE] -> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine. +> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device. > > > Want to experience Microsoft Defender ATP? 
[Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) @@ -63,5 +63,5 @@ Read the walkthrough document provided with each attack scenario. Each document ## Related topics -- [Onboard machines](onboard-configure.md) -- [Onboard Windows 10 machines](configure-endpoints.md) \ No newline at end of file +- [Onboard devices](onboard-configure.md) +- [Onboard Windows 10 devices](configure-endpoints.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 02ddfa2a9b..a6be5fa509 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -1,6 +1,6 @@ --- title: Use attack surface reduction rules to prevent malware infection -description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware. +description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware. keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -66,7 +66,7 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: -1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index a04fe5d589..dab80159ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md 
@@ -23,7 +23,7 @@ During and after an automated investigation, certain remediation actions can be If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation. >[!NOTE] ->If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation. +>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation. ## The Action center 
@@ -62,7 +62,7 @@ On the **Investigations** page, you can view details and use filters to focus on |**Status** |(See [Automated investigation status](#automated-investigation-status)) | |**Triggering alert** | The alert that initiated the automated investigation | |**Detection source** |The source of the alert that initiated the automated investigation | -|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. | +|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. | |**Threat** |The category of threat detected during the automated investigation | |**Tags** |Filter using manually added tags that capture the context of an automated investigation| |**Comments** |Select between filtering the list between automated investigations that have comments and those that don't| @@ -82,7 +82,7 @@ An automated investigation can have one of the following status values: | Terminated by system | The investigation stopped. An investigation can stop for several reasons:
- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time.
- There are too many actions in the list.
Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. | | Failed | At least one investigation analyzer ran into a problem where it could not complete properly.

If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. | | Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. | -| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. | +| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. | | Terminated by user | A user stopped the investigation before it could complete. | @@ -90,7 +90,7 @@ An automated investigation can have one of the following status values: ![Image of investigation details window](images/atp-analyze-auto-ir.png) -You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information. +You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information. In this view, you'll see the name of the investigation, when it started and ended. 
@@ -112,23 +112,23 @@ From this view, you can also view and add comments and tags about the investigat ### Alerts -The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. +The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned. -Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing. +Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing. -Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history. +Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history. Clicking on an alert title brings you the alert page. -### Machines +### Devices -The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. +The **Devices** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated. 
-Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. +Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. -Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users. +Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users. -Clicking on a machine name brings you the machine page. +Clicking on a device name brings you the device page. ### Evidence 
@@ -140,11 +140,11 @@ The **Entities** tab shows details about entities such as files, process, servic ### Log -The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. +The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration. As with other sections, you can customize columns, select the number of items to show per page, and filter the log. -Available filters include action type, action, status, machine name, and description. +Available filters include action type, action, status, device name, and description. You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data. diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 3399f94ff8..81ce65baaa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md 
@@ -1,7 +1,7 @@ --- title: Use automated investigations to investigate and remediate threats description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). -keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export +keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -21,7 +21,7 @@ ms.topic: conceptual > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. +Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually. The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated. 
@@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and ## How the automated investigation starts -When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. +When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation. >[!NOTE] >Currently, automated investigation only supports the following OS versions: 
@@ -41,12 +41,12 @@ When an alert is triggered, a security playbook goes into effect. Depending on t ## Details of an automated investigation -During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs. +During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs. |Tab |Description | |--|--| |**Alerts**| Shows the alert that started the investigation.| -|**Machines** |Shows where the alert was seen.| +|**Devices** |Shows where the alert was seen.| |**Evidence** |Shows the entities that were found to be malicious during the investigation.| |**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). | |**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.| 
@@ -57,28 +57,28 @@ During and after an automated investigation, you can view details about the inve ## How an automated investigation expands its scope -While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation. +While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation. -If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. +If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view. ## How threats are remediated -Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats. +Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats. 
You can configure the following levels of automation: |Automation level | Description| |---|---| -|No automated response | Machines do not get any automated investigations run on them. | +|No automated response | Devices do not get any automated investigations run on them. | |Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. | |Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.| |Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed.| |Full - remediate threats automatically | All remediation actions will be performed automatically.| > [!TIP] -> For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md). +> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md). -The default machine group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed. +The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed. When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 3d719200bc..04569f6785 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -26,7 +26,7 @@ ms.collection: ## Overview -Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security). +Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security). Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities. 
@@ -80,15 +80,15 @@ Below are two real-life examples of behavioral blocking and containment in actio As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. -Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain: -- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. +Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain: +- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). 
While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)): :::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center"::: -This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running. +This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running. ### Example 2: NTML relay - Juicy Potato malware variant diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 3666eb4a2a..621f338029 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -1,6 +1,6 @@ --- title: Check the health state of the sensor in Microsoft Defender ATP -description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data. +description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -25,33 +25,31 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) -The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. +The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. -There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: -- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. +There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service: +- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. +- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. +Clicking any of the groups directs you to **Devices list**, filtered according to your choice. 
-Clicking any of the groups directs you to Machines list, filtered according to your choice. +![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png) -You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview.md). +On **Devices list**, you can filter the health state list by the following status: +- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service. +- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: + - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device. + - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work. +- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service. -You can filter the health state list by the following status: -- **Active** - Machines that are actively reporting to the Microsoft Defender ATP service. -- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues: - - **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine. - - **Impaired communications** - Ability to communicate with machine is impaired. 
Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work. -- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service. - - -You can view the machine details when you click on a misconfigured or inactive machine. - -![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png) - -In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. +You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md). >[!NOTE] ->Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. +>Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. + +![Screenshot of Devices list page](images/atp-devices-list-page.png) + +You can view the device details when you click on a misconfigured or inactive device. ## Related topic - [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 1596496d14..d8929fdd67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md 
@@ -1,6 +1,6 @@ --- title: Collect investigation package API -description: Use this API to create calls related to the collecting an investigation package from a machine. +description: Use this API to create calls related to the collecting an investigation package from a device. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description -Collect investigation package from a machine. +Collect investigation package from a device. ## Limitations @@ -42,7 +42,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md index de0e22cee2..cf9bede7a1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md 
@@ -37,7 +37,7 @@ The following OS versions are supported: - Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) >[!NOTE] ->A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment. +>A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment. The following OS versions are not supported: - Windows Server 2008 R2 SP1 @@ -67,7 +67,7 @@ The following capabilities are not currently available: The following capabilities are not currently available: - Threat protection report -- Machine health and compliance report +- Device health and compliance report - Integration with third-party products @@ -92,7 +92,7 @@ You'll need to ensure that traffic from the following are allowed: Service location | DNS record :---|:--- -Common URLs for all locations (Global location) | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```notify.windows.com```
```settings-win.data.microsoft.com```

NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 machines running version 1803 or earlier. +Common URLs for all locations (Global location) | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```notify.windows.com```
```settings-win.data.microsoft.com```

NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier. Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com```
```winatp-gw-usgt.microsoft.com```
```winatp-gw-usgv.microsoft.com```
```*.blob.core.usgovcloudapi.net``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index b58503a9c9..fb8e70489a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -41,7 +41,7 @@ The compliance policy is used with Conditional Access to allow only devices that ## Understand the Conditional Access flow Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. -The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune. +The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune. Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied. @@ -55,8 +55,8 @@ To resolve the risk found on a device, you'll need to return the device to a com There are three ways to address a risk: 1. Use Manual or automated remediation. -2. Resolve active alerts on the machine. This will remove the risk from the machine. -3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine. +2. Resolve active alerts on the device. This will remove the risk from the device. +3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device. Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 06bd8455af..0577df46b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -1,6 +1,6 @@ --- title: Overview of Configuration score in Microsoft Defender Security Center -description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls +description: Your configuration score shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -25,7 +25,7 @@ ms.topic: conceptual >[!NOTE] > Secure score is now part of Threat & Vulnerability Management as Configuration score. -Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories: +Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories: - Application - Operating system @@ -60,7 +60,7 @@ You can improve your security configuration when you remediate issues from the s 3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up. 4. **Submit request**. You will see a confirmation message that the remediation task has been created. - >![Remediation task creation confirmation](images/tvm_remediation_task_created.png) + ![Remediation task creation confirmation](images/tvm_remediation_task_created.png) 5. Save your CSV file. ![Save csv file](images/tvm_save_csv_file.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md index b9b7d557f2..33f344c34b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md 
@@ -27,7 +27,7 @@ This section guides you through the steps you need to take to configure Threat & ### Before you begin > [!IMPORTANT] -> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
+> Threat & Vulnerability Management data currently supports Windows 10 devices. Upgrade to Windows 10 to account for the rest of your devices’ threat and vulnerability exposure data.
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 70890b48ee..2dc93956ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -32,7 +32,7 @@ You'll need to install and configure some files and tools to use Micro Focus Arc >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ## Before you begin diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 8286330112..a4c17d2c2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md 
@@ -37,7 +37,7 @@ To configure automated investigation and remediation, you [turn on the features] ## Set up device groups 1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**. -2. Select **+ Add machine group**. +2. Select **+ Add device group**. 3. Create at least one device group, as follows: - Specify a name and description for the device group. - In the **Automation level list**, select a level, such as **Full – remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 96650774c3..e605898b2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -1,7 +1,7 @@ --- title: Configure alert notifications in Microsoft Defender ATP description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria. -keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education +keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -32,15 +32,15 @@ You can configure Microsoft Defender ATP to send email notifications to specifie You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md). -If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule. -Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope. -Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups. +If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. +Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. The email notification includes basic information about the alert and a link to the portal where you can do further investigation. ## Create rules for alert notifications -You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients. +You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients. 1. In the navigation pane, select **Settings** > **Alert notifications**. 
@@ -51,12 +51,12 @@ You can create rules that determine the machines and alert severities to send em - **Rule name** - Specify a name for the notification rule. - **Include organization name** - Specify the customer name that appears on the email notification. - **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant. - - **Include machine information** - Includes the machine name in the email alert body. + - **Include device information** - Includes the device name in the email alert body. >[!NOTE] > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data. - - **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups.md). + - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md). - **Alert severity** - Choose the alert severity level. 4. Click **Next**. @@ -67,10 +67,6 @@ You can create rules that determine the machines and alert severities to send em 7. Click **Save notification rule**. -Here's an example email notification: - -![Image of example email notification](images/atp-example-email-notification.png) - ## Edit a notification rule 1. Select the notification rule you'd like to edit. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 00b5ca0b72..3f0a7dcdd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md 
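Review bot: in hunk @@ -51,12 of configure-email-notifications.md, the link text becomes `[Create and manage device groups](machine-groups.md)` while the target file keeps its old name; that is fine if the file is not renamed in this PR, but confirm it still resolves, and while this NOTE is being touched fix the pre-existing typo in the context line `recipient mail servers that ar not in the geographic location` (`ar` should be `are`). In hunk @@ -67,10 the screenshot `![Image of example email notification](images/atp-example-email-notification.png)` is removed with no replacement or explanation; if no other page references it, delete `images/atp-example-email-notification.png` in the same change, and state the reason for dropping it in the PR description.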
@@ -1,7 +1,7 @@ --- title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy -description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service. -keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, group policy +description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service. +keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 04/24/2018 --- -# Onboard Windows 10 machines using Group Policy +# Onboard Windows 10 devices using Group Policy **Applies to:** @@ -37,7 +37,7 @@ ms.date: 04/24/2018 > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates. -## Onboard machines using Group Policy +## Onboard devices using Group Policy 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. 
@@ -48,7 +48,7 @@ ms.date: 04/24/2018 d. Click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*. 3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 
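Review bot: in hunk @@ -48,7 of configure-endpoints-gp.md, `2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device.` should say which principal needs access: the Group Policy preference that launches *WindowsDefenderATPOnboardingScript.cmd* runs it as NT AUTHORITY\SYSTEM (the Windows Server 2019 note in hunk @@ -37,7 refers to that account), so the share and NTFS ACLs must grant read to the devices' computer accounts (for example Domain Computers), not to interactive users. "Read-only" deserves a sentence of justification as well: anything placed at that path executes with SYSTEM privileges on every targeted device, so write access should be limited to the administrators who maintain the package.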
@@ -65,15 +65,15 @@ ms.date: 04/24/2018 9. Click **OK** and close any open GPMC windows. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). ## Additional Microsoft Defender ATP configuration settings -For each machine, you can state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. +For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. ### Configure sample collection settings -1. On your GP management machine, copy the following files from the +1. On your GP management device, copy the following files from the configuration package: a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_ 
@@ -95,17 +95,17 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa 5. Click **Windows components** and then **Windows Defender ATP**. -6. Choose to enable or disable sample sharing from your machines. +6. Choose to enable or disable sample sharing from your devices. >[!NOTE] > If you don't set a value, the default value is to enable sample collection. -## Offboard machines using Group Policy -For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +## Offboard devices using Group Policy +For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] -> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. +> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 
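Review bot: in hunk @@ -95,17 of configure-endpoints-gp.md, the rewritten line `+For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. ... you will be notified of the packages expiry date` still carries `packages expiry date` (should be `package's expiry date`) and a mid-sentence capital in `Offboard`; since the line is being rewritten anyway, fix both. The identical sentence is rewritten in configure-endpoints-mdm.md (hunk @@ -44,18) and configure-endpoints-sccm.md (hunk @@ -97,18), so apply the same fix there. Separately, `> If you don't set a value, the default value is to enable sample collection.` is the security-relevant default on this page: it would help to state plainly that an unconfigured policy means files can be collected from the device when an analyst requests deep analysis, so that administrators who want to opt out know they must set the policy to disabled rather than leave it unset.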
@@ -117,7 +117,7 @@ For security reasons, the package used to Offboard machines will expire 30 days d. Click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. 3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. 
@@ -134,25 +134,25 @@ For security reasons, the package used to Offboard machines will expire 30 days 9. Click **OK** and close any open GPMC windows. > [!IMPORTANT] -> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. +> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. -## Monitor machine configuration -With Group Policy there isn’t an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools. +## Monitor device configuration +With Group Policy there isn’t an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools. -## Monitor machines using the portal +## Monitor devices using the portal 1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/). -2. Click **Machines list**. -3. Verify that machines are appearing. +2. Click **Devices list**. +3. Verify that devices are appearing. > [!NOTE] -> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. +> It can take several days for devices to start showing on the **Devices list**. This includes the time it takes for the policies to be distributed to the device, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. 
## Related topics -- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machines](run-detection-test.md) +- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP devices](run-detection-test.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index c5d535a96e..b06ae2ef0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md 
@@ -1,7 +1,7 @@ --- -title: Onboard Windows 10 machines using Mobile Device Management tools -description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service. -keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, mdm +title: Onboard Windows 10 devices using Mobile Device Management tools +description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service. +keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 12/06/2018 --- -# Onboard Windows 10 machines using Mobile Device Management tools +# Onboard Windows 10 devices using Mobile Device Management tools **Applies to:** @@ -27,7 +27,7 @@ ms.date: 12/06/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) -You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines. +You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices. For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). 
@@ -36,7 +36,7 @@ If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwi For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment). -## Onboard machines using Microsoft Intune +## Onboard devices using Microsoft Intune Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). 
@@ -44,18 +44,18 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh > [!NOTE] -> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. -> - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703. +> - The **Health Status for onboarded devices** policy uses read-only properties and can't be remediated. +> - Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). -## Offboard and monitor machines using Mobile Device Management tools -For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +## Offboard and monitor devices using Mobile Device Management tools +For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. 
> [!NOTE] -> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. +> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 
@@ -79,15 +79,15 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy > [!NOTE] -> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. +> The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated. > [!IMPORTANT] -> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. +> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) 
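Review bot: the Related topics list in hunk @@ -79,15 of configure-endpoints-mdm.md correctly reads `- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)` (singular), but the same item as rewritten in configure-endpoints-gp.md (hunk @@ -134,25) reads `... newly onboarded Microsoft Defender ATP devices`, where the plural after `a newly onboarded` was carried over from the old `machines` wording; change the GP page to the singular so both lists match the target page's title.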
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index 34b72d6438..e59d230fb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -1,7 +1,7 @@ --- -title: Onboard non-Windows machines to the Microsoft Defender ATP service -description: Configure non-Windows machines so that they can send sensor data to the Microsoft Defender ATP service. -keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines +title: Onboard non-Windows devices to the Microsoft Defender ATP service +description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender ATP service. +keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard non-Windows machines +# Onboard non-Windows devices **Applies to:** 
@@ -33,12 +33,12 @@ You'll need to know the exact Linux distros and macOS versions that are compatib - [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) - [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). -## Onboarding non-Windows machines -You'll need to take the following steps to onboard non-Windows machines: +## Onboarding non-Windows devices +You'll need to take the following steps to onboard non-Windows devices: 1. Select your preferred method of onboarding: - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac). - - For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**. + - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**. 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. @@ -51,7 +51,7 @@ You'll need to take the following steps to onboard non-Windows machines: 2. Run a detection test by following the instructions of the third-party solution. -## Offboard non-Windows machines +## Offboard non-Windows devices 1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender ATP. 
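Review bot: in hunk @@ -33,12 of configure-endpoints-non-windows.md, `- For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.` renames a bolded portal control, not just prose; a global machine-to-device substitution is only correct here if the option in Microsoft Defender Security Center is actually labelled that way, so verify against the portal before merging. The same check applies to the other UI strings rewritten in this patch, `2. Select **+ Add device group**.` in configure-automated-investigations-remediation.md, `2. Click **Devices list**.` in configure-endpoints-gp.md, and the `**Health Status for onboarded devices**` / `**Health Status for offboarded devices**` policy names in configure-endpoints-mdm.md, since readers look for the exact bolded text in the UI.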
@@ -63,7 +63,7 @@ You'll need to take the following steps to onboard non-Windows machines: ## Related topics -- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) - [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 28eb5db87f..5ad42ec668 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -1,7 +1,7 @@ --- -title: Onboard Windows 10 machines using Configuration Manager -description: Use Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. -keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines +title: Onboard Windows 10 devices using Configuration Manager +description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service. +keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -18,7 +18,7 @@ ms.topic: article ms.date: 02/07/2020 --- -# Onboard Windows 10 machines using Configuration Manager +# Onboard Windows 10 devices using Configuration Manager **Applies to:** 
@@ -30,17 +30,17 @@ ms.date: 02/07/2020 -## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager current branch +## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection). -## Onboard Windows 10 machines using earlier versions of System Center Configuration Manager +## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager -You can use existing Configuration Manager functionality to create a policy to configure your machines. This action is supported in System Center 2012 R2 Configuration Manager. +You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager. -### Onboard machines using System Center Configuration Manager +### Onboard devices using System Center Configuration Manager 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 
@@ -62,10 +62,10 @@ You can use existing Configuration Manager functionality to create a policy to c > Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). > -> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a machine has been onboarded. An application is a different type of object than a package and program. -> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the machine until the rule detects the status change. +> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. +> If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change. > > This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1. 
> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status". @@ -73,10 +73,10 @@ For more information, see [Configure Detection Methods in System Center 2012 R2 ### Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. +For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. -You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine. -This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure they’re complaint. +You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device. +This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure they’re complaint. The configuration is set through the following registry key entry: @@ -88,8 +88,8 @@ Value: 0 or 1 Where:
Key type is a D-WORD.
Possible values are: -- 0 - doesn't allow sample sharing from this machine -- 1 - allows sharing of all file types from this machine +- 0 - doesn't allow sample sharing from this device +- 1 - allows sharing of all file types from this device The default value in case the registry key doesn’t exist is 1. 
@@ -97,18 +97,18 @@ For more information about System Center Configuration Manager Compliance see [I -## Offboard machines using Configuration Manager +## Offboard devices using Configuration Manager -For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] -> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. +> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. -### Offboard machines using Microsoft Endpoint Configuration Manager current branch +### Offboard devices using Microsoft Endpoint Configuration Manager current branch If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). -### Offboard machines using System Center 2012 R2 Configuration Manager +### Offboard devices using System Center 2012 R2 Configuration Manager 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 
@@ -127,18 +127,18 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create a. Choose a predefined device collection to deploy the package to. > [!IMPORTANT] -> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. +> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. -## Monitor machine configuration +## Monitor device configuration If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: -1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network. +1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network. -2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service). +2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service). ### Confirm the configuration package has been correctly deployed 
@@ -150,15 +150,15 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists 4. Review the status indicators under **Completion Statistics** and **Content Status**. - If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png) -### Check that the machines are compliant with the Microsoft Defender ATP service +### Check that the devices are compliant with the Microsoft Defender ATP service You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment. -This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines. +This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices. Monitor the following registry key entry: ``` 
@@ -169,9 +169,9 @@ Value: “1” For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)). ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index baa161a42c..ebc09038ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md 
@@ -1,7 +1,7 @@ --- -title: Onboard Windows 10 machines using a local script -description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service. -keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines +title: Onboard Windows 10 devices using a local script +description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service. +keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard Windows 10 machines using a local script +# Onboard Windows 10 devices using a local script **Applies to:** 
@@ -29,12 +29,12 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network. +You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. > [!NOTE] -> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints.md). +> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md). -## Onboard machines +## Onboard devices 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. 
@@ -46,9 +46,9 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You d. Click **Download package** and save the .zip file. -2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. +2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*. -3. Open an elevated command-line prompt on the machine and run the script: +3. Open an elevated command-line prompt on the device and run the script: a. Go to **Start** and type **cmd**. 
@@ -60,16 +60,16 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You 5. Press the **Enter** key or click **OK**. -For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). +For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). >[!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ## Configure sample collection settings -For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. +For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. -You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file. +You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file. The configuration is set through the following registry key entry: @@ -81,17 +81,17 @@ Value: 0 or 1 Where:
Name type is a D-WORD.
Possible values are: -- 0 - doesn't allow sample sharing from this machine -- 1 - allows sharing of all file types from this machine +- 0 - doesn't allow sample sharing from this device +- 1 - allows sharing of all file types from this device The default value in case the registry key doesn’t exist is 1. -## Offboard machines using a local script -For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +## Offboard devices using a local script +For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. > [!NOTE] -> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions. +> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. 1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 
@@ -103,9 +103,9 @@ For security reasons, the package used to Offboard machines will expire 30 days d. Click **Download package** and save the .zip file. -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Open an elevated command-line prompt on the machine and run the script: +3. Open an elevated command-line prompt on the device and run the script: a. Go to **Start** and type **cmd**. 
@@ -118,26 +118,26 @@ For security reasons, the package used to Offboard machines will expire 30 days 5. Press the **Enter** key or click **OK**. > [!IMPORTANT] -> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. +> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months. -## Monitor machine configuration +## Monitor device configuration You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running. Monitoring can also be done directly on the portal, or by using the different deployment tools. -### Monitor machines using the portal +### Monitor devices using the portal 1. Go to Microsoft Defender Security Center. -2. Click **Machines list**. +2. Click **Devices list**. -3. Verify that machines are appearing. +3. Verify that devices are appearing. 
## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) -- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index bc65d8301d..e8ace77542 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md 
@@ -1,7 +1,7 @@ --- -title: Onboard non-persistent virtual desktop infrastructure (VDI) machines -description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Microsoft Defender ATP the service. -keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints +title: Onboard non-persistent virtual desktop infrastructure (VDI) devices +description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service. +keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -18,17 +18,17 @@ ms.topic: article ms.date: 04/16/2020 --- -# Onboard non-persistent virtual desktop infrastructure (VDI) machines +# Onboard non-persistent virtual desktop infrastructure (VDI) devices **Applies to:** -- Virtual desktop infrastructure (VDI) machines +- Virtual desktop infrastructure (VDI) devices >[!WARNING] -> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session. +> Microsoft Defender ATP support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) -## Onboard non-persistent virtual desktop infrastructure (VDI) machines +## Onboard non-persistent virtual desktop infrastructure (VDI) devices Microsoft Defender ATP supports non-persistent VDI session onboarding. 
@@ -40,15 +40,15 @@ Microsoft Defender ATP supports non-persistent VDI session onboarding. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: - Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning. -- The machine name is typically reused for new sessions. +- The device name is typically reused for new sessions. -VDI machines can appear in Microsoft Defender ATP portal as either: +VDI devices can appear in Microsoft Defender ATP portal as either: -- Single entry for each machine. -Note that in this case, the *same* machine name must be configured when the session is created, for example using an unattended answer file. -- Multiple entries for each machine - one for each session. +- Single entry for each device. +Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. +- Multiple entries for each device - one for each session. -The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries. +The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries. >[!WARNING] > For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding. @@ -68,8 +68,8 @@ The following steps will guide you through onboarding VDI machines and will high >[!NOTE] >If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer. -3. The following step is only applicable if you're implementing a single entry for each machine:
- **For single entry for each machine**:
+3. The following step is only applicable if you're implementing a single entry for each device:
+ **For single entry for each device**:
a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`.
>[!NOTE] @@ -78,30 +78,30 @@ The following steps will guide you through onboarding VDI machines and will high 4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**. >[!NOTE] - >Domain Group Policy may also be used for onboarding non-persistent VDI machines. + >Domain Group Policy may also be used for onboarding non-persistent VDI devices. 5. Depending on the method you'd like to implement, follow the appropriate steps:
- **For single entry for each machine**:
+ **For single entry for each device**:
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`.

- **For multiple entries for each machine**:
+ **For multiple entries for each device**:
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`. 6. Test your solution: - a. Create a pool with one machine. + a. Create a pool with one device. - b. Logon to machine. + b. Logon to device. - c. Logoff from machine. + c. Logoff from device. - d. Logon to machine with another user. + d. Logon to device with another user. - e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.
- **For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center. + e. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.
+ **For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center. -7. Click **Machines list** on the Navigation pane. +7. Click **Devices list** on the Navigation pane. -8. Use the search function by entering the machine name and select **Machine** as search type. +8. Use the search function by entering the device name and select **Device** as search type. ## Updating non-persistent virtual desktop infrastructure (VDI) images As a best practice, we recommend using offline servicing tools to patch golden/master images.
@@ -120,7 +120,7 @@ For more information on DISM commands and offline servicing, please refer to the If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health: -1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script). +1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). 2. Ensure the sensor is stopped by running the command below in a CMD window: @@ -143,8 +143,8 @@ If offline servicing is not a viable option for your non-persistent VDI environm 5. Re-seal the golden/master image as you normally would. ## Related topics -- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) -- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) -- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) -- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md) +- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) +- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) +- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) +- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index c3f4376a4a..bde1047764 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -1,7 +1,7 @@ --- -title: Onboarding tools and methods for Windows 10 machines -description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor -keywords: Onboard Windows 10 machines, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune +title: Onboarding tools and methods for Windows 10 devices +description: Onboard Windows 10 devices so that they can send sensor data to the Microsoft Defender ATP sensor +keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Onboarding tools and methods for Windows 10 machines +# Onboarding tools and methods for Windows 10 devices **Applies to:** @@ -26,7 +26,7 @@ ms.topic: conceptual -Machines in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization. +Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. The following deployment tools and methods are supported: 
@@ -38,11 +38,11 @@ The following deployment tools and methods are supported: ## In this section Topic | Description :---|:--- -[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines. -[Onboard Windows machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines. -[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine. -[Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. -[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines. +[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices. +[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. +[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device. +[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. 
+[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index dea1185d9b..42f46bd701 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -48,6 +48,6 @@ For more information about ASR rule deployment in Microsoft 365 security center, **Related topics** -* [Ensure your machines are configured properly](configure-machines.md) -* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +* [Ensure your devices are configured properly](configure-machines.md) +* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) * [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index d3f378cce2..c189165c5f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md 
@@ -1,6 +1,6 @@ --- -title: Get machines onboarded to Microsoft Defender ATP -description: Track onboarding of Intune-managed machines to Windows Defender ATP and increase onboarding rate. +title: Get devices onboarded to Microsoft Defender ATP +description: Track onboarding of Intune-managed devices to Microsoft Defender ATP and increase onboarding rate. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -17,34 +17,34 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get machines onboarded to Microsoft Defender ATP +# Get devices onboarded to Microsoft Defender ATP **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. +Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. -Before you can track and manage onboarding of machines: -- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management) +Before you can track and manage onboarding of devices: +- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management) - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) -## Discover and track unprotected machines +## Discover and track unprotected devices -The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines. 
+The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices. -![Machine configuration management Onboarding card](images/secconmgmt_onboarding_card.png)
-*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine* +![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)
+*Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device* >[!NOTE] ->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines. +>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices. -## Onboard more machines with Intune profiles +## Onboard more devices with Intune profiles -Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service. +Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service. -From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. +From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. 
![Microsoft Defender ATP device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)
*Microsoft Defender ATP device compliance page on Intune device management* @@ -55,16 +55,16 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass >[!NOTE] > If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. -From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either: +From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. - Create the device configuration profile from scratch. -For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). +For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics -- [Ensure your machines are configured properly](configure-machines.md) +- [Ensure your devices are configured properly](configure-machines.md) - [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) 
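Review bot: the NOTE in the `## Discover and track unprotected devices` hunk still says `If you used Security Center Configuration Manager`, which is not a product name; the rest of this patch uses `Microsoft Endpoint Configuration Manager` (see the onboarding table in configure-endpoints), so the line should be corrected while it is being rewritten. Two smaller leftovers in the same hunk: `as well security configuration issues` is missing "as" (`as well as security configuration issues`), and the caption `Intune-managed Windows 10 device*` should be plural. Separately, `select **Onboard more devices**` is a bolded UI label, not prose; confirm the card in the portal actually reads "Onboard more devices" before renaming it, otherwise the doc will no longer match the button.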
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index e7f8c3b23b..958fa4756c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -1,7 +1,7 @@ --- title: Increase compliance to the Microsoft Defender ATP security baseline description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection. -keywords: Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection ASR, security baseline +keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
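Review bot: this hunk drops `Windows Defender` from the `keywords:` line of configure-machines-security-baseline.md, but the other pages in the same patch (configure-machines-onboarding.md, configure-machines.md) keep `Windows Defender` in their keywords. Readers still searching by the old product name lose only this page; either keep the keyword here or remove it uniformly across the set.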
@@ -29,42 +29,42 @@ Security baselines ensure that security features are configured according to gui To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). Before you can deploy and track compliance to security baselines: -- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management) +- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management) - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Compare the Microsoft Defender ATP and the Windows Intune security baselines -The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: +The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. 
For more information about each baseline, see: - [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) - [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp) -Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. +Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. >[!NOTE] ->The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. +>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. 
## Monitor compliance to the Microsoft Defender ATP security baseline -The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline. +The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline. ![Security baseline card](images/secconmgmt_baseline_card.png)
*Card showing compliance to the Microsoft Defender ATP security baseline* -Each machine is given one of the following status types: +Each device is given one of the following status types: -- **Matches baseline**—machine settings match all the settings in the baseline -- **Does not match baseline**—at least one machine setting doesn't match the baseline -- **Misconfigured**—at least one baseline setting isn't properly configured on the machine and is in a conflict, error, or pending state -- **Not applicable**—At least one baseline setting isn't applicable on the machine +- **Matches baseline**—device settings match all the settings in the baseline +- **Does not match baseline**—at least one device setting doesn't match the baseline +- **Misconfigured**—at least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state +- **Not applicable**—At least one baseline setting isn't applicable on the device -To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines. +To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices. >[!NOTE] ->You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune. +>You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune. ## Review and assign the Microsoft Defender ATP security baseline -Machine configuration management monitors baseline compliance only of Windows 10 machines that have been specifically assigned the Microsoft Defender ATP security baseline. 
You can conveniently review the baseline and assign it to machines on Intune device management. +Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed. @@ -82,22 +82,22 @@ Machine configuration management monitors baseline compliance only of Windows 10 ![Security baseline options during profile creation on Intune](images/secconmgmt_baseline_intuneprofile2.png)
*Security baseline options during profile creation on Intune* -4. Assign the profile to the appropriate machine group. +4. Assign the profile to the appropriate device group. ![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)
*Assigning the security baseline profile on Intune* -5. Create the profile to save it and deploy it to the assigned machine group. +5. Create the profile to save it and deploy it to the assigned device group. ![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)
*Creating the security baseline profile on Intune* >[!TIP] ->Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). +>Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics -- [Ensure your machines are configured properly](configure-machines.md) -- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +- [Ensure your devices are configured properly](configure-machines.md) +- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 463aa8e967..3e3bb64cc8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
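Review bot: the blanket machines-to-devices replacement hit a term that should not change: the NOTE in the `## Compare the Microsoft Defender ATP and the Windows Intune security baselines` hunk now reads `not recommended for use on virtual machine (VMs) or VDI endpoints`; `virtual machines (VMs)` is the correct term and should be restored. While that paragraph block is being rewritten, `Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines` is awkward; suggest `Ideally, devices onboarded to Microsoft Defender ATP have both baselines deployed: ...`.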
@@ -1,6 +1,6 @@ --- -title: Ensure your machines are configured properly -description: Properly configure machines to boost overall resilience against threats and enhance your capability to detect and respond to attacks. +title: Ensure your devices are configured properly +description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,44 +17,46 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Ensure your machines are configured properly +# Ensure your devices are configured properly **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines: +With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices: - Onboard to Microsoft Defender ATP - Meet or exceed the Microsoft Defender ATP security baseline configuration - Have strategic attack surface mitigations in place +Click **Configuration management** from the navigation menu to open the Device configuration management page. + ![Security configuration management page](images/secconmgmt_main.png)
-*Machine configuration management page* +*Device configuration management page* You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center. In doing so, you benefit from: -- Comprehensive visibility of the events on your machines -- Robust threat intelligence and powerful machine learning technologies for processing raw events and identifying the breach activity and threat indicators +- Comprehensive visibility of the events on your devices +- Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators - A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities - Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity -## Enroll machines to Intune management +## Enroll devices to Intune management -Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines. +Device configuration management works closely with Intune device management to establish the inventory of the devices in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 devices. -Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. 
For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll). +Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll). >[!NOTE] >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign). >[!TIP] ->To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). +>To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ## Obtain required permissions -By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline. +By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. If you have been assigned other roles, ensure you have the necessary permissions: 
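Review bot: the same search-and-replace changed `machine learning` to `device learning` in the benefits list (`Robust threat intelligence and powerful device learning technologies`); that is a term of art and must be reverted to `machine learning`. Also, renaming the heading to `## Enroll devices to Intune management` changes its anchor; the two in-repo links updated in this patch (configure-machines-onboarding.md and configure-machines-security-baseline.md) cover the references visible here, but run a repo-wide search for `#enroll-machines-to-intune-management` before merging, and note that any external bookmarks to the old anchor will silently land at the top of the page.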
@@ -72,8 +74,8 @@ If you have been assigned other roles, ensure you have the necessary permissions ## In this section Topic | Description :---|:--- -[Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed machines and onboard more machines through Intune. -[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines. +[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. +[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center. >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 1beb715be6..0be1734f27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md 
@@ -24,7 +24,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Before you begin -Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up. +Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up. Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. @@ -37,15 +37,15 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M 2. Click **Apply**. -![Image of Microsoft Threat Experts settings](images/mte-collaboratewithmte.png) + ![Image of Microsoft Threat Experts settings](images/mte-collaboratewithmte.png) 3. Enter your name and email address so that Microsoft can get back to you on your application. -![Image of Microsoft Threat Experts application](images/mte-apply.png) + ![Image of Microsoft Threat Experts application](images/mte-apply.png) 4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved. -![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png) + ![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png) 6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**. 
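Review bot: indenting the three screenshots so they sit inside their numbered steps is the right fix, but the list visible in the same hunk's context goes from `4. Read the [privacy statement]...` straight to `6. From the navigation pane...` with no step 5; renumber or restore the missing step while the list is being edited. In the `## Before you begin` hunk, `with devices enrolled` uses Intune vocabulary; the configure-machines pages in this patch consistently say devices are "enrolled" to Intune and "onboarded" to Microsoft Defender ATP, so `with devices onboarded` would match.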
@@ -68,13 +68,13 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert ## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization -You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard. +You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard. > [!NOTE] > - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details. > - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry. -1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request. +1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request. 2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**. 
@@ -88,33 +88,36 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w ![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png) - The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request. + The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request. 3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation. 4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts. > [!NOTE] -> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. Watch this video for a quick overview of the Microsoft Services Hub. +> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. + +Watch this video for a quick overview of the Microsoft Services Hub. >[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f] -
+ + ## Sample investigation topics that you can consult with Microsoft Threat Experts **Alert information** - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? -- We’ve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? +- We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? - I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored? - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. **Possible machine compromise** -- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity. +- Can you help answer why we see “Unknown process observed?” This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity. - Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]? **Threat intelligence details** -- This morning, we detected a phishing email that delivered a malicious Word document to a user. 
This caused a series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? -- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? +- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? +- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? @@ -133,7 +136,7 @@ Response from Microsoft Threat Experts varies according to your inquiry. They wi - Investigation requires more time - Initial information was enough to conclude the investigation -It is crucial to respond in a timely manner to keep the investigation moving. +It is crucial to respond in quickly to keep the investigation moving. ## Related topic - [Microsoft Threat Experts overview](microsoft-threat-experts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 7f7ce8196d..852f5ff3b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md 
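Review bot: the edit in the `@@ -133,7` hunk introduces a grammar error: `It is crucial to respond in quickly to keep the investigation moving.` keeps the "in" from the old phrase; it should read `It is crucial to respond quickly ...`. In the sample-topics hunk above it, the bullets under `**Possible machine compromise**` were changed to say `devices`, but the subheading itself still says "machine"; rename it to `**Possible device compromise**` for consistency with the rest of the patch.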
@@ -1,7 +1,7 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP +description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh @@ -24,9 +24,9 @@ ms.date: 09/03/2018 **Applies to:** -- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -44,7 +44,7 @@ The integration will allow MSSPs to take the following actions: - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. 
@@ -54,7 +54,7 @@ In general, the following configuration steps need to be taken: - **Grant the MSSP access to Microsoft Defender Security Center**
-This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant. +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. - **Configure alert notifications sent to MSSPs**
@@ -97,7 +97,7 @@ Granting access to guest user is done the same way as granting access to a user If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md). -If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac.md). +If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md). >[!NOTE] @@ -166,7 +166,7 @@ Step 3: allow your application on Microsoft Defender Security Center ### Step 1: Create an application in Azure Active Directory (Azure AD) -You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant. +You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant. 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). @@ -296,7 +296,7 @@ You'll need to have **Manage portal system settings** permission to allow the ap 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). +You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). - In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index c910870e7e..94f58cc685 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -1,5 +1,5 @@ --- -title: Configure machine proxy and Internet connection settings +title: Configure device proxy and Internet connection settings description: Configure the Microsoft Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure machine proxy and Internet connectivity settings +# Configure device proxy and Internet connectivity settings **Applies to:** @@ -106,8 +106,8 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning. > [!NOTE] -> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.
-> URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 machine running version 1803 or later and onboarded to US Data Storage region. +> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.
+> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region. Service location | Microsoft.com DNS record -|- @@ -156,7 +156,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. -2. Extract the contents of MDATPClientAnalyzer.zip on the machine. +2. Extract the contents of MDATPClientAnalyzer.zip on the device. 3. Open an elevated command-line: @@ -200,5 +200,5 @@ However, if the connectivity check results indicate a failure, an HTTP error is ## Related topics -- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard Windows 10 devices](configure-endpoints.md) - [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 537ebb95b2..642a65bde0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md 
@@ -1,7 +1,7 @@ --- title: Onboard servers to the Microsoft Defender ATP service description: Onboard servers so that they can send sensor data to the Microsoft Defender ATP sensor. -keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers +keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -78,7 +78,7 @@ You'll need to take the following steps if you choose to onboard servers through Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). > [!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ### Configure and update System Center Endpoint Protection clients 
@@ -92,9 +92,9 @@ The following steps are required to enable this integration: ### Turn on Server monitoring from the Microsoft Defender Security Center portal -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. +1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. -2. Select Windows Server 2012 R2 and 2016 as the operating system. +2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system. 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. @@ -123,7 +123,7 @@ Once completed, you should see onboarded servers in the portal within an hour. ### Option 2: Onboard servers through Azure Security Center -1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. +1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. 2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system. 
@@ -143,13 +143,13 @@ Supported tools include: - Group Policy - Microsoft Endpoint Configuration Manager - System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 -- VDI onboarding scripts for non-persistent machines +- VDI onboarding scripts for non-persistent devices -For more information, see [Onboard Windows 10 machines](configure-endpoints.md). +For more information, see [Onboard Windows 10 devices](configure-endpoints.md). Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md). +1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly: @@ -195,7 +195,7 @@ The following capabilities are included in this integration: ## Offboard servers -You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines. +You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. For other server versions, you have two options to offboard servers from the service: - Uninstall the MMA agent 
@@ -228,7 +228,7 @@ To offboard the server, you can use either of the following methods: 1. In the navigation pane, select **Settings** > **Onboarding**. - 1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID: + 1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID: ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) @@ -244,8 +244,8 @@ To offboard the server, you can use either of the following methods: ``` ## Related topics -- [Onboard Windows 10 machines](configure-endpoints.md) -- [Onboard non-Windows machines](configure-endpoints-non-windows.md) +- [Onboard Windows 10 devices](configure-endpoints.md) +- [Onboard non-Windows devices](configure-endpoints-non-windows.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md) +- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) - [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index d5f2d69d6c..a72dbb0a7b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md 
@@ -29,8 +29,8 @@ ms.topic: article >[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. ->- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 2d543f5b2d..bc7f7201e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md 
@@ -20,7 +20,7 @@ ms.topic: conceptual # Connected applications in Microsoft Defender ATP **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) Connected applications integrates with the Microsoft Defender ATP platform using APIs. diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index 0f087e2e04..6efcb63fd5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -64,7 +64,7 @@ DeviceEvents You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: -1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. +1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index 0a85cb240c..d08c4e2bba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -28,7 +28,7 @@ Creates new [Alert](alerts.md) on top of **Event**.
**Microsoft Defender ATP Event** is required for the alert creation.
You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
You can use an event found in Advanced Hunting API or Portal. -
If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it. +
If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
An automatic investigation starts automatically on alerts created via the API. @@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request @@ -71,7 +71,7 @@ Property | Type | Description :---|:---|:--- eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**. reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**. -machineId | String | Id of the machine on which the event was identified. **Required**. +machineId | String | Id of the device on which the event was identified. **Required**. severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index fcfeb45219..7481a4362e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md 
@@ -23,7 +23,7 @@ ms.topic: article **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. +Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. > [!NOTE] > To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. 
@@ -36,9 +36,9 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an #### Required columns in the query results To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns. -There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine. +There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device. -The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. +The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function. ```kusto DeviceEvents 
@@ -72,19 +72,19 @@ When saved, a new or edited custom detection rule immediately runs and checks fo Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts. -### 3. Specify actions on files or machines. -Your custom detection rule can automatically take actions on files or machines that are returned by the query. +### 3. Specify actions on files or devices. +Your custom detection rule can automatically take actions on files or devices that are returned by the query. -#### Actions on machines -These actions are applied to machines in the `DeviceId` column of the query results: -- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network) -- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines) -- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the machine -- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine +#### Actions on devices +These actions are applied to devices in the `DeviceId` column of the query results: +- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Collect investigation package** — collects device information in a ZIP file. 
[Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) +- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device +- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device #### Actions on files These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results: -- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule. +- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule. - **Quarantine file** — deletes the file from its current location and places a copy in quarantine ### 4. Click **Create** to save and turn on the rule. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 7853dd9b56..6a0da83f4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md 
@@ -113,7 +113,7 @@ An allowed application or service only has write access to a controlled folder a ### Use Group Policy to allow specific apps -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 30dd08b49c..13358eb288 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md 
@@ -25,7 +25,7 @@ manager: dansimp Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. @@ -136,7 +136,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations. -Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +Exporting the configuration as an XML file allows you to copy the configuration from one device onto other devices. ## PowerShell reference 
@@ -145,7 +145,7 @@ Exporting the configuration as an XML file allows you to copy the configuration The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. >[!IMPORTANT] - >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden. + >Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden. You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 2769a45bcd..6eb879daae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md 
@@ -30,16 +30,16 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Microsoft Defender ATP collect? -Microsoft Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. -Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). +Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). This data enables Microsoft Defender ATP to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected -- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. +- Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. Microsoft does not use your data for advertising. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index 5421596f11..50ce80ff33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. -keywords: windows defender compatibility, defender, windows defender atp +keywords: windows defender compatibility, defender, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -35,12 +35,12 @@ The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Def >[!IMPORTANT] >Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). -If an onboarded machine is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode. +If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode. Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client. -The Microsoft Defender Antivirus interface will be disabled, and users on the machine will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options. +The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options. For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index a04a30abf0..5daf2b2aa2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -33,7 +33,7 @@ There are three phases in deploying Microsoft Defender ATP: The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. -There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). +There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). ## In Scope diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index af6a7cbb1e..65f8212bc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -73,15 +73,15 @@ The following image shows an instance of unwanted software that was detected and ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. ### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. 
+Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 61cf625503..1fe945f148 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md 
@@ -34,7 +34,7 @@ You can enable controlled folder access by using any of these methods: * [Group Policy](#group-policy) * [PowerShell](#powershell) -[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine. +[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device. Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: @@ -91,7 +91,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 9c926b6d06..b0cad379e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md 
@@ -41,9 +41,9 @@ You can enable each mitigation separately by using any of these methods: Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. -You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines. +You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other devices. -You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine. +You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device. ## Windows Security app @@ -132,7 +132,7 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt ## Group Policy -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 382f789aa7..f827607d8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -29,7 +29,7 @@ Enable security information and event management (SIEM) integration so you can p >[!NOTE] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. >- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 1741fdf531..1d8f56f5e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -1,5 +1,5 @@ --- -title: Enable Microsoft Defender ATP Insider Machine +title: Enable Microsoft Defender ATP Insider Device description: Install and use Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh 
@@ -17,9 +17,9 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Enable Microsoft Defender ATP Insider Machine +# Enable Microsoft Defender ATP Insider Device -Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac machine to be an "Insider" machine as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). +Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). >[!IMPORTANT] >Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions. @@ -125,7 +125,7 @@ h. Select  **Manage > Assignments**. In the  **Include**  tab, select  * >[!WARNING] >You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product. -## Enable the Insider program manually on a single machine +## Enable the Insider program manually on a single device In terminal, run: 
@@ -145,16 +145,16 @@ For versions earlier than 100.78.0, run: To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). -To verify you are running the correct version, run ‘mdatp --health’ on the machine. +To verify you are running the correct version, run ‘mdatp --health’ on the device. * The required version is 100.72.15 or later. * If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal. * To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). * If you are not using Office for Mac, download and run the AutoUpdate tool. -### A machine still does not appear on Microsoft Defender Security Center +### A device still does not appear on Microsoft Defender Security Center -After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running ‘mdatp --connectivity-test’. +After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’. * Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index a77a399d92..980238995f 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -47,7 +47,7 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` > [!TIP] -> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index 1d9da1a791..ae0a15fe7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md 
@@ -45,7 +45,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` > [!TIP] -> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 4685d38d83..f85dc02558 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md 
@@ -18,12 +18,12 @@ ms.topic: article # Microsoft Defender ATP evaluation lab **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. +Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. -The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. +The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM] 
@@ -31,7 +31,7 @@ With the simplified set-up experience, you can focus on running your own test sc You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. -You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. +You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal. @@ -43,7 +43,7 @@ You'll need to fulfill the [licensing requirements](minimum-requirements.md#lice You must have **Manage security settings** permissions to: - Create the lab -- Create machines +- Create devices - Reset password - Create simulations 
@@ -58,12 +58,12 @@ You can access the lab from the menu. In the navigation menu, select **Evaluatio ![Image of the evaluation lab on the menu](images/evaluation-lab-menu.png) >[!NOTE] ->- Each environment is provisioned with a limited set of test machines. ->- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation. ->- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count. ->- Given the limited resources, it’s advisable to use the machines carefully. +>- Each environment is provisioned with a limited set of test devices. +>- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation. +>- When you've used up the provisioned devices, no new devices are provided. A deleted device does not refresh the available test device count. +>- Given the limited resources, it’s advisable to use the devices carefully. -Already have a lab? Make sure to enable the new threat simulators and have active machines. +Already have a lab? Make sure to enable the new threat simulators and have active devices. ## Setup the evaluation lab @@ -71,7 +71,7 @@ Already have a lab? Make sure to enable the new threat simulators and have activ ![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png) -2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**. +2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**. ![Image of lab configuration options](images/lab-creation-page.png) 
@@ -83,28 +83,28 @@ Already have a lab? Make sure to enable the new threat simulators and have activ >[!IMPORTANT] >You'll first need to accept and provide consent to the terms and information sharing statements. -4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add. +4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add. ![Image of summary page](images/lab-setup-summary.png) 5. Review the summary and select **Setup lab**. -After the lab setup process is complete, you can add machines and run simulations. +After the lab setup process is complete, you can add devices and run simulations. -## Add machines -When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines. +## Add devices +When you add a device to your environment, Microsoft Defender ATP sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices. -The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. +The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. >[!TIP] - > Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. + > Need more devices in your lab? 
Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. -If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add. +If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add. -The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. +The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. - The following security components are pre-configured in the test machines: + The following security components are pre-configured in the test devices: - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) 
@@ -116,35 +116,35 @@ The machine will automatically be onboarded to your tenant with the recommended - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) >[!NOTE] -> Microsoft Defender Antivirus will be on (not in audit). If Microsoft Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). +> Microsoft Defender Antivirus will be on (not in audit). If Microsoft Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). >[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections. -1. From the dashboard, select **Add machine**. +1. From the dashboard, select **Add device**. -2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019. +2. Choose the type of device to add. You can choose to add Windows 10 or Windows Server 2019. 
- ![Image of lab setup with machine options](images/add-machine-options.png) + ![Image of lab setup with device options](images/add-machine-options.png) >[!NOTE] - >If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new request. If the machine creation fails, it will not be counted against the overall allowed quota. + >If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota. -3. The connection details are displayed. Select **Copy** to save the password for the machine. +3. The connection details are displayed. Select **Copy** to save the password for the device. >[!NOTE] >The password is only displayed once. Be sure to save it for later use. - ![Image of machine added with connection details](images/add-machine-eval-lab.png) + ![Image of device added with connection details](images/add-machine-eval-lab.png) -4. Machine set up begins. This can take up to approximately 30 minutes. +4. Device set up begins. This can take up to approximately 30 minutes. -5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab. +5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab. - ![Image of machines tab](images/machines-tab.png) + ![Image of devices tab](images/machines-tab.png) >[!TIP] @@ -153,7 +153,7 @@ Automated investigation settings will be dependent on tenant settings. It will b ## Simulate attack scenarios -Use the test machines to run your own attack simulations by connecting to them. +Use the test devices to run your own attack simulations by connecting to them. You can simulate attack scenarios using: - The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials) 
@@ -166,11 +166,11 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" >[!NOTE] ->The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections. +>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections. -1. Connect to your machine and run an attack simulation by selecting **Connect**. +1. Connect to your device and run an attack simulation by selecting **Connect**. - ![Image of the connect button for test machines](images/test-machine-table.png) + ![Image of the connect button for test devices](images/test-machine-table.png) 2. Save the RDP file and launch it by selecting **Connect**. @@ -179,24 +179,24 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" >[!NOTE] >If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu: > ![Image of reset password](images/reset-password-test-machine.png)
- > The machine will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes. + > The device will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes. -3. Enter the password that was displayed during the machine creation step. +3. Enter the password that was displayed during the device creation step. ![Image of window to enter credentials](images/enter-password.png) -4. Run Do-it-yourself attack simulations on the machine. +4. Run Do-it-yourself attack simulations on the device. ### Threat simulator scenarios -If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines. +If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices. Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment. >[!NOTE] >Before you can run simulations, ensure the following requirements are met: ->- Machines must be added to the evaluation lab +>- Devices must be added to the evaluation lab >- Threat simulators must be installed in the evaluation lab 1. From the portal select **Create simulation**. @@ -221,8 +221,6 @@ Running threat simulations using third-party platforms is a good way to evaluate After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if the attack simulations you ran triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature. - - Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics. 
@@ -249,7 +247,7 @@ Each simulation comes with an in-depth description of the attack scenario and re ## Evaluation report -The lab reports summarize the results of the simulations conducted on the machines. +The lab reports summarize the results of the simulations conducted on the devices. ![Image of the evaluation report](images/eval-report.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index aa9e94343c..7f19406d2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -29,12 +29,12 @@ ms.date: 05/21/2018 -You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines. +You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. -For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps. +For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps. > [!NOTE] -> It can take several days for machines to begin reporting to the Microsoft Defender ATP service. +> It can take several days for devices to begin reporting to the Microsoft Defender ATP service. **Open Event Viewer and find the Microsoft Defender ATP service event log:** 
@@ -67,7 +67,7 @@ For example, if machines are not appearing in the **Machines list**, you might n 2 Microsoft Defender Advanced Threat Protection service shutdown. -Occurs when the machine is shut down or offboarded. +Occurs when the device is shut down or offboarded. Normal operating notification; no action required. @@ -93,17 +93,17 @@ The service could not contact the external processing servers at that URL. 6 Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. -The machine did not onboard correctly and will not be reporting to the portal. +The device did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 7 Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: variable. -Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal. +Variable = detailed error description. The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 8 @@ -111,28 +111,28 @@ See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 9 Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable. -During onboarding: The machine did not onboard correctly and will not be reporting to the portal.

During offboarding: Failed to change the service start type. The offboarding process continues. +During onboarding: The device did not onboard correctly and will not be reporting to the portal.

During offboarding: Failed to change the service start type. The offboarding process continues. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 10 Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable. -The machine did not onboard correctly and will not be reporting to the portal. +The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 11 Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed. -The machine onboarded correctly. +The device onboarded correctly. Normal operating notification; no action required.
-It may take several hours for the machine to appear in the portal. +It may take several hours for the device to appear in the portal. 12 @@ -142,7 +142,7 @@ It may take several hours for the machine to appear in the portal. 13 -Microsoft Defender Advanced Threat Protection machine ID calculated: variable. +Microsoft Defender Advanced Threat Protection device ID calculated: variable. Normal operating process. Normal operating notification; no action required. @@ -159,7 +159,7 @@ The service could not contact the external processing servers at that URL. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 18 @@ -183,25 +183,25 @@ If this error persists after a system restart, ensure all Windows updates have f 25 Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable. -The machine did not onboard correctly. +The device did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 26 Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: variable. -The machine did not onboard correctly.
+The device did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 27 Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Microsoft Defender Antivirus. Onboarding process failed. Failure code: variable. -Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. +Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines.
+See Onboard Windows 10 devices.
Ensure real-time antimalware protection is running properly. @@ -210,20 +210,20 @@ Ensure real-time antimalware protection is running properly. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 29 Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 This event occurs when the system can't read the offboarding parameters. -Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. +Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired. 30 Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Microsoft Defender Antivirus. Failure code: variable. -Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP. +Normally, Microsoft Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines
+See Onboard Windows 10 devices
Ensure real-time antimalware protection is running properly. @@ -236,14 +236,14 @@ Ensure real-time antimalware protection is running properly. 32 Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 An error occurred during offboarding. -Reboot the machine. +Reboot the device. 33 Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable. -A unique identifier is used to represent each machine that is reporting to the portal.
-If the identifier does not persist, the same machine might appear twice in the portal. -Check registry permissions on the machine to ensure the service can update the registry. +A unique identifier is used to represent each device that is reporting to the portal.
+If the identifier does not persist, the same device might appear twice in the portal. +Check registry permissions on the device to ensure the service can update the registry. 34 @@ -251,7 +251,7 @@ If the identifier does not persist, the same machine might appear twice in the p An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See Onboard Windows 10 machines. +See Onboard Windows 10 devices. 35 @@ -269,31 +269,31 @@ See [!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 4fa6891d4f..5fed8ccf11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -1,7 +1,7 @@ --- title: Get machines security states collection API -description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. -keywords: apis, graph api, supported apis, get, machine, security, state +description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. +keywords: apis, graph api, supported apis, get, device, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -23,7 +23,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Retrieves a collection of machines security states. +Retrieves a collection of devices security states. ## Permissions User needs read permissions. @@ -60,7 +60,7 @@ Content-type: application/json **Response** Here is an example of the response. -Field *id* contains machine id and equal to the field *id** in machines info. +Field *id* contains device id and equal to the field *id** in devices info. ``` HTTP/1.1 200 OK diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 86ce1c9e6a..3b41ca66ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -1,7 +1,7 @@ --- -title: Get missing KBs by machine ID -description: Retrieves missing KBs by machine Id -keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api +title: Get missing KBs by device ID +description: Retrieves missing KBs by device Id +keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get missing KBs by machine ID +# Get missing KBs by device ID **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Retrieves missing KBs by machine Id +Retrieves missing KBs by device Id ## HTTP request @@ -42,7 +42,7 @@ Empty ## Response -If successful, this method returns 200 OK, with the specified machine missing kb data in the body. +If successful, this method returns 200 OK, with the specified device missing kb data in the body. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index 986c832afc..3ecec47c0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -38,7 +38,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 449efaf986..9c2965fd9c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,7 +1,7 @@ --- -title: List machines by recommendation -description: Retrieves a list of machines associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api +title: List devices by recommendation +description: Retrieves a list of devices associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -16,13 +16,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# List machines by recommendation +# List devices by recommendation **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [!include[Prerelease information](../../includes/prerelease.md)] -Retrieves a list of machines associated with the security recommendation. +Retrieves a list of devices associated with the security recommendation. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. 
@@ -48,7 +48,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful, this method returns 200 OK with the list of machines associated with the security recommendation. +If successful, this method returns 200 OK with the list of devices associated with the security recommendation. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 61ca64ff6b..67e29e0532 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -1,7 +1,7 @@ --- title: Get security recommendations -description: Retrieves a collection of security recommendations related to a given machine ID. -keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api +description: Retrieves a collection of security recommendations related to a given device ID. +keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -22,7 +22,7 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] -Retrieves a collection of security recommendations related to a given machine ID. +Retrieves a collection of security recommendations related to a given device ID. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index c57fe74368..2276c784bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,6 +1,6 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by machine group. +description: Retrieves a list of exposure scores by device group. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index b2e2bce19f..0a052683b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index ec84fa1f38..e55f0b9188 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -1,6 +1,6 @@ --- title: Get user related machines API -description: Retrieves a collection of machines related to a given user ID. +description: Retrieves a collection of devices related to a given user ID. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article ## API description -Retrieves a collection of machines related to a given user ID. +Retrieves a collection of devices related to a given user ID. ## Limitations @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png b/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png new file mode 100644 index 0000000000..c0227b91bb Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/07e6d4119f265037e3b80a20a73b856f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png b/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png index 6ecfd587f2..53f124a119 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png and b/windows/security/threat-protection/microsoft-defender-atp/images/0a6536f2c4024c08709cac8fcf800060.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png b/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png index 03b88ba1b1..63daa18743 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png and b/windows/security/threat-protection/microsoft-defender-atp/images/0ccfe3e803be4b56c668b220b51da7f7.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png b/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png new file mode 100644 index 0000000000..cc772a98e5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/0f79cb37900b57c3e2bb0effad1c19cb.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png b/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png deleted file mode 100644 index f09c0502a5..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/13201b477bc9a9ae0020814915fe80cc.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png b/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png index a28b8fdac5..59aba9df64 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png and b/windows/security/threat-protection/microsoft-defender-atp/images/1566ad81bae3d714cc9e0d47575a8cbd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/190a979ec5b6a8f57c9067fe1304cda8.png b/windows/security/threat-protection/microsoft-defender-atp/images/190a979ec5b6a8f57c9067fe1304cda8.png new file mode 100644 index 0000000000..8be53e4024 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/190a979ec5b6a8f57c9067fe1304cda8.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1a62eac0222a9ba3c2fd62744bece76e.png b/windows/security/threat-protection/microsoft-defender-atp/images/1a62eac0222a9ba3c2fd62744bece76e.png new file mode 100644 index 0000000000..dd7923c7ef Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/1a62eac0222a9ba3c2fd62744bece76e.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png b/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png deleted file mode 100644 index dd1e768536..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/1b9f85316170cfe24b46330afa8517d5.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2020-06-16_10-39-32.png b/windows/security/threat-protection/microsoft-defender-atp/images/2020-06-16_10-39-32.png new file mode 100644 index 0000000000..6aa1fdbaa6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2020-06-16_10-39-32.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png b/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png new file mode 100644 index 0000000000..1c1d7284c9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/206b3d954f06cc58b3466fb7a0bd9f74.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/23c125534852dcef09b8e37c98e82148.png b/windows/security/threat-protection/microsoft-defender-atp/images/23c125534852dcef09b8e37c98e82148.png new file mode 100644 index 0000000000..694118d01b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/23c125534852dcef09b8e37c98e82148.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png b/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png index ccba2cefda..2452f7d952 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png and b/windows/security/threat-protection/microsoft-defender-atp/images/24bfb16ed561cbb468bd8ce51130ca9d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png b/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png deleted file mode 100644 index 79fb39ee6c..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/26efa2711bca78f6b6d73712f86b5bd9.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png b/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png index 52392e9097..d7f4a64bbc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png and b/windows/security/threat-protection/microsoft-defender-atp/images/33f08a38f2f4dd12a364f8eac95e8c6b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png b/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png new file mode 100644 index 0000000000..e08fb904df Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/34e6b9a0dae125d085c84593140180ed.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/363bf30f7d69a94db578e8af0ddd044b.png b/windows/security/threat-protection/microsoft-defender-atp/images/363bf30f7d69a94db578e8af0ddd044b.png new file mode 100644 index 0000000000..59b5e9aa52 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/363bf30f7d69a94db578e8af0ddd044b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png b/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png index a6947f5624..f64ed2739d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png and b/windows/security/threat-protection/microsoft-defender-atp/images/36c7c2ed737f2f4b54918a4f20791d4b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png b/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png index 786273e269..750f71b758 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png and b/windows/security/threat-protection/microsoft-defender-atp/images/3876ca687391bfc0ce215d221c683970.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png b/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png deleted file mode 100644 index 20f45112fc..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/3a01c7970ce3ec977a35883c0a01f0a2.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png b/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png index 85a0cce645..c119751ae3 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png and b/windows/security/threat-protection/microsoft-defender-atp/images/41b9a023bc96364062c2041a8f5c344e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png b/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png deleted file mode 100644 index 6aefd54b7b..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/4a37f3687e6ff53a593d3670b1dad3aa.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png new file mode 100644 index 0000000000..74de422642 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/513cf5d59eaaef5d2b5bc122715b5844.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png b/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png index 3222b68426..8ffda9a595 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png and b/windows/security/threat-protection/microsoft-defender-atp/images/5420a8790c550f39f189830775a6d4c9.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/579ff59f31f599414cedf63051628b2e.png b/windows/security/threat-protection/microsoft-defender-atp/images/579ff59f31f599414cedf63051628b2e.png new file mode 100644 index 0000000000..1513c96784 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/579ff59f31f599414cedf63051628b2e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png b/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png deleted file mode 100644 index c38fa668f8..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/653db482c7ccaf31d06f29fb2aa24b7a.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png b/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png index 6004368075..504ca47ae2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png and b/windows/security/threat-protection/microsoft-defender-atp/images/728c10ef26042bbdbcd270b6343f1a8a.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7cf9311ad676ec5142002a4d0c2323ca.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/7cf9311ad676ec5142002a4d0c2323ca.jpg new file mode 100644 index 0000000000..20ce87cb7f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7cf9311ad676ec5142002a4d0c2323ca.jpg differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png new file mode 100644 index 0000000000..9c2f6b242e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/86cbe56f88bb6e93e9c63303397fc24f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png b/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png index d44ef55ea4..debae31a4a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png and b/windows/security/threat-protection/microsoft-defender-atp/images/8999dd697e3b495c04eb911f8b68a1ef.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png b/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png new file mode 100644 index 0000000000..246439b6ea Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/900c0197aa59f9b7abd762ab2b32e80c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png b/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png index 04e48619f5..0c69ec5140 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png and b/windows/security/threat-protection/microsoft-defender-atp/images/91b738e4b97c4272fd6d438d8c2d5269.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9336bbd778cff5e666328bb3db7c76fd.png b/windows/security/threat-protection/microsoft-defender-atp/images/9336bbd778cff5e666328bb3db7c76fd.png new file mode 100644 index 0000000000..5626565ac5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9336bbd778cff5e666328bb3db7c76fd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png index 50aaff6186..d3288fc4f8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/945c9c5d66797037c3caeaa5c19f135c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png b/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png index 8e07f27524..f5ba41c8af 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png and b/windows/security/threat-protection/microsoft-defender-atp/images/95d23a07c2c8bc79176788f28cef7557.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png b/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png index a205159bcc..d4d14edc67 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png and b/windows/security/threat-protection/microsoft-defender-atp/images/9736e0358e86bc778ce1bd4c516adb8b.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9fc07ffc150171f169dc6e57fe6f1c74.png b/windows/security/threat-protection/microsoft-defender-atp/images/9fc07ffc150171f169dc6e57fe6f1c74.png new file mode 100644 index 0000000000..188da9eac3 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9fc07ffc150171f169dc6e57fe6f1c74.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png b/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png new file mode 100644 index 0000000000..fac1c0ebaf Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9fe378a1dce0f143005c3aa53d8c4f51.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png b/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png index ed201870fc..7bee906681 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png and b/windows/security/threat-protection/microsoft-defender-atp/images/a28afc02c1940d5220b233640364970c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png index c37385be18..8ad259fea4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png and b/windows/security/threat-protection/microsoft-defender-atp/images/a8b934dab2dbba289cf64fe30e0e8aa4.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-details.png index 6b872cc5a6..873305cd01 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png index a8f70701e2..c095678c15 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center-package-collection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png index 02ad4445e6..09fc82234d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png and b/windows/security/threat-protection/microsoft-defender-atp/images/action-center.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png index 849bacfa44..66bcfe0cb5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/active-alerts-tile.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png b/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png deleted file mode 100644 index 82dee6a0cc..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/adc17988b0984ca2aa3ff8f41ddacaf9.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-eval-lab.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-eval-lab.png index 2b5b014a6b..5a7df2e6ae 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-eval-lab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-eval-lab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-options.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-options.png index 1e9dc0b534..a3e557be70 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-options.png and b/windows/security/threat-protection/microsoft-defender-atp/images/add-machine-options.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png index 5483c98dd4..1718e4a802 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png and b/windows/security/threat-protection/microsoft-defender-atp/images/add-permission.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-air-and-alert-description.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-air-and-alert-description.png index f6545e9184..99f1a0eb73 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-air-and-alert-description.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-air-and-alert-description.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-details-resolved-true.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-details-resolved-true.png index 7cd8e4cdde..a53209c01a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-details-resolved-true.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-details-resolved-true.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-device-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-device-details.png index 6791b18a41..53d9c179d4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-device-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-device-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-false-suppression-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-false-suppression-rule.png index 435f9b9a5f..c745e92b81 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-false-suppression-rule.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-false-suppression-rule.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view.png index e925e50d7f..71f1a601a0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-landing-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png index 69836b943c..1dd6215077 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-notification.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alert-story-tree.png b/windows/security/threat-protection/microsoft-defender-atp/images/alert-story-tree.png index e7757be9b9..6893288201 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alert-story-tree.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alert-story-tree.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-device.png new file mode 100644 index 0000000000..0d355914d9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-machine.png deleted file mode 100644 index a68ccc6e70..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-machine.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-list.png index b62bd16313..9500bcd5df 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/alerts-queue-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png index 39c4236d7c..37cf6809de 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png and b/windows/security/threat-protection/microsoft-defender-atp/images/analysis-results-nothing.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-auto-grant.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-auto-grant.png new file mode 100644 index 0000000000..4c90c6afde Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/android-auto-grant.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app-config.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app-config.png new file mode 100644 index 0000000000..8d8cfc310c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app-config.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png new file mode 100644 index 0000000000..bc91973dc7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/android-create-app.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-mem.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-mem.png new file mode 100644 index 0000000000..0f158e3d5a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/android-mem.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png new file mode 100644 index 0000000000..aeedcfb63e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/android-review-create.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/android-select-group.png b/windows/security/threat-protection/microsoft-defender-atp/images/android-select-group.png new file mode 100644 index 0000000000..0ce478541a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/android-select-group.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png index 1f4f508c8c..6661cda775 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png and b/windows/security/threat-protection/microsoft-defender-atp/images/app-and-tenant-ids.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png index 3fc32f22db..f5bf0f1422 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png and b/windows/security/threat-protection/microsoft-defender-atp/images/application-permissions-public-client.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png index 2f027e9054..c454aa1ffe 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each-value.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png index 741770b06a..31979b5184 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png and b/windows/security/threat-protection/microsoft-defender-atp/images/apply-to-each.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png index 43394cf2aa..980cb3952a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-active-investigations-tile.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png index 1db12b6733..1c2acbcd61 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-actor-alert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png index 495ac3cb26..f2bccbbe69 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-advanced-hunting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png index f6ae75b2cd..6f5ae307a0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png index 3480437d09..7691c33b54 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alert-view.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png index 7423e63ab9..832c8d3035 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-related-to-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png index 3290ef44c9..6ed0c8bffb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-alerts-selected.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png index a80f24b421..5e77f6980d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-analyze-auto-ir.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-app-restriction.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-app-restriction.png index ae493ad999..5f2ccd9cde 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-app-restriction.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-app-restriction.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png index da9b66063b..7bc408e5c6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-auto-investigations-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-automated-investigations-statistics.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-automated-investigations-statistics.png index deefc7b684..3958b1671e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-automated-investigations-statistics.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-automated-investigations-statistics.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png index e04f757cff..2828e8bea9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-azure-new-app2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png index 65ecd31a2a..7f2224e722 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-custom-detection-rule-details.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-devices-reporting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-devices-reporting.png new file mode 100644 index 0000000000..bc0e7986ee Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-devices-reporting.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-machines-reporting.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-machines-reporting.png deleted file mode 100644 index 2d4b4fc334..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-daily-machines-reporting.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png index 9f868ac29e..0997e57035 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-data-not-available.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-device-health-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-device-health-details.png new file mode 100644 index 0000000000..e5057cba0f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-device-health-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-devices-list-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-devices-list-page.png new file mode 100644 index 0000000000..42f9330226 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-devices-list-page.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-devices-with-sensor-issues-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-devices-with-sensor-issues-tile.png new file mode 100644 index 0000000000..3194095cbc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-devices-with-sensor-issues-tile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png index 8e878d29a0..56614a5129 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-action.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason.png new file mode 100644 index 0000000000..2dbe185c16 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file-reason.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG deleted file mode 100644 index 06dcfc796c..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-download-file.PNG and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png index 56e2d7dcf0..712bfb50d9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-information.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG index 3bf537a3ea..7a9aebd2bd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-file-names.PNG differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png index b8117dc41d..d18b5d3f75 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png index c937e8fd04..37098592d8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-details.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-device-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-device-tab.png new file mode 100644 index 0000000000..b9e757a915 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-device-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png index ffb98eef37..a193aca139 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-evidence-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png index a952df593f..23760ac321 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png index 4a5462d01a..484b8df5b2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-graph-tab.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png index 62f5f70047..1f30dfb9aa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-investigations-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png deleted file mode 100644 index dc353f8c25..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-machine-tab.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png index 89bc5c8f90..9ff0d2563f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incident-queue.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png index f0dcb7626b..1f08635316 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-alerts-reason.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png index 5292a0a77f..8d89569ba2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-incidents-mgt-pane.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mac-install.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mac-install.png new file mode 100644 index 0000000000..8bf145d112 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mac-install.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png deleted file mode 100644 index d628c4780a..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-machine-health-details.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png index 3074e07daa..a7dbf03c78 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping5.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping6.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping6.png index 7c56b48153..177b09d6aa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping6.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-mapping6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-isolate.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-isolate.png index e81dd276a4..bac59f43f3 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-isolate.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-notification-isolate.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png index c835d12524..5dd82d45e0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-observed-machines.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png index 7dd1c6d0e6..e46e820fc0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux-2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png index 232b46993b..91c96bddc7 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-portal-onboarding-linux.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png index d053776856..df7c9bfed9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-preview-features.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png index a540d9947a..513f3c65c1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png index b8d078d435..eb4f048820 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-sec-ops-dashboard.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png index 1d1cbb4448..57e30708ab 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-server-offboarding-workspaceid.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-aip.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-aip.png index f66b75a274..d1f65327ba 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-aip.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-settings-aip.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png index eaf5e89d60..94d296d229 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-setup-permissions-wdatp-portal.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png index fddaf0076c..01f458b33e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping13.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping3.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping3.png index 4891cca8d7..a946ccab9b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping3.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping4.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping4.png index 7d984e8eb0..b30cdf7a48 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping4.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-siem-mapping4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png index 55730d43ee..762eec45f5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png index 85d190c821..33c3dfba1b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stop-quarantine.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png index 3cc33d038b..f30cbc96a9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-stopnquarantine-file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png index e5c1b21246..b4503af4cb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-tile-sensor-health.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png new file mode 100644 index 0000000000..89dfff1d11 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-user-details-view.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/atp-users-at-risk.png b/windows/security/threat-protection/microsoft-defender-atp/images/atp-users-at-risk.png index dc9414f4cf..46ef8c511d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/atp-users-at-risk.png and b/windows/security/threat-protection/microsoft-defender-atp/images/atp-users-at-risk.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png index f02cd3b7c4..97c9d9f6d3 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png and b/windows/security/threat-protection/microsoft-defender-atp/images/behavblockcontain-initialaccessalert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png index e9cb104a05..b60c18550e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png and b/windows/security/threat-protection/microsoft-defender-atp/images/blocked-behav-alert.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png index 615e107f78..ef6fac6c88 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png and b/windows/security/threat-protection/microsoft-defender-atp/images/build-flow.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png b/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png index d829f21d90..9e23c2e2d0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png and b/windows/security/threat-protection/microsoft-defender-atp/images/c039b2e05dba1ade6fb4512456380c9f.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png b/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png new file mode 100644 index 0000000000..6e16d764c8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c2e647fc8fa31c4f2349c76f2497bc0e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png index 94c9207f1e..b383104544 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7daeb392ad5a36f2d3a15d650f1e96.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/collect-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/collect-package.png index a230dfb6ea..5a9b93a704 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/collect-package.png and b/windows/security/threat-protection/microsoft-defender-atp/images/collect-package.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png index 25b0fe742a..5a8376e5ac 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png and b/windows/security/threat-protection/microsoft-defender-atp/images/condition3.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png index 714a61e399..b3c1051195 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/conditions-2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-config-settings.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-config-settings.png new file mode 100644 index 0000000000..0d150e04de Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-config-settings.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png index fe2925eca1..705f7d6f12 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-confirm.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png index 7e23f6385d..dd7c57c541 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-device-collection.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png index 92acd79c2f..fb6fadf6c6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-create-policy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png index 42c18d2b1c..e4236a489d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-criteria.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-deploy.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-deploy.png new file mode 100644 index 0000000000..6c8b63c1f6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-deploy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png index fd3d91a008..49ddfb752c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-device-collections.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png index cac48b7605..0787c53c9b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-direct-membership.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png index 37fa96777b..6aacd44a0e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-limiting-collection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png index 22b6b6419e..c842a6af45 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-membership-rules.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png index d1987ab4cb..87066f6a54 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-policy-name.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png index ecef165279..d4df9726d8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-query-rule.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-select-collection.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-select-collection.png new file mode 100644 index 0000000000..a4567e0c88 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-select-collection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png index 6712c06845..0079e3ada2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-simple-value.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-telemetry.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-telemetry.png new file mode 100644 index 0000000000..1980f10edc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-telemetry.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-verify-configuration.png b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-verify-configuration.png new file mode 100644 index 0000000000..f48adab441 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/configmgr-verify-configuration.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png b/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png index f3fabfe3ba..0153eccb1a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png and b/windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png b/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png index 51953de984..b928059c0f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png and b/windows/security/threat-protection/microsoft-defender-atp/images/d18e40c9e60aecf1f9a93065cb7567bd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png index 13d572f10f..b47b6fc09b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png and b/windows/security/threat-protection/microsoft-defender-atp/images/data-operations.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-column.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-column.png index d979d3e367..4603159344 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-column.png and b/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-column.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-filter.png index c751747d7d..6446bad985 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-filter.png and b/windows/security/threat-protection/microsoft-defender-atp/images/data-sensitivity-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-list.png new file mode 100644 index 0000000000..b73be00163 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-list.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/device-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/device-reports.png new file mode 100644 index 0000000000..81c4d4305e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/device-reports.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/devices-at-risk-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/devices-at-risk-tile.png new file mode 100644 index 0000000000..590f05763c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/devices-at-risk-tile.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/discovered-vulnerabilities-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/discovered-vulnerabilities-device.png new file mode 100644 index 0000000000..b845b86af0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/discovered-vulnerabilities-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/discovered-vulnerabilities-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/discovered-vulnerabilities-machine.png deleted file mode 100644 index 989f6884b1..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/discovered-vulnerabilities-machine.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e78d36e06495c2f70eb14230de6f7429.png b/windows/security/threat-protection/microsoft-defender-atp/images/e78d36e06495c2f70eb14230de6f7429.png new file mode 100644 index 0000000000..248870076b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e78d36e06495c2f70eb14230de6f7429.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png new file mode 100644 index 0000000000..5fd6b06a58 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ea06643280075f16265a596fb9a96042.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eba67e1a3adfec2c77c35a34cb030fba.png b/windows/security/threat-protection/microsoft-defender-atp/images/eba67e1a3adfec2c77c35a34cb030fba.png new file mode 100644 index 0000000000..4424fc7c2f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/eba67e1a3adfec2c77c35a34cb030fba.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/enable_siem.png b/windows/security/threat-protection/microsoft-defender-atp/images/enable_siem.png index ac8a62b883..de64e8f3df 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/enable_siem.png and b/windows/security/threat-protection/microsoft-defender-atp/images/enable_siem.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/enter-password.png b/windows/security/threat-protection/microsoft-defender-atp/images/enter-password.png index 40f7d094e8..c5634b3207 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/enter-password.png and b/windows/security/threat-protection/microsoft-defender-atp/images/enter-password.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png b/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png index 270a3502c5..d5b22d6dee 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png and b/windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/eval-report.png b/windows/security/threat-protection/microsoft-defender-atp/images/eval-report.png index b9d1d0dd29..c723c30390 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/eval-report.png and b/windows/security/threat-protection/microsoft-defender-atp/images/eval-report.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png index 2977a16c2d..125debb6ab 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png and b/windows/security/threat-protection/microsoft-defender-atp/images/evaluation-lab-setup.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png index 05ac6c4637..a71d38b0df 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/event-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png b/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png index b900487c3e..6866f6602f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png and b/windows/security/threat-protection/microsoft-defender-atp/images/f5508317cd8c7870627cb4726acd5f3d.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png b/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png index 37a9e5ac2e..e932c2e3ac 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png and b/windows/security/threat-protection/microsoft-defender-atp/images/f91f406e6e0aae197a947d3b0e8b2d0d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png new file mode 100644 index 0000000000..d1f02b93a7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fa4ac18a6333335db3775630b8e6b353.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png b/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png new file mode 100644 index 0000000000..2045d1c748 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ffecfdda1c4df14148f1526c22cc0236.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png index 3d274ebf9f..1440b67d05 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png and b/windows/security/threat-protection/microsoft-defender-atp/images/flow-apply.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png index 68eb6483c1..2beb8a83cb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/http-conditions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/incident-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/incident-page.png index f29e8dff64..1cc6566da8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/incident-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/incident-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png index c477df78f0..d2f7d26866 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png and b/windows/security/threat-protection/microsoft-defender-atp/images/install-agent.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/investigate-devices-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/investigate-devices-tab.png new file mode 100644 index 0000000000..5ca970430e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/investigate-devices-tab.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/investigate-machines-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/investigate-machines-tab.png deleted file mode 100644 index 5c0d13944e..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/investigate-machines-tab.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-device.png new file mode 100644 index 0000000000..fff8893ec3 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png deleted file mode 100644 index 09b816dd70..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/isolate-machine.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png index 316e3e0700..652c44625e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-creation-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png index 68c1dcf142..1c456319fc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png and b/windows/security/threat-protection/microsoft-defender-atp/images/lab-setup-summary.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/logged-on-users.png b/windows/security/threat-protection/microsoft-defender-atp/images/logged-on-users.png index c3f6572fd5..fd9af30b1d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/logged-on-users.png and b/windows/security/threat-protection/microsoft-defender-atp/images/logged-on-users.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png index 598ea2fd78..730757651c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png and b/windows/security/threat-protection/microsoft-defender-atp/images/machine-info-datatype-example.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-list.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-list.png deleted file mode 100644 index 7dbfddc46f..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-list.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png deleted file mode 100644 index 44bf616eb0..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-reports.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machine-timeline-labels.png b/windows/security/threat-protection/microsoft-defender-atp/images/machine-timeline-labels.png index 0e5fd8cf8f..ee53299707 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machine-timeline-labels.png and b/windows/security/threat-protection/microsoft-defender-atp/images/machine-timeline-labels.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk-tile.png deleted file mode 100644 index 04480e2b04..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machines-at-risk-tile.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png index 4275f94ded..3647054207 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/machines-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png index 9fc89ec6de..2099c997e5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png and b/windows/security/threat-protection/microsoft-defender-atp/images/manage-tags.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png index 26eed612da..dbdb4f4df6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-apis.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png index 790f6b8e57..cb257a987c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-deployment-strategy.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png index 6118910639..510a451f5c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png index 9a84e73ad0..46df7172d5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png index a08711f23f..c1a171876c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-portal-overview.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/missing-kbs-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/missing-kbs-device.png new file mode 100644 index 0000000000..8cd70da4dd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/missing-kbs-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png index 3f40a773d0..3753f1cc45 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png and b/windows/security/threat-protection/microsoft-defender-atp/images/more-manage-tags.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png index 2c04ad2fc8..938e38ecc2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-applicationconfirmation.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png index a7096ee4aa..edb2612007 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-apply.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png index 862c5ffbd7..9a1123e6ee 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-collaboratewithmte.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png index 895a4973e6..8088e53c33 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-alerts.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png index aecffb5789..a74c98f09c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-fullsubscription.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png index 5d227c08c3..a7a3432a64 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod-machines.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png index 2bd08bd9fa..7a50de412d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mte-eod.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png index 03c10910cb..f3a6a38382 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/nativeapp-create2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png index 7d64c71ac8..b7aedcaad2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-flow.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png b/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png index 952183b048..6323e3b5da 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png and b/windows/security/threat-protection/microsoft-defender-atp/images/new-tags.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboarding_package_1.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding_package_1.png new file mode 100644 index 0000000000..1053c9a0f1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding_package_1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/overview-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/overview-device.png new file mode 100644 index 0000000000..a05af05652 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/overview-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png index 2c6069ab3d..e078073243 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json-schema.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png index 6931f21e5a..e6f0ed9b71 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png and b/windows/security/threat-protection/microsoft-defender-atp/images/parse-json.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png index 43a41fbd3b..b96ea27eea 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png and b/windows/security/threat-protection/microsoft-defender-atp/images/recurrence-add.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png index fe88265080..111080014e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png and b/windows/security/threat-protection/microsoft-defender-atp/images/remediation_flyouteolsw.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/remote-connection.png b/windows/security/threat-protection/microsoft-defender-atp/images/remote-connection.png index bc85a983d0..ad4b4083b6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/remote-connection.png and b/windows/security/threat-protection/microsoft-defender-atp/images/remote-connection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png index 12f0d72fac..c53ecb65a2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png and b/windows/security/threat-protection/microsoft-defender-atp/images/report-inaccuracy500.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/reset-password-test-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/reset-password-test-machine.png index b2842092e8..44c67b2ac1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/reset-password-test-machine.png and b/windows/security/threat-protection/microsoft-defender-atp/images/reset-password-test-machine.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png b/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png index 29dbc99425..fae226b48b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/response-actions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/restrict-app-execution.png b/windows/security/threat-protection/microsoft-defender-atp/images/restrict-app-execution.png index 4c75a8afb6..ac6458158e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/restrict-app-execution.png and b/windows/security/threat-protection/microsoft-defender-atp/images/restrict-app-execution.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/risk-level-small.png b/windows/security/threat-protection/microsoft-defender-atp/images/risk-level-small.png index 9c62fa26c5..898b06a9bc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/risk-level-small.png and b/windows/security/threat-protection/microsoft-defender-atp/images/risk-level-small.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png index 67f0679c18..3949bef631 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png and b/windows/security/threat-protection/microsoft-defender-atp/images/rules-indicators.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png index 39895c6e01..acc46f875e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png and b/windows/security/threat-protection/microsoft-defender-atp/images/run-antivirus.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png index dbf9cf07fa..64909a2553 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_card.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png index 65d9ad6967..7298ac837c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_asr_m365exlusions.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png index c88ea0f49c..d159774b1a 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_card.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png index 78c605fd6d..db9ad04fe9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png index bcfd6506d9..77b75d6cb9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png index 0e1f7069f5..46b018e931 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile3.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png index 93111cb58b..9e0116fa78 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png index c40ac907c4..bd0f4fe695 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_intune_permissions.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png index 551526ae72..d6299bb193 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_main.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png index 1f46df00ee..bbf5902484 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_1deviceconfprofile.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png index 331ad032a6..c7f3680435 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_onboarding_card.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png b/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png index ca51512b09..b41ddf1119 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secrec-flyouteolsw.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/security-assessments.png b/windows/security/threat-protection/microsoft-defender-atp/images/security-assessments.png index 04d199c31f..d5454b6c59 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/security-assessments.png and b/windows/security/threat-protection/microsoft-defender-atp/images/security-assessments.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/security-center-attack-surface-mgnt-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/security-center-attack-surface-mgnt-tile.png new file mode 100644 index 0000000000..df45fc2e25 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/security-center-attack-surface-mgnt-tile.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/security-center-left-menu.png b/windows/security/threat-protection/microsoft-defender-atp/images/security-center-left-menu.png new file mode 100644 index 0000000000..332c553f5e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/security-center-left-menu.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/security-recommendations-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/security-recommendations-device.png new file mode 100644 index 0000000000..5f4e73734e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/security-recommendations-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/security-recommendations-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/security-recommendations-machine.png deleted file mode 100644 index d2cdbe97eb..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/security-recommendations-machine.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png index e98bc4b89e..32e6e233c8 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png and b/windows/security/threat-protection/microsoft-defender-atp/images/select-simulator.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png index f4f0bca971..9610d05400 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png and b/windows/security/threat-protection/microsoft-defender-atp/images/send-email.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png index f7d6472ba7..8c57d74dc7 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/send-us-feedback-eval-lab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png index 1b5f4378e8..a7c7bbf689 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png index ed1c3f4f2c..5b723108a6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/setup-preferences2.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png index ef062f0c8e..21d6470625 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/siem_details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png index 9eeb6d31cd..36f37b5b9d 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-aiq.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png index 706bd97b0c..8323b31ed9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png and b/windows/security/threat-protection/microsoft-defender-atp/images/simulation-details-sb.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png index 4e84bc76f1..0e41d8616f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-catalog.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png index 437ee70e30..360c3c6d32 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png and b/windows/security/threat-protection/microsoft-defender-atp/images/simulations-tab.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png index b3893cd5ec..d440aa03b5 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png and b/windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-device.png new file mode 100644 index 0000000000..85fd8cf8c4 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-machine.png deleted file mode 100644 index e845f93cf3..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/software-inventory-machine.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png index e7fdf586b6..0fcea8aa93 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png and b/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/specific-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/specific-device.png new file mode 100644 index 0000000000..c468b24077 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/specific-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/specific-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/specific-machine.png deleted file mode 100644 index 0ad322d1e2..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/specific-machine.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/status-tile.png b/windows/security/threat-protection/microsoft-defender-atp/images/status-tile.png index bdc4ec022d..82ed094838 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/status-tile.png and b/windows/security/threat-protection/microsoft-defender-atp/images/status-tile.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png index fea2bf16f9..55aac61238 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/submit-file.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png index 11d2edcf3e..1a142cd7ac 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/ta_dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/test-machine-table.png b/windows/security/threat-protection/microsoft-defender-atp/images/test-machine-table.png index 2ff6a038af..2d6e428cd2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/test-machine-table.png and b/windows/security/threat-protection/microsoft-defender-atp/images/test-machine-table.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/timeline-device.png b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-device.png new file mode 100644 index 0000000000..53da23ea09 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-device.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/timeline-machine.png b/windows/security/threat-protection/microsoft-defender-atp/images/timeline-machine.png deleted file mode 100644 index 146dca1470..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/timeline-machine.png and /dev/null differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png index ea977eacef..38f6a27394 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png and b/windows/security/threat-protection/microsoft-defender-atp/images/top-security-recommendations350.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png index 6407cd8f57..936d8afbfc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-breach-insights.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png index 4659dcc51f..fffe4d852b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png index df675109cc..391d03a644 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png index 7d80bca932..1dfcdec04e 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png index 3f8ead879c..0d1b944bfc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png index 6cafba6c3d..2b6dec67d4 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-filters.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png index 072835588a..652966f8eb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-impact.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png index 98d59f5c07..15d64d5abd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exception-option.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png index c7c9c0b861..85d7057ec6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-remediation-activities-card.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png index 48af27eb1f..72972dd212 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-evidence.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png index 5a7ce86cbd..322baf01fd 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory-flyout500.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png index d8b73ba265..e42ff5b807 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-page-example.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png index 2f9717883f..ab3449f829 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-threat-insights.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png index d78ed19c8d..9a44f90df6 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png index dc677108ac..363840369c 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png index 580b189700..cf130d3aac 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_dashboard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png index 301fdf1d11..30fbca437f 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_exp_score.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png index 864dff2f13..692ee407eb 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_machinetoinvestigate.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_remediation_task_created.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_remediation_task_created.png index 49850a80e1..304eb17f0b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_remediation_task_created.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_remediation_task_created.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_save_csv_file.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_save_csv_file.png index fb099b05f2..51269a5395 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_save_csv_file.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_save_csv_file.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png index ee0608e4b0..7b3ce166b2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm_security_controls.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png index 80dbf3635b..15c016946b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png and b/windows/security/threat-protection/microsoft-defender-atp/images/tvmsecrec-updated.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png b/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png index 731fa3bcf4..7ca85921dc 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png and b/windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png index d01215dee9..39ff19f202 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-by-category600.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png index d9fc4ed73a..c8479d6da2 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png and b/windows/security/threat-protection/microsoft-defender-atp/images/web-activity-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png index c6c86c4c3b..35ecd7e3f3 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png and b/windows/security/threat-protection/microsoft-defender-atp/images/web-content-filtering-summary.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png index bba1d35a38..3251889dd0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection-report-details.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png index 7b47ead343..88b668828b 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png and b/windows/security/threat-protection/microsoft-defender-atp/images/web-protection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png index 98886ae426..d6373f6066 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png and b/windows/security/threat-protection/microsoft-defender-atp/images/welcome1.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png b/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png index 72a97b7f26..1824190e34 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png and b/windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-browser-blocking-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-browser-blocking-page.png index d23566de8b..6bee00bd23 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-browser-blocking-page.png and b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-browser-blocking-page.png differ 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png index dd601b87bf..50c91d59d1 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png and b/windows/security/threat-protection/microsoft-defender-atp/images/wtp-website-details.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index 95806be4e6..f5439add6d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -27,7 +27,7 @@ Exploit protection applies helps protect devices from malware that use exploits Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/help/2458544/) are now included in exploit protection. -You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. +You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple devices on your network so they all have the same set of mitigation settings. You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML. 
@@ -39,7 +39,7 @@ The [Evaluation Package](https://demo.wd.microsoft.com/Page/EP) contains a sampl Before you export a configuration file, you need to ensure you have the correct settings. -You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations. +You should first configure exploit protection on a single, dedicated device. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations. When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell. @@ -77,7 +77,7 @@ When you have configured exploit protection to your desired state (including bot **Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** > [!IMPORTANT] -> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. +> When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. ## Import a configuration file 
@@ -136,14 +136,14 @@ You can only do this conversion in PowerShell. ## Manage or deploy a configuration -You can use Group Policy to deploy the configuration you've created to multiple machines in your network. +You can use Group Policy to deploy the configuration you've created to multiple devices in your network. > [!IMPORTANT] -> When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. +> When you deploy the configuration using Group Policy, all devices that will use the configuration must be able to access the configuration XML file. Ensure you place the file in a shared location. ### Use Group Policy to distribute the configuration -1. On your Group Policy management machine, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management device, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/desktop/gpmc/group-policy-management-console-portal), right-click the Group Policy Object you want to configure and click **Edit**. 2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md index 6f16b9a43a..b3c0ba3d56 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md 
@@ -24,7 +24,7 @@ ms.topic: article A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected. -Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve machines with sensitive information such as confidential information. +Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information. ## Investigate incidents that involve sensitive data Learn how to use data sensitivity labels to prioritize incident investigation. @@ -34,7 +34,7 @@ Learn how to use data sensitivity labels to prioritize incident investigation. 1. In Microsoft Defender Security Center, select **Incidents**. -2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on machines related to the incidents providing an indication of whether sensitive files may be impacted by the incident. +2. Scroll to the right to see the **Data sensitivity** column. This column reflects sensitivity labels that have been observed on devices related to the incidents providing an indication of whether sensitive files may be impacted by the incident. ![Image of data sensitivity column](images/data-sensitivity-column.png) 
@@ -46,16 +46,16 @@ Learn how to use data sensitivity labels to prioritize incident investigation. ![Image of incident page details](images/incident-page.png) -4. Select the **Machines** tab to identify machines storing files with sensitivity labels. +4. Select the **Devices** tab to identify devices storing files with sensitivity labels. - ![Image of machine tab](images/investigate-machines-tab.png) + ![Image of device tab](images/investigate-devices-tab.png) -5. Select the machines that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected. +5. Select the devices that store sensitive data and search through the timeline to identify which files may be impacted then take appropriate action to ensure that data is protected. - You can narrow down the events shown on the machine timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name. + You can narrow down the events shown on the device timeline by searching for data sensitivity labels. Doing this will show only events associated with files that have said label name. - ![Image of machine timeline with narrowed down search results based on label](images/machine-timeline-labels.png) + ![Image of device timeline with narrowed down search results based on label](images/machine-timeline-labels.png) >[!TIP] diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index 3e95295b96..e8685bb77b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md 
@@ -1,6 +1,6 @@ --- title: Start Investigation API -description: Use this API to start investigation on a machine. +description: Use this API to start investigation on a device. keywords: apis, graph api, supported apis, investigation search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article ## API description -Start automated investigation on a machine. +Start automated investigation on a device.
See [Overview of automated investigations](automated-investigations.md) for more information. @@ -43,7 +43,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index 297de5d17d..f4d0a71105 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -1,7 +1,7 @@ --- title: Investigate Microsoft Defender Advanced Threat Protection alerts description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them. -keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP +keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -40,13 +40,13 @@ You'll also see a status of the automated investigation on the upper right corne ![Image of the alert page](images/atp-alert-view.png) -The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the machine or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. +The alert context tile shows the where, who, and when context of the alert. As with other pages, you can click on the icon beside the name or user account to bring up the device or user details pane. The alert details view also has a status tile that shows the status of the alert in the queue. You'll also see a description and a set of recommended actions which you can expand. For more information about managing alerts, see [Manage alerts](manage-alerts.md). The alert details page also shows the alert process tree, an incident graph, and an artifact timeline. -You can click on the machine link from the alert view to navigate to the machine. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Machine timeline**. If the alert appeared more than once on the machine, the latest occurrence will be displayed in the **Machine timeline**. +You can click on the device link from the alert view to navigate to the device. The alert will be highlighted automatically, and the timeline will display the appearance of the alert and its evidence in the **Device timeline**. If the alert appeared more than once on the device, the latest occurrence will be displayed in the **Device timeline**. Alerts attributed to an adversary or actor display a colored tile with the actor's name. 
@@ -78,7 +78,7 @@ The alert details pane helps you take a deeper look at the details about the ale ## Incident graph -The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other machines. It provides a graphical mapping from the original machine and evidence expanding to show other machines in the organization where the triggering evidence was also observed. +The **Incident Graph** provides a visual representation of the organizational footprint of the alert and its evidence: where the evidence that triggered the alert was observed on other devices. It provides a graphical mapping from the original device and evidence expanding to show other devices in the organization where the triggering evidence was also observed. ![Image of the Incident graph](images/atp-incident-graph.png) 
@@ -86,10 +86,10 @@ The **Incident Graph** supports expansion by File, Process, command line, or Des The **Incident Graph** expansion by destination IP Address, shows the organizational footprint of communications with this IP Address without having to change context by navigating to the IP Address page. -You can click the full circles on the incident graph to expand the nodes and view the expansion to other machines where the matching criteria were observed. +You can click the full circles on the incident graph to expand the nodes and view the expansion to other devices where the matching criteria were observed. ## Artifact timeline -The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the machine, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the machine. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the machine earlier - without triggering an alert. +The **Artifact timeline** feature provides an additional view of the evidence that triggered the alert on the device, and shows the date and time the evidence triggering the alert was observed, as well as the first time it was observed on the device. This can help in understanding if the evidence was first observed at the time of the alert, or whether it was observed on the device earlier - without triggering an alert. ![Image of artifact timeline](images/atp-alert-timeline.png) 
@@ -99,7 +99,7 @@ Selecting an alert detail brings up the **Details pane** where you'll be able to - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 0ef1449bfa..4bace3c6df 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md 
@@ -32,7 +32,7 @@ The proxy acts as if it was the target endpoint. In these cases, simple network Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names. ## Use network protection to monitor network connection behind a firewall -Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode). +Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode). Network protection can be controlled using the following modes: @@ -47,9 +47,9 @@ If you do not configure it, network blocking will be turned off by default. For more information, see [Enable network protection](enable-network-protection.md). ## Investigation impact -When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up. +When network protection is turned on, you'll see that on a device's timeline the IP address will keep representing the proxy, while the real target address shows up. -![Image of network events on machine's timeline](images/atp-proxy-investigation.png) +![Image of network events on device's timeline](images/atp-proxy-investigation.png) Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy. diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 5b10ecbcd6..3ab170260a 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -1,7 +1,7 @@ --- title: Investigate Microsoft Defender Advanced Threat Protection domains -description: Use the investigation options to see if machines and servers have been communicating with malicious domains. -keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL +description: Use the investigation options to see if devices and servers have been communicating with malicious domains. +keywords: investigate domain, domain, malicious domain, microsoft defender atp, alert, URL search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -28,16 +28,16 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) -Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. +Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain. -You can investigate a domain by using the search feature or by clicking on a domain link from the **Machine timeline**. +You can investigate a domain by using the search feature or by clicking on a domain link from the **Device timeline**. You can see information from the following sections in the URL view: - URL details, Contacts, Nameservers - Alerts related to this URL - URL in organization -- Most recent observed machines with URL +- Most recent observed devices with URL ## URL worldwide 
@@ -61,7 +61,7 @@ The Alerts tab can be adjusted to show more or less information, by selecting ** ## Observed in organization -The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, machine, and a brief description of what happened. +The **Observed in organization** tab provides a chronological view on the events and associated alerts that were observed on the URL. This tab includes a timeline and a customizable table listing event details, such as the time, device, and a brief description of what happened. You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline. 
@@ -69,15 +69,15 @@ You can view events from different periods of time by entering the dates into th 1. Select **URL** from the **Search bar** drop-down menu. 2. Enter the URL in the **Search** field. -3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from machines in the organization. -4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the URL, the file associated with the communication and the last date observed. -5. Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. +3. Click the search icon or press **Enter**. Details about the URL are displayed. Note: search results will only be returned for URLs observed in communications from devices in the organization. +4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed. +5. Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events. 
## Related topics - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index ba6d70f4b3..ee59109437 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md 
@@ -30,7 +30,7 @@ ms.date: 04/24/2018 Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. -There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Machine timeline**. +There are many ways to access the detailed profile page of a specific file. For example, you can use the search feature, click on a link from the **Alert process tree**, **Incident graph**, **Artifact timeline**, or select an event listed in the **Device timeline**. Once on the detailed profile page, you can switch between the new and old page layouts by toggling **new File page**. The rest of this article describes the newer page layout. @@ -67,7 +67,7 @@ You'll see details such as the file’s MD5, the Virus Total detection ratio, an ## Alerts -The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the machine group, if any, the affected machine belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers. +The **Alerts** tab provides a list of alerts that are associated with the file. This list covers much of the same information as the Alerts queue, except for the device group, if any, the affected device belongs to. You can choose what kind of information is shown by selecting **Customize columns** from the toolbar above the column headers. ![Image of alerts related to the file section](images/atp-alerts-related-to-file.png) 
@@ -76,9 +76,9 @@ The **Alerts** tab provides a list of alerts that are associated with the file. The **Observed in organization** tab allows you to specify a date range to see which devices have been observed with the file. >[!NOTE] ->This tab will show a maximum number of 100 machines. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers. +>This tab will show a maximum number of 100 devices. To see _all_ devices with the file, export the tab to a CSV file, by selecting **Export** from the action menu above the tab's column headers. -![Image of most recent observed machine with the file](images/atp-observed-machines.png) +![Image of most recent observed device with the file](images/atp-observed-machines.png) Use the slider or the range selector to quickly specify a time period that you want to check for events involving the file. You can specify a time window as small as a single day. This will allow you to see only files that communicated with that IP Address at that time, drastically reducing unnecessary scrolling and searching. 
@@ -92,14 +92,14 @@ The **Deep analysis** tab allows you to [submit the file for deep analysis](resp The **File names** tab lists all names the file has been observed to use, within your organizations. -![Image of file names tab](images/atp-file-names.PNG) +![Image of file names tab](images/atp-file-names.png) ## Related topics - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 664d337477..1bdc888c78 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -1,7 +1,7 @@ --- title: Investigate incidents in Microsoft Defender ATP description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident -keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation +keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -28,13 +28,13 @@ Investigate incidents that affect your network, understand what they mean, and c When you investigate an incident, you'll see: - Incident details - Incident comments and actions -- Tabs (alerts, machines, investigations, evidence, graph) +- Tabs (alerts, devices, investigations, evidence, graph) > [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUV] ## Analyze incident details -Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). +Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, devices, investigations, evidence, graph). ![Image of incident details](images/atp-incident-details.png) @@ -44,7 +44,7 @@ Alerts are grouped into incidents based on the following reasons: - Automated investigation - The automated investigation triggered the linked alert while investigating the original alert - File characteristics - The files associated with the alert have similar characteristics - Manual association - A user manually linked the alerts -- Proximate time - The alerts were triggered on the same machine within a certain timeframe +- Proximate time - The alerts were triggered on the same device within a certain timeframe - Same file - The files associated with the alert are exactly the same - Same URL - The URL that triggered the alert is exactly the same 
@@ -52,10 +52,10 @@ Alerts are grouped into incidents based on the following reasons: You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts.md). -### Machines -You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines.md). +### Devices +You can also investigate the devices that are part of, or related to, a given incident. For more information, see [Investigate devices](investigate-machines.md). -![Image of machines tab in incident details page](images/atp-incident-machine-tab.png) +![Image of devices tab in incident details page](images/atp-incident-device-tab.png) ### Investigations Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts. @@ -72,7 +72,7 @@ Each of the analyzed entities will be marked as infected, remediated, or suspici Microsoft Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph -The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc. +The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc. ![Image of the incident graph](images/atp-incident-graph-tab.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index fd55917f2d..81a124863d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -1,7 +1,7 @@ --- title: Investigate an IP address associated with an alert -description: Use the investigation options to examine possible communication between machines and external IP addresses. -keywords: investigate, investigation, IP address, alert, windows defender atp, external IP +description: Use the investigation options to examine possible communication between devices and external IP addresses. +keywords: investigate, investigation, IP address, alert, microsoft defender atp, external IP search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,9 +26,9 @@ ms.date: 04/24/2018 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) -Examine possible communication between your machines and external internet protocol (IP) addresses. +Examine possible communication between your devices and external internet protocol (IP) addresses. -Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines. +Identifying all devices in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected devices. You can find information from the following sections in the IP address view: 
@@ -52,11 +52,11 @@ The **IP in organization** section provides details on the prevalence of the IP ## Prevalence -The **Prevalence** section displays how many machines have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days. +The **Prevalence** section displays how many devices have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days. -## Most recent observed machines with IP +## Most recent observed devices with IP -The **Most recent observed machines** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address. +The **Most recent observed devices** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address. **Investigate an external IP:** 
@@ -64,14 +64,14 @@ The **Most recent observed machines** with IP section provides a chronological v 2. Enter the IP address in the **Search** field. 3. Click the search icon or press **Enter**. -Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address. +Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of devices in the organization that communicated with this IP Address (during selectable time period), and the devices in the organization that were observed communicating with this IP address. > [!NOTE] -> Search results will only be returned for IP addresses observed in communication with machines in the organization. +> Search results will only be returned for IP addresses observed in communication with devices in the organization. -Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed. +Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the IP address, the file associated with the communication and the last date observed. -Clicking any of the machine names will take you to that machine's view, where you can continue investigate reported alerts, behaviors, and events. +Clicking any of the device names will take you to that device's view, where you can continue investigate reported alerts, behaviors, and events. ## Related topics 
@@ -79,6 +79,6 @@ Clicking any of the machine names will take you to that machine's view, where yo - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 301ad65ba0..5fd56526b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md 
@@ -1,7 +1,7 @@ --- -title: Investigate machines in the Microsoft Defender ATP Machines list -description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health. -keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health +title: Investigate devices in the Microsoft Defender ATP Devices list +description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health. +keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Investigate machines in the Microsoft Defender ATP Machines list +# Investigate devices in the Microsoft Defender ATP Devices list **Applies to:** 
@@ -25,55 +25,142 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) -Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach. +Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach. -You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: +You can click on affected devices whenever you see them in the portal to open a detailed report about that device. Affected devices are identified in the following areas: -- [Machines list](investigate-machines.md) +- [Devices list](investigate-machines.md) - [Alerts queue](alerts-queue.md) - [Security operations dashboard](security-operations-dashboard.md) - Any individual alert - Any individual file details view - Any IP address or domain details view -When you investigate a specific machine, you'll see: +When you investigate a specific device, you'll see: -- Machine details +- Device details - Response actions +- Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs) - Cards (active alerts, logged on users, security assessment) -- Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities) -![Image of machine view](images/specific-machine.png) +![Image of device view](images/specific-device.png) -## Machine details +## Device details -The machine details section provides information such as the domain, OS, and health state of the machine. 
If there's an investigation package available on the machine, you'll see a link that allows you to download the package. +The device details section provides information such as the domain, OS, and health state of the device. If there's an investigation package available on the device, you'll see a link that allows you to download the package. ## Response actions -Response actions run along the top of a specific machine page and include: +Response actions run along the top of a specific device page and include: - Manage tags -- Initiate automated investigation -- Initiate Live Response Session -- Collect investigation package -- Run antivirus scan +- Isolate device - Restrict app execution -- Isolate machine +- Run antivirus scan +- Collect investigation package +- Initiate Live Response Session +- Initiate automated investigation - Consult a threat expert - Action center -You can take response actions in the Action center, in a specific machine page, or in a specific file page. +You can take response actions in the Action center, in a specific device page, or in a specific file page. -For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts.md). +For more information on how to take action on a device, see [Take response action on a device](respond-machine-alerts.md). For more information, see [Investigate user entities](investigate-user.md). +## Tabs + +The tabs provide relevant security and threat prevention information related to the device. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers. + +### Overview +The **Overview** tab displays the [cards](#cards) for active alerts, logged on users, and security assessment. + +![Image of overview tab on the device page](images/overview-device.png) + +### Alerts + +The **Alerts** tab provides a list of alerts that are associated with the device. 
This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts. + +![Image of alerts related to the device](images/alerts-device.png) + +When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related devices. Multiple alerts can be selected at a time. + +To see a full page view of an alert including incident graph and process tree, select the title of the alert. + +### Timeline + +The **Timeline** tab provides a chronological view of the events and associated alerts that have been observed on the device. This can help you correlate any events, files, and IP addresses in relation to the device. + +The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a device over a selected time period. To further control your view, you can filter by event groups or customize the columns. + +>[!NOTE] +> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection). 
+>Firewall covers the following events +> +>- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped +>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection + +![Image of device timeline with events](images/timeline-device.png) + +Some of the functionality includes: + +- Search for specific events + - Use the search bar to look for specific timeline events. +- Filter events from a specific date + - Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the device timeline is set to display the events from the past 30 days. + - Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations +- Export detailed device timeline events + - Export the device timeline for the current date or a specified date range up to seven days. + +More details about certain events are provided in the **Additional information** section. 
These details vary depending on the type of event, for example: + +- Contained by Application Guard - the web browser event was restricted by an isolated container +- Active threat detected - the threat detection occurred while the threat was running +- Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed +- Remediation successful - the detected threat was stopped and cleaned +- Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user +- Suspicious script detected - a potentially malicious script was found running +- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided + +You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific device. + +#### Event details +Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown. + +To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint. + +![Image of the event details panel](images/event-details.png) + +### Security recommendations + +**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See [Security recommendation](tvm-security-recommendation.md) for details. 
+ +![Image of security recommendations tab](images/security-recommendations-device.png) + +### Software inventory + +The **Software inventory** tab lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed devices, and version distribution. See [Software inventory](tvm-software-inventory.md) for details + +![Image of software inventory tab](images/software-inventory-device.png) + +### Discovered vulnerabilities + +The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details. + +![Image of discovered vulnerabilities tab](images/discovered-vulnerabilities-device.png) + +### Missing KBs +The **Missing KBs** tab lists the missing security updates for the device. + +![Image of missing kbs tab](images/missing-kbs-device.png) + ## Cards ### Active alerts -The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the machine and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down. +The **Azure Advanced Threat Protection** card will display a high-level overview of alerts related to the device and their risk level, if you have enabled the Azure ATP feature, and there are any active alerts. More information is available in the "Alerts" drill down. ![Image of active alerts card](images/risk-level-small.png) 
@@ -88,87 +175,10 @@ The **Logged on users** card shows how many users have logged on in the past 30 ### Security assessments -The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of its pending security recommendations. +The **Security assessments** card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A device's exposure level is determined by the cumulative impact of its pending security recommendations. ![Image of security assessments card](images/security-assessments.png) -## Tabs - -The five tabs under the cards section show relevant security and threat prevention information related to the machine. In each tab, you can customize the columns that are shown by selecting **Customize columns** from the bar above the column headers. - -### Alerts - -The **Alerts** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue.md), and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts. - -![Image of alerts related to the machine](images/alerts-machine.png) - -When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related machines. Multiple alerts can be selected at a time. - -To see a full page view of an alert including incident graph and process tree, select the title of the alert. 
- -### Timeline - -The **Timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine. - -The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns. - ->[!NOTE] -> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection). ->Firewall covers the following events -> ->- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped ->- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network ->- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection - -![Image of machine timeline with events](images/timeline-machine.png) - -Some of the functionality includes: - -- Search for specific events - - Use the search bar to look for specific timeline events. -- Filter events from a specific date - - Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the machine timeline is set to display the events from the past 30 days. - - Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations -- Export detailed machine timeline events - - Export the machine timeline for the current date or a specified date range up to seven days. 
- -More details about certain events are provided in the **Additional information** section. These details vary depending on the type of event, for example: - -- Contained by Application Guard - the web browser event was restricted by an isolated container -- Active threat detected - the threat detection occurred while the threat was running -- Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed -- Remediation successful - the detected threat was stopped and cleaned -- Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user -- Suspicious script detected - a potentially malicious script was found running -- The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided - -You can also use the [Artifact timeline](investigate-alerts.md#artifact-timeline) feature to see the correlation between alerts and events on a specific machine. - -#### Event details -Select an event to view relevant details about that event. A panel displays to show general event information. When applicable and data is available, a graph showing related entities and their relationships are also shown. - -To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query will return the selected event and the list of other events that occurred around the same time on the same endpoint. - -![Image of the event details panel](images/event-details.png) - -### Security recommendations - -**Security recommendations** are generated from Microsoft Defender ATP's [Threat & Vulnerability Management](tvm-dashboard-insights.md) capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. 
See [Security recommendation](tvm-security-recommendation.md) for details. - -![Image of security recommendations tab](images/security-recommendations-machine.png) - -### Software inventory - -The **Software inventory** section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution. See [Software inventory](tvm-software-inventory.md) for details - -![Image of software inventory tab](images/software-inventory-machine.png) - -### Discovered vulnerabilities - -The **Discovered vulnerabilities** section shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details. - -![Image of discovered vulnerabilities tab](images/discovered-vulnerabilities-machine.png) - ## Related topics - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index e086f41f6b..841262e0fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -1,7 +1,7 @@ --- title: Investigate a user account in Microsoft Defender ATP description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation. -keywords: investigate, account, user, user entity, alert, windows defender atp +keywords: investigate, account, user, user entity, alert, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -27,52 +27,47 @@ ms.date: 04/24/2018 ## Investigate user account entities -Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or machine to identify possible lateral movement between machines with that user account. +Identify user accounts with the most active alerts (displayed on dashboard as "Users at risk") and investigate cases of potential compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices with that user account. You can find user account information in the following views: - Dashboard - Alert queue -- Machine details page +- Device details page A clickable user account link is available in these views, that will take you to the user account details page where more details about the user account are shown. When you investigate a user account entity, you'll see: -- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and Logged on machines +- User account details, Azure Advanced Threat Protection (Azure ATP) alerts, and logged on devices, role, logon type, and other details +- Overview of the incidents and user's devices - Alerts related to this user -- Observed in organization (machines logged on to) +- Observed in organization (devices logged on to) -![Image of the user account entity details page](images/atp-user-details-view-azureatp.png) - -The user account details, Azure ATP alerts, and logged on machines cards display various attributes about the user account. +![Image of the user account entity details page](images/atp-user-details-view.png) ### User details -The **User details** card provides information about the user, such as when the user was first and last seen. Depending on the integration features you've enabled, you'll see other details. 
For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. - -### Azure Advanced Threat Protection - -The **Azure Advanced Threat Protection** card will contain a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. This card also provides details such as the last AD site, total group memberships, and login failure associated with the user. +The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. >[!NOTE] >You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). -### Logged on machines +The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account. -The **Logged on machines** card shows a list of the machines that the user has logged on to. You can expand these to see details of the log-on events for each machine. 
+### Overview -## Alerts related to this user +The **Overview** tab shows the incidents details and a list of the devices that the user has logged on to. You can expand these to see details of the log-on events for each device. -The **Alerts related to this user** section provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the machine associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. +### Alerts -## Observed in organization +The **Alerts** tab provides a list of alerts that are associated with the user account. This list is a filtered view of the [Alert queue](alerts-queue.md), and shows alerts where the user context is the selected user account, the date when the last activity was detected, a short description of the alert, the device associated with the alert, the alert's severity, the alert's status in the queue, and who is assigned the alert. -The **Observed in organization** section allows you to specify a date range to see a list of machines where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these machines, and total observed users on each machine. +### Observed in organization -Selecting an item on the Observed in organization table will expand the item, revealing more details about the machine. Directly selecting a link within an item will send you to the corresponding page. +The **Observed in organization** tab allows you to specify a date range to see a list of devices where this user was observed logged on to, the most frequent and least frequent logged on user account for each of these devices, and total observed users on each device. 
-![Image of observed in organization section](images/atp-observed-in-organization.png) +Selecting an item on the Observed in organization table will expand the item, revealing more details about the device. Directly selecting a link within an item will send you to the corresponding page. ## Search for specific user accounts @@ -80,7 +75,7 @@ Selecting an item on the Observed in organization table will expand the item, re 2. Enter the user account in the **Search** field. 3. Click the search icon or press **Enter**. -A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of machines it was observed logged on to in the last 30 days. +A list of users matching the query text is displayed. You'll see the user account's domain and name, when the user account was last seen, and the total number of devices it was observed logged on to in the last 30 days. You can filter the results by the following time periods: @@ -96,6 +91,6 @@ You can filter the results by the following time periods: - [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index ec516a1afc..9b1015434d 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -30,7 +30,7 @@ Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation [Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. -[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a machine. +[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. ## Properties @@ -42,8 +42,8 @@ endTime | DateTime Nullable | The date and time when the investigation was compl cancelledBy | String | The ID of the user/application that cancelled that investigation. investigationState | Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign', 'Failed', 'PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert'. statusDetails | String | Additional information about the state of the investigation. -machineId | String | The ID of the machine on which the investigation is executed. -computerDnsName | String | The name of the machine on which the investigation is executed. +machineId | String | The ID of the device on which the investigation is executed. +computerDnsName | String | The name of the device on which the investigation is executed. triggeringAlertId | String | The ID of the alert that triggered the investigation. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 8b8c759287..ca9dbdfdd3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -1,7 +1,7 @@ --- title: Isolate machine API -description: Use this API to create calls related isolating a machine. -keywords: apis, graph api, supported apis, isolate machine +description: Use this API to create calls related isolating a device. +keywords: apis, graph api, supported apis, isolate device search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -24,14 +24,14 @@ ms.topic: article ## API description -Isolates a machine from accessing external network. +Isolates a device from accessing external network. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -[!include[Machine actions note](../../includes/machineactionsnote.md)] +[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request 
@@ -69,7 +69,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S **IsolationType** controls the type of isolation to perform and can be one of the following: - Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network) for more details) ## Response @@ -93,4 +93,4 @@ Content-type: application/json } -- To unisolate a machine, see [Release machine from isolation](unisolate-machine.md). +- To unisolate a device, see [Release device from isolation](unisolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index 2c56cd3ef7..3c07af2507 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -41,7 +41,7 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f Exclusion | Definition | Examples ---|---|--- -File extension | All files with the extension, anywhere on the machine | `.test` +File extension | All files with the extension, anywhere on the device | `.test` File | A specific file identified by the full path | `/var/log/test.log`
`/var/log/*.log`
`/var/log/install.?.log` Folder | All files under the specified folder | `/var/log/`
`/var/*/` Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`
`cat`
`c?t` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index ef65ef7094..dc8160ff0a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -236,8 +236,8 @@ In order to preview new features and provide early feedback, it is recommended t Download the onboarding package from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. -2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 machines)** as the deployment method. +1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**. +2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Local Script (for up to 10 devices)** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip. ![Microsoft Defender Security Center screenshot](images/atp-portal-onboarding-linux.png) @@ -263,9 +263,9 @@ Download the onboarding package from Microsoft Defender Security Center: ## Client configuration -1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target machine. +1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target device. - Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank: + Initially the client device is not associated with an organization. Note that the *orgId* attribute is blank: ```bash mdatp health --field org_id 
@@ -277,7 +277,7 @@ Download the onboarding package from Microsoft Defender Security Center: python MicrosoftDefenderATPOnboardingLinuxServer.py ``` -3. Verify that the machine is now associated with your organization and reports a valid organization identifier: +3. Verify that the device is now associated with your organization and reports a valid organization identifier: ```bash mdatp health --field org_id @@ -296,7 +296,7 @@ Download the onboarding package from Microsoft Defender Security Center: > ``` > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration). -5. Run a detection test to verify that the machine is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded machine: +5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: - Ensure that real-time protection is enabled (denoted by a result of `1` from running the following command): diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index f6753d00a3..378fbbc6a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md 
@@ -60,7 +60,7 @@ Before you get started, please see [the main Microsoft Defender ATP for Linux pa Download the onboarding package from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. +1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**. 2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip. @@ -81,7 +81,7 @@ Download the onboarding package from Microsoft Defender Security Center: Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory: -- Copy the onboarding package to all client machines: +- Copy the onboarding package to all client devices: ```bash - name: Copy the zip file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 0db0c18a3a..3d93fef08d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md 
@@ -41,7 +41,7 @@ In addition, for Puppet deployment, you need to be familiar with Puppet administ Download the onboarding package from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. +1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**. 2. In the first drop-down menu, select **Linux Server** as the operating system. In the second drop-down menu, select **Your preferred Linux configuration management tool** as the deployment method. 3. Select **Download onboarding package**. Save the file as WindowsDefenderATPOnboardingPackage.zip. @@ -171,7 +171,7 @@ Enrolled agent devices periodically poll the Puppet Server, and install new conf ## Monitor Puppet deployment -On the agent machine, you can also check the onboarding status by running: +On the agent device, you can also check the onboarding status by running: ```bash $ mdatp health diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 828c7b8f00..4e59ea8aad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -259,18 +259,29 @@ Determines whether suspicious samples (that are likely to contain threats) are s | **Data type** | String | | **Possible values** | none
safe (default)
all | +#### Enable / disable automatic security intelligence updates + +Determines whether security intelligence updates are installed automatically: + +||| +|:---|:---| +| **Key** | automaticDefinitionUpdateEnabled | +| **Data type** | Boolean | +| **Possible values** | true (default)
false | + ## Recommended configuration profile To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. The following configuration profile will: -- Enable real-time protection (RTP). +- Enable real-time protection (RTP) - Specify how the following threat types are handled: - - **Potentially unwanted applications (PUA)** are blocked. - - **Archive bombs** (file with a high compression rate) are audited to the product logs. -- Enable cloud-delivered protection. -- Enable automatic sample submission at `safe` level. + - **Potentially unwanted applications (PUA)** are blocked + - **Archive bombs** (file with a high compression rate) are audited to the product logs +- Enable automatic security intelligence updates +- Enable cloud-delivered protection +- Enable automatic sample submission at `safe` level ### Sample profile @@ -290,6 +301,7 @@ The following configuration profile will: ] }, "cloudService":{ + "automaticDefinitionUpdateEnabled":true, "automaticSampleSubmissionConsent":"safe", "enabled":true } @@ -350,7 +362,8 @@ The following configuration profile contains entries for all settings described "cloudService":{ "enabled":true, "diagnosticLevel":"optional", - "automaticSampleSubmissionConsent":"safe" + "automaticSampleSubmissionConsent":"safe", + "automaticDefinitionUpdateEnabled":true } } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md index 7a7de6e01f..448b784c40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md 
@@ -84,7 +84,7 @@ The following fields are considered common for all events: | machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | -| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | | app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| | sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | 
@@ -125,7 +125,7 @@ The following fields are collected: | cloud_service.service_uri | URI used to communicate with the cloud. | | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | | cloud_service.automatic_sample_submission | Automatic sample submission level of the device (none, safe, all). | -| edr.early_preview | Whether the machine should run EDR early preview features. | +| edr.early_preview | Whether the device should run EDR early preview features. | | edr.group_id | Group identifier used by the detection and response component. | | edr.tags | User-defined tags. | | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 9682edb6d0..a892d04701 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -97,11 +97,11 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - Antivirus alerts, including: - Severity - Scan type - - Device information (hostname, machine identifier, tenant identifier, app version, and OS type) + - Device information (hostname, device identifier, tenant identifier, app version, and OS type) - File information (name, path, size, and hash) - Threat information (name, type, and state) - Device information, including: - - Machine identifier + - Device identifier - Tenant identifier - App version - Hostname 
@@ -110,3 +110,12 @@ In the Microsoft Defender ATP portal, you'll see two categories of information: - Computer model - Processor architecture - Whether the device is a virtual machine + +### Known issues + +- Logged on users do not appear in the Microsoft Defender Security Center portal. +- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: + + ```bash + $ sudo SUSEConnect --status-text + ``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index a124167305..d774cafe00 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -32,7 +32,7 @@ To test if Microsoft Defender ATP for Linux can communicate to the cloud with th $ mdatp connectivity test ``` -If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. +If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall. ## Troubleshooting steps for environments without proxy or with transparent proxy diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 33a756f573..49399fbe9f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md 
@@ -25,7 +25,7 @@ ms.topic: article Learn about common commands used in live response and see examples on how they are typically used. -Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on machines using live response](live-response.md). +Depending on the role that's been granted to you, you can run basic or advanced live response commands. For more information on basic and advanced commands, see [Investigate entities on devices using live response](live-response.md). ## analyze diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 8ab5475888..38818e6a2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -1,6 +1,6 @@ --- -title: Investigate entities on machines using live response in Microsoft Defender ATP -description: Access a machine using a secure remote shell connection to do investigative work and take immediate response actions on a machine in real time. +title: Investigate entities on devices using live response in Microsoft Defender ATP +description: Access a device using a secure remote shell connection to do investigative work and take immediate response actions on a device in real time. keywords: remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file, search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -60,8 +60,8 @@ You'll need to enable the live response capability in the [Advanced features set >[!NOTE] >Only users with manage security or global admin roles can edit these settings. -- **Ensure that the machine has an Automation Remediation level assigned to it**.
-You'll need to enable, at least, the minimum Remediation Level for a given Machine Group. Otherwise you won't be able to establish a Live Response session to a member of that group. +- **Ensure that the device has an Automation Remediation level assigned to it**.
+You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group. - **Enable live response unsigned script execution** (optional).
@@ -92,11 +92,11 @@ The dashboard also gives you access to: - Command log -## Initiate a live response session on a machine +## Initiate a live response session on a device 1. Log in to Microsoft Defender Security Center. -2. Navigate to the devices list page and select a machine to investigate. The machines page opens. +2. Navigate to the devices list page and select a device to investigate. The devices page opens. 3. Launch the live response session by selecting **Initiate live response session**. A command console is displayed. Wait while the session connects to the device. @@ -152,7 +152,7 @@ The commands that you can use in the console follow similar principles as [Windo The advanced commands offer a more robust set of actions that allow you to take more powerful actions such as download and upload a file, run scripts on the device, and take remediation actions on an entity. -### Get a file from the machine +### Get a file from the device For scenarios when you'd like get a file from a device you're investigating, you can use the `getfile` command. This allows you to save the file from the device for further investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index c2941c40da..448468935d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md 
@@ -36,7 +36,7 @@ Before you get started, see [the main Microsoft Defender ATP for macOS page](mic Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine Management > Onboarding**. +1. In Microsoft Defender Security Center, go to **Settings > Device Management > Onboarding**. 2. In Section 1 of the page, set operating system to **macOS** and Deployment method to **Local script**. 3. In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory. 4. In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory. @@ -47,7 +47,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi ## Application installation -To complete this process, you must have admin privileges on the machine. +To complete this process, you must have admin privileges on the device. 1. Navigate to the downloaded wdav.pkg in Finder and open it. 
@@ -72,13 +72,13 @@ To complete this process, you must have admin privileges on the machine. > If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this. > [!NOTE] -> macOS may request to reboot the machine upon the first installation of Microsoft Defender. Real-time protection will not be available until the machine is rebooted. +> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted. ## Client configuration -1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for macOS. +1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS. - The client machine is not associated with orgId. Note that the *orgId* attribute is blank. + The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash mdatp --health orgId @@ -90,7 +90,7 @@ To complete this process, you must have admin privileges on the machine. /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py ``` -3. Verify that the machine is now associated with your organization and reports a valid *orgId*: +3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash mdatp --health orgId diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 2a03c67c16..270e61656a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md 
@@ -58,13 +58,13 @@ The following table summarizes the steps you would need to take to deploy and ma Download the installation and onboarding packages from Microsoft Defender Security Center: 1. In Microsoft Defender Security Center, go to **Settings** > **Device Management** > **Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS, or Android** and the deployment method to **Mobile Device Management / Microsoft Intune**. -3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**. + + ![Onboarding settings screenshot](images/atp-mac-install.png) + +3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. 5. Download **IntuneAppUtil** from [https://docs.microsoft.com/intune/lob-apps-macos](https://docs.microsoft.com/intune/lob-apps-macos). - - ![Microsoft Defender Security Center screenshot](../microsoft-defender-antivirus/images/MDATP-2-DownloadPackages.png) - 6. From a command prompt, verify that you have the three files. Extract the contents of the .zip files: 
@@ -110,11 +110,11 @@ You do not need any special provisioning for a Mac device beyond a standard [Com 1. Confirm device management. -![Confirm device management screenshot](../microsoft-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) + ![Confirm device management screenshot](../microsoft-defender-antivirus/images/MDATP-3-ConfirmDeviceMgmt.png) -Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: + Select **Open System Preferences**, locate **Management Profile** on the list, and select **Approve...**. Your Management Profile would be displayed as **Verified**: -![Management profile screenshot](../microsoft-defender-antivirus/images/MDATP-4-ManagementProfile.png) + ![Management profile screenshot](../microsoft-defender-antivirus/images/MDATP-4-ManagementProfile.png) 2. Select **Continue** and complete the enrollment. 
@@ -320,7 +320,7 @@ Once the Intune changes are propagated to the enrolled devices, you can see them > [!CAUTION] > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. > - > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client machine, then uninstall Defender and push the updated policy. + > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy. ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index 32d0727488..6f844e39a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md 
@@ -55,19 +55,16 @@ The following table summarizes the steps you would need to take to deploy and ma Download the installation and onboarding packages from Microsoft Defender Security Center: -1. In Microsoft Defender Security Center, go to **Settings > Machine management > Onboarding**. -2. In Section 1 of the page, set the operating system to **Linux, macOS, iOS or Android**. -3. Set the deployment method to **Mobile Device Management / Microsoft Intune**. +1. In Microsoft Defender Security Center, go to **Settings > Device management > Onboarding**. +2. Set the operating system to **macOS** and the deployment method to **Mobile Device Management / Microsoft Intune**. + ![Onboarding settings screenshot](images/atp-mac-install.png) > [!NOTE] > Jamf falls under **Mobile Device Management**. -4. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory. -5. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. - - ![Microsoft Defender Security Center screenshot](../microsoft-defender-antivirus/images/jamf-onboarding.png) - -6. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: +3. Select **Download installation package**. Save it as _wdav.pkg_ to a local directory. +4. Select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory. +5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so: ```bash $ ls -l 
@@ -140,7 +137,7 @@ Use the **Logs** tab to monitor deployment status for each enrolled device. ### Notification settings -Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all machines with Defender: +Starting in macOS 10.15 (Catalina) a user must manually allow to display notifications in UI. To auto-enable notifications from Defender and Auto Update, you can import the .mobileconfig below into a separate configuration profile and assign it to all devices with Defender: ```xml @@ -287,4 +284,4 @@ Your policy should contain a single script: ![Microsoft Defender uninstall script screenshot](../microsoft-defender-antivirus/images/MDATP-27-UninstallScript.png) -Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy. +Configure the appropriate scope in the **Scope** tab to specify the devices that will receive this policy. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 05fc7da212..29dbf4fa14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md 
@@ -36,20 +36,20 @@ If your organization uses a Mobile Device Management (MDM) solution that is not Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features: -- Deploy a macOS .pkg to managed machines. -- Deploy macOS system configuration profiles to managed machines. -- Run an arbitrary admin-configured tool/script on managed machines. +- Deploy a macOS .pkg to managed devices. +- Deploy macOS system configuration profiles to managed devices. +- Run an arbitrary admin-configured tool/script on managed devices. Most modern MDM solutions include these features, however, they may call them differently. You can deploy Defender without the last requirement from the preceding list, however: - You will not be able to collect status in a centralized way -- If you decide to uninstall Defender, you will need to logon to the client machine locally as an administrator +- If you decide to uninstall Defender, you will need to logon to the client device locally as an administrator ## Deployment -Most MDM solutions use the same model for managing macOS machines, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template. +Most MDM solutions use the same model for managing macOS devices, with similar terminology. Use [JAMF-based deployment](mac-install-with-jamf.md) as a template. ### Package 
@@ -68,7 +68,7 @@ Your system may support an arbitrary property list in XML format. You can upload Alternatively, it may require you to convert the property list to a different format first. Typically, your custom profile has an id, name, or domain attribute. You must use exactly "com.microsoft.wdav.atp" for this value. -MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client machine, and Defender uses this file for loading the onboarding information. +MDM uses it to deploy the settings file to **/Library/Managed Preferences/com.microsoft.wdav.atp.plist** on a client device, and Defender uses this file for loading the onboarding information. ### Kernel extension policy @@ -76,4 +76,4 @@ Set up a KEXT or kernel extension policy. Use team identifier **UBF8T346G9** to ## Check installation status -Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client machine to check the onboarding status. +Run [mdatp](mac-install-with-jamf.md#check-onboarding-status) on a client device to check the onboarding status. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 19065efe0b..018c229b01 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -277,6 +277,16 @@ Determines whether suspicious samples (that are likely to contain threats) are s | **Data type** | Boolean | | **Possible values** | true (default)
false | +#### Enable / disable automatic security intelligence updates + +Determines whether security intelligence updates are installed automatically: + +||| +|:---|:---| +| **Key** | automaticDefinitionUpdateEnabled | +| **Data type** | Boolean | +| **Possible values** | true (default)
false | + ### User interface preferences Manage the preferences for the user interface of Microsoft Defender ATP for Mac. @@ -314,7 +324,7 @@ Manage the preferences of the endpoint detection and response (EDR) component of Specify a tag name and its value. -- The GROUP tag, tags the machine with the specified value. The tag is reflected in the portal under the machine page and can be used for filtering and grouping machines. +- The GROUP tag, tags the device with the specified value. The tag is reflected in the portal under the device page and can be used for filtering and grouping devices. ||| |:---|:---| @@ -358,6 +368,7 @@ The following configuration profile (or, in case of JAMF, a property list that c - Specify how the following threat types are handled: - **Potentially unwanted applications (PUA)** are blocked - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender ATP logs +- Enable automatic security intelligence updates - Enable cloud-delivered protection - Enable automatic sample submission @@ -394,6 +405,8 @@ The following configuration profile (or, in case of JAMF, a property list that c automaticSampleSubmission + automaticDefinitionUpdateEnabled + @@ -471,6 +484,8 @@ The following configuration profile (or, in case of JAMF, a property list that c automaticSampleSubmission + automaticDefinitionUpdateEnabled + @@ -563,6 +578,8 @@ The following templates contain entries for all settings described in this docum optional automaticSampleSubmission + automaticDefinitionUpdateEnabled + edr @@ -701,6 +718,8 @@ The following templates contain entries for all settings described in this docum optional automaticSampleSubmission + automaticDefinitionUpdateEnabled + edr diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 9add09b4df..4cb8256cd5 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -80,7 +80,7 @@ The following fields are considered common for all events: | machine_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | sense_guid | Unique identifier associated with the device. Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | -| hostname | Local machine name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | +| hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | | app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| | sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | 
@@ -122,7 +122,7 @@ The following fields are collected: | cloud_service.service_uri | URI used to communicate with the cloud. | | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | | cloud_service.automatic_sample_submission | Whether automatic sample submission is turned on or not. | -| edr.early_preview | Whether the machine should run EDR early preview features. | +| edr.early_preview | Whether the device should run EDR early preview features. | | edr.group_id | Group identifier used by the detection and response component. | | edr.tags | User-defined tags. | | features.\[optional feature name\] | List of preview features, along with whether they are enabled or not. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index f7626685ae..a4780aaea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md 
@@ -97,8 +97,8 @@ Important tasks, such as controlling product settings and triggering on-demand s |Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` | |Protection |Request a security intelligence update |`mdatp --definition-update` | |EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 | -|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` | -|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` | +|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` | +|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` | ## Client Microsoft Defender ATP quarantine directory diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 3613ce2eb0..8e3150af35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md 
@@ -26,6 +26,12 @@ ms.topic: conceptual > > If you have previously allowed the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to allow the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to allow the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. +## 101.01.54 + +- Improvements around compatibility with Time Machine +- Accessibility improvements +- Performance improvements & bug fixes + ## 101.00.31 - Improved [product onboarding experience for Intune users](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index cd57c99e3a..55b903fa52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -1,7 +1,7 @@ --- -title: Create and manage machine groups in Microsoft Defender ATP -description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group -keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank +title: Create and manage device groups in Microsoft Defender ATP +description: Create device groups and set automated remediation levels on them by confiring the rules that apply on the group +keywords: device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create and manage machine groups +# Create and manage device groups **Applies to:** 
@@ -25,64 +25,64 @@ ms.topic: article - Office 365 - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -In an enterprise scenario, security operation teams are typically assigned a set of machines. These machines are grouped together based on a set of attributes such as their domains, computer names, or designated tags. +In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags. -In Microsoft Defender ATP, you can create machine groups and use them to: +In Microsoft Defender ATP, you can create device groups and use them to: - Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md) -- Configure different auto-remediation settings for different sets of machines +- Configure different auto-remediation settings for different sets of devices - Assign specific remediation levels to apply during automated investigations -- In an investigation, filter the **Machines list** to just specific machine groups by using the **Group** filter. +- In an investigation, filter the **Devices list** to just specific device groups by using the **Group** filter. -You can create machine groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the machine group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac.md). +You can create device groups in the context of role-based access (RBAC) to control who can take specific action or see information by assigning the device group(s) to a user group. For more information, see [Manage portal access using role-based access control](rbac.md). 
>[!TIP] > For a comprehensive look into RBAC application, read: [Is your SOC running flat with RBAC](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Is-your-SOC-running-flat-with-limited-RBAC/ba-p/320015). -As part of the process of creating a machine group, you'll: +As part of the process of creating a device group, you'll: - Set the automated remediation level for that group. For more information on remediation levels, see [Use Automated investigation to investigate and remediate threats](automated-investigations.md). -- Specify the matching rule that determines which machine group belongs to the group based on the machine name, domain, tags, and OS platform. If a machine is also matched to other groups, it is added only to the highest ranked machine group. -- Select the Azure AD user group that should have access to the machine group. -- Rank the machine group relative to other groups after it is created. +- Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. If a device is also matched to other groups, it is added only to the highest ranked device group. +- Select the Azure AD user group that should have access to the device group. +- Rank the device group relative to other groups after it is created. >[!NOTE] ->A machine group is accessible to all users if you don’t assign any Azure AD groups to it. +>A device group is accessible to all users if you don’t assign any Azure AD groups to it. -## Create a machine group +## Create a device group -1. In the navigation pane, select **Settings** > **Machine groups**. +1. In the navigation pane, select **Settings** > **Device groups**. -2. Click **Add machine group**. +2. Click **Add device group**. -3. Enter the group name and automation settings and specify the matching rule that determines which machines belong to the group. 
See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts). +3. Enter the group name and automation settings and specify the matching rule that determines which devices belong to the group. See [How the automated investigation starts](automated-investigations.md#how-the-automated-investigation-starts). >[!TIP] - >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage machine tags](machine-tags.md). + >If you want to group devices by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Create and manage device tags](machine-tags.md). -4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab. +4. Preview several devices that will be matched by this rule. If you are satisfied with the rule, click the **User access** tab. -5. Assign the user groups that can access the machine group you created. +5. Assign the user groups that can access the device group you created. >[!NOTE] >You can only grant access to Azure AD user groups that have been assigned to RBAC roles. 6. Click **Close**. The configuration changes are applied. -## Manage machine groups +## Manage device groups -You can promote or demote the rank of a machine group so that it is given higher or lower priority during matching. When a machine is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. +You can promote or demote the rank of a device group so that it is given higher or lower priority during matching. When a device is matched to more than one group, it is added only to the highest ranked group. You can also edit and delete groups. >[!WARNING] ->Deleting a machine group may affect email notification rules. 
If a machine group is configured under an email notification rule, it will be removed from that rule. If the machine group is the only group configured for an email notification, that email notification rule will be deleted along with the machine group. +>Deleting a device group may affect email notification rules. If a device group is configured under an email notification rule, it will be removed from that rule. If the device group is the only group configured for an email notification, that email notification rule will be deleted along with the device group. -By default, machine groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the machine group. +By default, device groups are accessible to all users with portal access. You can change the default behavior by assigning Azure AD user groups to the device group. -Machines that are not matched to any groups are added to Ungrouped machines (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. +Devices that are not matched to any groups are added to Ungrouped devices (default) group. You cannot change the rank of this group or delete it. However, you can change the remediation level of this group, and define the Azure AD user groups that can access this group. >[!NOTE] -> Applying changes to machine group configuration may take up to several minutes. +> Applying changes to device group configuration may take up to several minutes. ## Related topics - [Manage portal access using role-based based access control](rbac.md) -- [Create and manage machine tags](machine-tags.md) -- [Get list of tenant machine groups using Graph API](get-machinegroups-collection.md) +- [Create and manage device tags](machine-tags.md) +- [Get list of tenant device groups using Graph API](get-machinegroups-collection.md) 
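Review bot: the matching-rule bullet in this hunk still reads "determines which device group belongs to the group based on the device name", which carries the pre-existing wording error through the rename; since the line is being rewritten anyway, change it to "determines which devices belong to the group based on the device name, domain, tags, and OS platform". While here, the untouched Related topics entry "[Manage portal access using role-based based access control](rbac.md)" has a doubled "based".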
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index e2f2b119a3..6ff6a3213c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -1,6 +1,6 @@ --- -title: Machine health and compliance report in Microsoft Defender ATP -description: Track machine health state detections, antivirus status, OS platform, and Windows 10 versions using the machine health and compliance report +title: Device health and compliance report in Microsoft Defender ATP +description: Track device health state detections, antivirus status, OS platform, and Windows 10 versions using the device health and compliance report keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -17,25 +17,25 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Machine health and compliance report in Microsoft Defender ATP +# Device health and compliance report in Microsoft Defender ATP **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. +The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. The dashboard is structured into two sections: - ![Image of the machine report](images/machine-reports.png) + ![Image of the device report](images/device-reports.png) Section | Description :---|:--- -1 | Machine trends -2 | Machine summary (current day) +1 | Device trends +2 | Device summary (current day) -## Machine trends -By default, the machine trends displays machine information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options: +## Device trends +By default, the device trends displays device information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options: - 30 days - 3 months 
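Review bot: the image reference changes from `images/machine-reports.png` to `images/device-reports.png`, but no rename of that asset appears in the patch (compare machine-tags.md, where `images/new-tags.png` is kept as-is); confirm the file exists under the new name or the image breaks. Also "The devices status report" reads awkwardly after the rename; "The device status report" matches the "Device trends" and "Device summary" headings introduced in the same hunk.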
@@ -43,42 +43,42 @@ By default, the machine trends displays machine information from the 30-day peri - Custom >[!NOTE] ->These filters are only applied on the machine trends section. It doesn't affect the machine summary section. +>These filters are only applied on the device trends section. It doesn't affect the device summary section. -## Machine summary -While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day. +## Device summary +While the devices trends shows trending device information, the device summary shows device information scoped to the current day. >[!NOTE] >The data reflected in the summary section is scoped to 180 days prior to the current date. For example if today's date is March 27, 2019, the data on the summary section will reflect numbers starting from September 28, 2018 to March 27, 2019.
> The filter applied on the trends section is not applied on the summary section. -The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive. +The device trends section allows you to drill down to the devices list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the devices list with results showing only devices whose sensor status is inactive. -## Machine attributes -The report is made up of cards that display the following machine attributes: +## Device attributes +The report is made up of cards that display the following device attributes: - **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen. -- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Microsoft Defender Antivirus. +- **Antivirus status for active Windows 10 devices**: shows the number of devices and status of Microsoft Defender Antivirus. - **OS platforms**: shows the distribution of OS platforms that exists within your organization. -- **Windows 10 versions**: shows the distribution of Windows 10 machines and their versions in your organization. +- **Windows 10 versions**: shows the distribution of Windows 10 devices and their versions in your organization. ## Filter data -Use the provided filters to include or exclude machines with certain attributes. +Use the provided filters to include or exclude devices with certain attributes. -You can select multiple filters to apply from the machine attributes. +You can select multiple filters to apply from the device attributes. 
>[!NOTE] >These filters apply to **all** the cards in the report. -For example, to show data about Windows 10 machines with Active sensor health state: +For example, to show data about Windows 10 devices with Active sensor health state: 1. Under **Filters > Sensor health state > Active**. 2. Then select **OS platforms > Windows 10**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index 9da990fe57..0ee6e199c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -1,7 +1,7 @@ --- -title: Create and manage machine tags -description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident -keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank +title: Create and manage device tags +description: Use device tags to group devices to capture context and enable dynamic list creation as part of an incident +keywords: tags, device tags, device groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -17,28 +17,28 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create and manage machine tags +# Create and manage device tags -Add tags on machines to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Machines list** view, or to group machines. For more information on machine grouping, see [Create and manage machine groups](machine-groups.md). +Add tags on devices to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. Tags can be used as a filter in **Devices list** view, or to group devices. For more information on device grouping, see [Create and manage device groups](machine-groups.md). -You can add tags on machines using the following ways: +You can add tags on devices using the following ways: - Using the portal - Setting a registry key value > [!NOTE] -> There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page. +> There may be some latency between the time a tag is added to a device and its availability in the devices list and device page. -To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md). +To add device tags using API, see [Add or remove device tags API](add-or-remove-machine-tags.md). -## Add and manage machine tags using the portal +## Add and manage device tags using the portal -1. Select the machine that you want to manage tags on. You can select or search for a machine from any of the following views: +1. Select the device that you want to manage tags on. 
You can select or search for a device from any of the following views: - - **Security operations dashboard** - Select the machine name from the Top machines with active alerts section. - - **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. - - **Machines list** - Select the machine name from the list of machines. - - **Search box** - Select Machine from the drop-down menu and enter the machine name. + - **Security operations dashboard** - Select the device name from the Top devices with active alerts section. + - **Alerts queue** - Select the device name beside the device icon from the alerts queue. + - **Devices list** - Select the device name from the list of devices. + - **Search box** - Select Device from the drop-down menu and enter the device name. You can also get to the alert page through the file and IP views. 
@@ -48,21 +48,21 @@ To add machine tags using API, see [Add or remove machine tags API](add-or-remov 3. Type to find or create tags - ![Image of adding tags on a machine](images/new-tags.png) + ![Image of adding tags on a device](images/new-tags.png) -Tags are added to the machine view and will also be reflected on the **Machines list** view. You can then use the **Tags** filter to see the relevant list of machines. +Tags are added to the device view and will also be reflected on the **Devices list** view. You can then use the **Tags** filter to see the relevant list of devices. >[!NOTE] > Filtering might not work on tag names that contain parenthesis. You can also delete tags from this view. -![Image of adding tags on a machine](images/more-manage-tags.png) +![Image of adding tags on a device](images/more-manage-tags.png) -## Add machine tags by setting a registry key value +## Add device tags by setting a registry key value >[!NOTE] -> Applicable only on the following machines: +> Applicable only on the following devices: >- Windows 10, version 1709 or later >- Windows Server, version 1803 or later >- Windows Server 2016 
@@ -74,15 +74,15 @@ You can also delete tags from this view. > [!NOTE] > The maximum number of characters that can be set in a tag is 200. -Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. +Devices with similar tags can be handy when you need to apply contextual action on a specific list of devices. -Use the following registry key entry to add a tag on a machine: +Use the following registry key entry to add a tag on a device: - Registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging\` - Registry key value (REG_SZ): `Group` - Registry key data: `Name of the tag you want to set` >[!NOTE] ->The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. +>The device tag is part of the device information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new device information report. > > If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index f243b53767..2b4a77dcc3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md 
@@ -1,7 +1,7 @@ --- -title: View and organize the Microsoft Defender ATP machines list -description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations. -keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software +title: View and organize the Microsoft Defender ATP devices list +description: Learn about the available features that you can use from the Devices list such as sorting, filtering, and exporting the list to enhance investigations. +keywords: sort, filter, export, csv, device name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# View and organize the Microsoft Defender ATP Machines list +# View and organize the Microsoft Defender ATP Devices list **Applies to:** 
@@ -25,35 +25,35 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) -The **Machines list** shows a list of the machines in your network where alerts were generated. By default, the queue displays machines with alerts seen in the last 30 days. +The **Devices list** shows a list of the devices in your network where alerts were generated. By default, the queue displays devices with alerts seen in the last 30 days. -At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of machines most at risk. +At a glance you'll see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk. -There are several options you can choose from to customize the machines list view. On the top navigation you can: +There are several options you can choose from to customize the devices list view. On the top navigation you can: - Add or remove columns - Export the entire list in CSV format - Select the number of items to show per page - Apply filters -During the onboarding process, the **Machines list** is gradually populated with machines as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis. +During the onboarding process, the **Devices list** is gradually populated with devices as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online, or download the complete endpoint list as a CSV file for offline analysis. >[!NOTE] -> If you export the machine list, it will contain every machine in your organization. It might take a significant amount of time to download, depending on how large your organization is. 
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. +> If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself. -![Image of machines list with list of machines](images/machine-list.png) +![Image of devices list with list of devices](images/device-list.png) -## Sort and filter the machine list +## Sort and filter the device list You can apply the following filters to limit the list of alerts and get a more focused view. ### Risk level -The risk level reflects the overall risk assessment of the machine based on a combination of factors, including the types and severity of active alerts on the machine. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level. +The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level. ### Exposure level -The exposure level reflects the current exposure of the machine based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your machines are less vulnerable from exploitation. +The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations. The possible levels are low, medium, and high. Low exposure means your devices are less vulnerable from exploitation. 
If the exposure level says "No data available," there are a few reasons why this may be the case: @@ -67,19 +67,19 @@ Select only the OS platforms you're interested in investigating. ### Health state -Filter by the following machine health states: +Filter by the following device health states: -- **Active** – Machines that are actively reporting sensor data to the service. -- **Inactive** – Machines that have completely stopped sending signals for more than 7 days. -- **Misconfigured** – Machines that have impaired communications with service or are unable to send sensor data. Misconfigured machines can further be classified to: +- **Active** – Devices that are actively reporting sensor data to the service. +- **Inactive** – Devices that have completely stopped sending signals for more than 7 days. +- **Misconfigured** – Devices that have impaired communications with service or are unable to send sensor data. Misconfigured devices can further be classified to: - No sensor data - Impaired communications - For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealthy-sensors.md). + For more information on how to address issues on misconfigured devices see, [Fix unhealthy sensors](fix-unhealthy-sensors.md). ### Antivirus status -Filter machines by antivirus status. Applies to active Windows 10 machines only. +Filter devices by antivirus status. Applies to active Windows 10 devices only. - **Disabled** - Virus & threat protection is turned off. - **Not reporting** - Virus & threat protection is not reporting. 
@@ -89,7 +89,7 @@ For more information, see [View the Threat & Vulnerability Management dashboard] ### Threat mitigation status -To view machines that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated. +To view devices that may be affected by a certain threat, select the threat from the dropdown menu, and then select what vulnerability aspect needs to be mitigated. To learn more about certain threats, see [Threat analytics](threat-analytics.md). For mitigation information, see [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md). @@ -99,8 +99,8 @@ Select only the Windows 10 versions you're interested in investigating. ### Tags & Groups -Filter the list based on the grouping and tagging that you've added to individual machines. See [Create and manage machine tags](machine-tags.md) and [Create and manage machine groups](machine-groups.md). +Filter the list based on the grouping and tagging that you've added to individual devices. See [Create and manage device tags](machine-tags.md) and [Create and manage device groups](machine-groups.md). ## Related topics -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 531278a14a..3359a3bbc8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md 
@@ -26,7 +26,7 @@ ms.topic: article Microsoft Defender ATP notifies you of possible malicious events, attributes, and contextual information through alerts. A summary of new alerts is displayed in the **Security operations dashboard**, and you can access all alerts in the **Alerts queue**. -You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Machine page for an individual device. +You can manage alerts by selecting an alert in the **Alerts queue**, or the **Alerts** tab of the Device page for an individual device. Selecting an alert in either of those places brings up the **Alert management pane**. @@ -48,7 +48,7 @@ When a suppression rule is created, it will take effect from the point when the There are two contexts for a suppression rule that you can choose from: -- **Suppress alert on this machine** +- **Suppress alert on this device** - **Suppress alert in my organization** The context of the rule lets you tailor what gets surfaced into the portal and ensure that only real security alerts are surfaced into the portal. @@ -57,8 +57,8 @@ You can use the examples in the following table to help you choose the context f | **Context** | **Definition** | **Example scenarios** | |:--------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Suppress alert on this machine** | Alerts with the same alert title and on that specific machine only will be suppressed.

All other alerts on that machine will not be suppressed. |

| -| **Suppress alert in my organization** | Alerts with the same alert title on any machine will be suppressed. |
  • A benign administrative tool is used by everyone in your organization.
| +| **Suppress alert on this device** | Alerts with the same alert title and on that specific device only will be suppressed.

All other alerts on that device will not be suppressed. |
  • A security researcher is investigating a malicious script that has been used to attack other devices in your organization.
  • A developer regularly creates PowerShell scripts for their team.
| +| **Suppress alert in my organization** | Alerts with the same alert title on any device will be suppressed. |
  • A benign administrative tool is used by everyone in your organization.
| ### Suppress an alert and create a new suppression rule: Create custom rules to control when alerts are suppressed, or resolved. You can control the context for when an alert is suppressed by specifying the alert title, Indicator of compromise, and the conditions. After specifying the context, you’ll be able to configure the action and scope on the alert. @@ -79,7 +79,7 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 3. Select the **Triggering IOC**. 4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.

Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and device timeline and will appear as resolved across Microsoft Defender ATP APIs.

Alerts that are marked as hidden will be suppressed from the entire system, both on the device's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. 5. Enter a rule name and a comment. @@ -100,7 +100,7 @@ You can categorize alerts (as **New**, **In Progress**, or **Resolved**) by chan For example, a team leader can review all **New** alerts, and decide to assign them to the **In Progress** queue for further analysis. -Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a machine that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert. +Alternatively, the team leader might assign the alert to the **Resolved** queue if they know the alert is benign, coming from a device that is irrelevant (such as one belonging to a security administrator), or is being dealt with through an earlier alert. @@ -120,7 +120,7 @@ Added comments instantly appear on the pane. - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) - [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) - [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) +- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) - [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) - [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) - [Investigate a user account in Microsoft Defender ATP](investigate-user.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index 8ae4bbb815..d1823bc880 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -1,7 +1,7 @@ --- title: Review and approve actions following automated investigations in the Microsoft Defender Security Center description: Review and approve (or reject) remediation actions following an automated investigation. -keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export +keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 0d82ce51ba..2fb891a0ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md 
@@ -20,13 +20,13 @@ ms.topic: conceptual # Manage endpoint detection and response capabilities -Manage the alerts queue, investigate machines in the machines list, take response actions, and hunt for possible threats in your organization using advanced hunting. +Manage the alerts queue, investigate devices in the devices list, take response actions, and hunt for possible threats in your organization using advanced hunting. ## In this section Topic | Description :---|:--- [Alerts queue](alerts-queue-endpoint-detection-response.md)| View the alerts surfaced in Microsoft Defender Security Center. -[Machines list](machines-view-overview.md) | Learn how you can view and manage the machines list, manage machine groups, and investigate machine related alerts. -[Take response actions](response-actions.md)| Take response actions on machines and files to quickly respond to detected attacks and contain threats. +[Devices list](machines-view-overview.md) | Learn how you can view and manage the devices list, manage device groups, and investigate device related alerts. +[Take response actions](response-actions.md)| Take response actions on devices and files to quickly respond to detected attacks and contain threats. [Query data using advanced hunting](advanced-hunting-query-language.md)| Proactively hunt for possible threats across your organization using a powerful search and query tool. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index 235ff31864..2350c4c54c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md 
@@ -28,7 +28,7 @@ ms.topic: article Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). -Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to. +Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the device group to apply it to. Currently supported sources are the cloud detection engine of Microsoft Defender ATP, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV). @@ -61,7 +61,7 @@ You can create an indicator for: ## Create indicators for files -You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. +You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. There are two ways you can create indicators for files: - By creating an indicator through the settings page 
@@ -72,7 +72,7 @@ It's important to understand the following prerequisites prior to creating indic - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. -- Supported on machines on Windows 10, version 1703 or later. +- Supported on devices on Windows 10, version 1703 or later. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. 
@@ -95,14 +95,14 @@ It's important to understand the following prerequisites prior to creating indic 4. Specify the following details: - Indicator - Specify the entity details and define the expiration of the indicator. - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the machine group according to your [user permissions](machine-groups.md). + - Scope - Define the scope of the device group according to your [user permissions](machine-groups.md). 5. Review the details in the Summary tab, then click **Save**. ### Create a contextual indicator from the file details page One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file. -When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. +When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue. 
@@ -111,13 +111,13 @@ Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, thr The threat intelligence data set for this has been managed by Microsoft. -By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others. +By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by device groups if you deem certain groups to be more or less at risk than others. ### Before you begin It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: - URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. -- Supported on machines on Windows 10, version 1709 or later. +- Supported on devices on Windows 10, version 1709 or later. - Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). @@ -144,7 +144,7 @@ It's important to understand the following prerequisites prior to creating indic 4. Specify the following details: - Indicator - Specify the entity details and define the expiration of the indicator. - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the machine group. + - Scope - Define the scope of the device group. 5. Review the details in the Summary tab, then click **Save**. 
@@ -162,7 +162,7 @@ It's important to understand the following requirements prior to creating indica - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. -- Supported on machines on Windows 10, version 1703 or later. +- Supported on devices on Windows 10, version 1703 or later. - The virus and threat protection definitions must be up-to-date. - This feature currently supports entering .CER or .PEM file extensions. @@ -185,7 +185,7 @@ It's important to understand the following requirements prior to creating indica 4. Specify the following details: - Indicator - Specify the entity details and define the expiration of the indicator. - Action - Specify the action to be taken and provide a description. - - Scope - Define the scope of the machine group. + - Scope - Define the scope of the device group. 5. Review the details in the Summary tab, then click **Save**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 2634614f1b..24695b7456 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md 
@@ -31,7 +31,7 @@ Acknowledging that customer environments and structures can vary, Microsoft Defe ## Endpoint onboarding and portal access -Machine onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client machines and Azure Security Center for server machines, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for machines management. +Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender ATP supports Group Policy and other third-party tools used for devices management. Microsoft Defender ATP provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams 
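Review bot: "third-party tools used for devices management" on the + line of the management-apis.md hunk (@@ -31,7) is ungrammatical after the rename; the term is singular, so the line should end "...other third-party tools used for device management." The - line had the same problem with "machines management", so this rename is the right moment to fix it.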
@@ -57,9 +57,9 @@ Microsoft Defender ATP offers a layered API model exposing data and capabilities Watch this video for a quick overview of Microsoft Defender ATP's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] -The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, machine, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md). +The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md). -The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate machines from the network, quarantine files, and others. +The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others. ## Raw data streaming API Microsoft Defender ATP raw data streaming API provides the ability for customers to ship real-time events and alerts from their instances as they occur within a single data stream, providing a low latency, high throughput delivery mechanism. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 5779992a72..7132b8b8a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -29,7 +29,7 @@ ms.topic: article To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. >[!NOTE] ->This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. +>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. > See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security. 
@@ -43,7 +43,7 @@ Once activated, Microsoft Defender ATP will immediately start forwarding discove ## View the data collected -To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate machines in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). +To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index 1dd8377db2..3871f3dc64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md 
@@ -28,7 +28,7 @@ ms.date: 10/18/2018 Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). >[!NOTE] ->This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10 version 1809 or later. ## Microsoft Defender ATP and Cloud App Security integration diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index b6eaffbafa..9f2bcb6ccd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md 
@@ -34,7 +34,7 @@ Microsoft Defender ATP uses the following combination of technology built into W collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. -- **Cloud security analytics**: Leveraging big-data, machine-learning, and +- **Cloud security analytics**: Leveraging big-data, device-learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md new file mode 100644 index 0000000000..b2b8409121 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md 
@@ -0,0 +1,100 @@ +--- +title: Microsoft Defender ATP for Android +ms.reviewer: +description: Describes how to install and use Microsoft Defender ATP for Android +keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: dansimp +author: dansimp +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Microsoft Defender Advanced Threat Protection for Android + +> [!IMPORTANT] +> **PUBLIC PREVIEW EDITION** +> +> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. +> +> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. +> +> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today. + +This topic describes how to install, configure, update, and use Microsoft Defender ATP for Android. + +> [!CAUTION] +> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Android is likely to cause performance problems and unpredictable system errors. + + + +## How to install Microsoft Defender ATP for Android + +### Prerequisites + +- **For end users** + + - Microsoft Defender ATP license assigned to the end user(s) of the app. 
+ + - Intune Company Portal app can be downloaded from [Google + Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) + and is available on the Android device. + + - Additionally, device(s) can be + [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal) + via the Intune Company Portal app to enforce Intune device compliance + policies. This requires the end user to be assigned a Microsoft Intune license. + + - For more information on how to assign licenses, see [Assign licenses to + users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign). + + +- **For Administrators** + + - Access to the Microsoft Defender Security Center portal. + + > [!NOTE] + > Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender ATP for Android. Currently only enrolled devices are supported for enforcing Microsoft Defender ATP for Android related device compliance policies in Intune. + + - Access [Microsoft Endpoint Manager admin + center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the + app to enrolled user groups in your organization. + +### System Requirements + +- Android devices running Android 6.0 and above. +- Intune Company Portal app is downloaded from [Google + Play](https://play.google.com/store/apps/details?id=com.microsoft.windowsintune.companyportal) + and installed. Device enrollment is required for Intune device compliance policies to be enforced. + +### Installation instructions + +Microsoft Defender ATP for Android supports installation on both modes of +enrolled devices - the legacy Device Administrator and Android Enterprise modes + +Deployment of Microsoft Defender ATP for Android is via Microsoft Intune (MDM). +For more information, see [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md). 
+ + +> [!NOTE] +> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes.
+> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.** + +## How to Configure Microsoft Defender ATP for Android + +Guidance on how to configure Microsoft Defender ATP for Android features is available in [Configure Microsoft Defender ATP for Android features](android-configure.md). + + + +## Related topics +- [Deploy Microsoft Defender ATP for with Microsoft Intune](android-intune.md) +- [Configure Microsoft Defender ATP for Android features](android-configure.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index edc161f217..385bdbecbb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -20,20 +20,7 @@ ms.topic: conceptual # Microsoft Defender ATP for Linux -> [!IMPORTANT] -> **PUBLIC PREVIEW EDITION** -> -> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability. -> -> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. -> -> If you have preview features turned on in the Microsoft Defender Security Center, you should be able to access the Linux onboarding page immediately. If you have not yet opted into previews, we encourage you to [turn on preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview) in the Microsoft Defender Security Center today. - -This topic describes how to install, configure, update, and use Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux. - -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4q3yP] - -

+This topic describes how to install, configure, update, and use Microsoft Defender ATP for Linux. > [!CAUTION] > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors. @@ -46,16 +33,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend - Beginner-level experience in Linux and BASH scripting - Administrative privileges on the device (in case of manual deployment) -### Known issues - -- Logged on users do not appear in the ATP portal. -- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer. -- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: - - ```bash - $ sudo SUSEConnect --status-text - ``` - ### Installation instructions There are several methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Linux. @@ -108,8 +85,6 @@ If you experience any installation failures, refer to [Troubleshooting installat - `vfat` - `xfs` - More file system types will be added in the future. - After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints. ### Network connections diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index fe71625482..5d2922bccc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md 
@@ -34,7 +34,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend > [!TIP] > If you have any feedback that you would like to share, submit it by opening Microsoft Defender ATP for Mac on your device and navigating to **Help** > **Send feedback**. -To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac machines), configure your macOS machine running Microsoft Defender ATP to be an "Insider" machine. See [Enable Microsoft Defender ATP Insider Machine](endpoint-detection-response-mac-preview.md). +To get the latest features, including preview capabilities (such as endpoint detection and response for your Mac devices), configure your macOS device running Microsoft Defender ATP to be an "Insider" device. See [Enable Microsoft Defender ATP Insider Device](endpoint-detection-response-mac-preview.md). ## How to install Microsoft Defender ATP for Mac @@ -105,7 +105,7 @@ The output from this command should be similar to the following: `OK https://cdn.x.cp.wd.microsoft.com/ping` > [!CAUTION] -> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client machines. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. +> We recommend that you keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) (SIP) enabled on client devices. SIP is a built-in macOS security feature that prevents low-level tampering with the OS, and is enabled by default. Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal: ```bash diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md index a2319405b5..e6acac214c 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md 
@@ -26,12 +26,12 @@ Microsoft Defender Security Center is the portal where you can access Microsoft Topic | Description :---|:--- Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal. -[Onboard machines](onboard-configure.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. +[Onboard devices](onboard-configure.md) | Learn about onboarding client, server, and non-Windows devices. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues. [Understand the portal](use.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal. -Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats. +Investigate and remediate threats | Investigate alerts, devices, and take response actions to remediate threats. API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Microsoft Defender Security Center. Reporting | Create and build Power BI reports using Microsoft Defender ATP data. -Check service health and sensor state | Verify that the service is running and check the sensor state on machines. +Check service health and sensor state | Verify that the service is running and check the sensor state on devices. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure general settings, turn on the preview experience, notifications, and enable other features. 
[Access the Microsoft Defender ATP Community Center](community.md) | Access the Microsoft Defender ATP Community Center to learn, collaborate, and share experiences about the product. [Troubleshoot service issues](troubleshoot-mdatp.md) | This section addresses issues that might arise as you use the Microsoft Defender Advanced Threat service. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index e75e2033d7..5e28935812 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md 
@@ -44,10 +44,10 @@ Microsoft Threat Experts provides proactive hunting for the most important threa - Scope of compromise and as much context as can be quickly delivered to enable fast SOC response. ## Collaborate with experts, on demand -Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised machines, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: +Customers can engage our security experts directly from within Microsoft Defender Security Center for timely and accurate response. Experts provide insights needed to better understand the complex threats affecting your organization, from alert inquiries, potentially compromised devices, root cause of a suspicious network connection, to additional threat intelligence regarding ongoing advanced persistent threat campaigns. With this capability, you can: - Get additional clarification on alerts including root cause or scope of the incident -- Gain clarity into suspicious machine behavior and next steps if faced with an advanced attacker +- Gain clarity into suspicious device behavior and next steps if faced with an advanced attacker - Determine risk and protection regarding threat actors, campaigns, or emerging attacker techniques - Seamlessly transition to Microsoft Incident Response (IR) or other third-party Incident Response services when necessary @@ -56,8 +56,8 @@ The option to **Consult a threat expert** is available in several places in the - **Help and support menu**
![Screenshot of MTE-EOD menu option](images/mte-eod-menu.png) -- **Machine page actions menu**
-![Screenshot of MTE-EOD machine page action menu option](images/mte-eod-machines.png) +- **Device page actions menu**
+![Screenshot of MTE-EOD device page action menu option](images/mte-eod-machines.png) - **Alerts page actions menu**
![Screenshot of MTE-EOD alert page action menu option](images/mte-eod-alerts.png) @@ -66,10 +66,12 @@ The option to **Consult a threat expert** is available in several places in the ![Screenshot of MTE-EOD file page action menu option](images/mte-eod-file.png) > [!NOTE] -> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. Watch this video for a quick overview of the Microsoft Services Hub. -
+> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. + +Watch this video for a quick overview of the Microsoft Services Hub. + >[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f] -
+ ## Related topic - [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 8923860ea6..0040889daa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -1,6 +1,6 @@ --- title: Minimum requirements for Microsoft Defender ATP -description: Understand the licensing requirements and requirements for onboarding machines to the service +description: Understand the licensing requirements and requirements for onboarding devices to the service keywords: minimum requirements, licensing, comparison table search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -22,7 +22,7 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -There are some minimum requirements for onboarding machines to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. +There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. > Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-minreqs-abovefoldlink). 
@@ -87,9 +87,9 @@ Access to Microsoft Defender ATP is done through a browser, supporting the follo - Windows Server, version 1803 or later - Windows Server 2019 -Machines on your network must be running one of these editions. +Devices on your network must be running one of these editions. -The hardware requirements for Microsoft Defender ATP on machines is the same as those for the supported editions. +The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions. > [!NOTE] > Machines running mobile versions of Windows are not supported. @@ -122,12 +122,12 @@ When you run the onboarding wizard for the first time, you must choose where you > [!NOTE] > Microsoft Defender ATP doesn't require any specific diagnostic level as long as it's enabled. -You must ensure that the diagnostic data service is enabled on all the machines in your organization. +You must ensure that the diagnostic data service is enabled on all the devices in your organization. By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. **Use the command line to check the Windows 10 diagnostic data service startup type**: -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the device: a. Go to **Start** and type **cmd**. 
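Review bot: In minimum-requirements.md, hunk @@ -87, the NOTE context line `> Machines running mobile versions of Windows are not supported.` still says "Machines" while the two sentences just above it are changed to "devices"; rename it in the same pass so the section uses one term. The edited line `+The hardware requirements for Microsoft Defender ATP on devices is the same as those for the supported editions.` also keeps a subject-verb mismatch; since the line is being touched anyway, make it "The hardware requirements for Microsoft Defender ATP on devices are the same as those for the supported editions."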
@@ -168,21 +168,21 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the #### Internet connectivity -Internet connectivity on machines is required either directly or through proxy. +Internet connectivity on devices is required either directly or through proxy. The Microsoft Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Microsoft Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. -For more information on additional proxy configuration settings, see [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md). +For more information on additional proxy configuration settings, see [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md). -Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. +Before you onboard devices, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. ## Microsoft Defender Antivirus configuration requirement The Microsoft Defender ATP agent depends on the ability of Microsoft Defender Antivirus to scan files and provide information about them. -You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). +You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. 
For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). -When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, machines that are onboarded to Microsoft Defender ATP must be excluded from this group policy. +When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode. If your organization has disabled Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded to Microsoft Defender ATP must be excluded from this group policy. If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). 
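Review bot: In minimum-requirements.md, hunk @@ -168, the edited line `+When Microsoft Defender Antivirus is not the active antimalware in your organization and you use the Microsoft Defender ATP service, Microsoft Defender Antivirus goes on passive mode.` keeps the awkward "goes on passive mode"; while the line is being rewritten, change it to "goes into passive mode" (the following paragraph's "configure it to run on passive mode" would read better as "run in passive mode" for the same reason).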
@@ -193,11 +193,11 @@ If you are onboarding servers and Microsoft Defender Antivirus is not the active For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled -If you're running Microsoft Defender Antivirus as the primary antimalware product on your machines, the Microsoft Defender ATP agent will successfully onboard. +If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Microsoft Defender ATP agent will successfully onboard. If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). ## Related topics - [Validate licensing and complete setup](licensing.md) -- [Onboard machines](onboard-configure.md) +- [Onboard devices](onboard-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index 5f38878dec..b51e526c2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md 
@@ -1,7 +1,7 @@ --- title: Threat & Vulnerability Management description: This new capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, windows defender atp, microsoft defender atp, endpoint vulnerabilities, next generation +keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -42,7 +42,7 @@ It is the first solution in the industry to bridge the gap between security admi It provides the following solutions to frequently-cited gaps across security operations, security administration, and IT administration workflows and communication. - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Linked machine vulnerability and security configuration assessment data in the context of exposure discovery +- Linked device vulnerability and security configuration assessment data in the context of exposure discovery - Built-in remediation processes through Microsoft Intune and Configuration Manager ### Real-time discovery 
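Review bot: In next-gen-threat-and-vuln-mgt.md, hunk @@ -1, the keywords line now lists the same value twice (`..., secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, ...`) because "windows defender atp" was replaced with a keyword that was already present; drop the duplicate rather than leaving it in the metadata.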
@@ -60,7 +60,7 @@ Threat & Vulnerability Management helps customers prioritize and focus on those - Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, Threat & Vulnerability Management dynamically aligns the prioritization of its security recommendations to focus on vulnerabilities that are currently being exploited in the wild and emerging threats that pose the highest risk. - Pinpointing active breaches. Microsoft Defender ATP correlates Threat & Vulnerability Management and EDR insights to provide the unique ability to prioritize vulnerabilities that are currently being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed machines with business-critical applications, confidential data, or high-value users. +- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows Threat & Vulnerability Management to identify the exposed devices with business-critical applications, confidential data, or high-value users. ### Seamless remediation 
@@ -72,13 +72,13 @@ Microsoft Defender ATP's Threat & Vulnerability Management allows security admin ## Before you begin -Ensure that your machines: +Ensure that your devices: - Are onboarded to Microsoft Defender Advanced Threat Protection - Run with Windows 10 1709 (Fall Creators Update) or later >[!NOTE] ->Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. +>Threat & Vulnerability Management can also scan devices that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. - Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: @@ -90,7 +90,7 @@ Ensure that your machines: > Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) - Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version. -- Have at least one security recommendation that can be viewed in the machine page +- Have at least one security recommendation that can be viewed in the device page - Are tagged or marked as co-managed ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 30538a9a58..2c94a9c19e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md 
@@ -1,6 +1,6 @@ --- title: Offboard machine API -description: Use this API to offboard a machine from WDATP. +description: Use this API to offboard a device from WDATP. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article ## API description -Offboard machine from Microsoft Defender ATP. +Offboard device from Microsoft Defender ATP. ## Limitations @@ -48,7 +48,7 @@ Delegated (work or school account) | Machine.Offboard | 'Offboard machine' >[!Note] > When obtaining a token using user credentials: >- The user needs to 'Global Admin' AD role ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 5fee273e29..65e82f7f8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md 
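Review bot: In offboard-machine-api.md, hunks @@ -1, @@ -24 and @@ -48, the prose is switched to "device" while the title `Offboard machine API`, the permission row `Delegated (work or school account) | Machine.Offboard | 'Offboard machine'` and the linked file `machine-groups.md` keep the API's "machine" naming; pick one convention for this reference page, either leaving "machine" because the permission and endpoint names are literal identifiers, or renaming the prose and stating that the identifiers are unchanged, so readers can match the text to what they actually call. The context line `>- The user needs to 'Global Admin' AD role` is also missing its verb; since the adjacent bullet is being edited, fix it to "The user needs to have the 'Global Admin' AD role".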
@@ -1,7 +1,7 @@ --- -title: Offboard machines from the Microsoft Defender ATP service -description: Onboard Windows 10 machines, servers, non-Windows machines from the Microsoft Defender ATP service -keywords: offboarding, windows defender advanced threat protection offboarding, windows atp offboarding +title: Offboard devices from the Microsoft Defender ATP service +description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender ATP service +keywords: offboarding, microsoft defender advanced threat protection offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Offboard machines from the Microsoft Defender ATP service +# Offboard devices from the Microsoft Defender ATP service **Applies to:** - macOS 
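Review bot: In offboard-machines.md, hunk @@ -1, the rewritten metadata line `+description: Onboard Windows 10 devices, servers, non-Windows devices from the Microsoft Defender ATP service` still says "Onboard" on a page whose title in the same hunk is "Offboard devices from the Microsoft Defender ATP service"; change it to "Offboard" while the line is being rewritten.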
@@ -27,17 +27,17 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboardmachines-abovefoldlink) +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink) Follow the corresponding instructions depending on your preferred deployment method. -## Offboard Windows 10 machines -- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) -- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) -- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) +## Offboard Windows 10 devices +- [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script) +- [Offboard devices using Group Policy](configure-endpoints-gp.md#offboard-devices-using-group-policy) +- [Offboard devices using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools) ## Offboard Servers - [Offboard servers](configure-server-endpoints.md#offboard-servers) -## Offboard non-Windows machines -- [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines) +## Offboard non-Windows devices +- [Offboard non-Windows devices](configure-endpoints-non-windows.md#offboard-non-windows-devices) 
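Review bot: In offboard-machines.md, hunk @@ -27, the bullet links are changed to renamed anchors (`configure-endpoints-script.md#offboard-devices-using-a-local-script`, `configure-endpoints-gp.md#offboard-devices-using-group-policy`, `configure-endpoints-mdm.md#offboard-and-monitor-devices-using-mobile-device-management-tools`, `configure-endpoints-non-windows.md#offboard-non-windows-devices`), but none of those target headings appear in this diff; confirm the headings in the target pages are renamed in the same change, otherwise the fragment links silently stop landing on the offboarding sections. The tracking parameter in the trial link also changes from `ocid=docs-wdatp-offboardmachines-abovefoldlink` to `ocid=docs-wdatp-offboarddevices-abovefoldlink`; ocid values are analytics identifiers rather than free text, so check that the new value is intended.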
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 68bfb931a3..23072e7fd3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -1,7 +1,7 @@ --- -title: Onboard machines to the Microsoft Defender ATP service -description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test. -keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test +title: Onboard devices to the Microsoft Defender ATP service +description: Onboard Windows 10 devices, servers, non-Windows devices and learn how to run a detection test. +keywords: onboarding, microsoft defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Onboard machines to the Microsoft Defender ATP service +# Onboard devices to the Microsoft Defender ATP service **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) 
@@ -40,11 +40,11 @@ In general, to onboard devices to the service: ## In this section Topic | Description :---|:--- -[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 machines to Microsoft Defender ATP. -[Onboard Windows 10 machines](configure-endpoints.md) | You'll need to onboard machines for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise. +[Onboard previous versions of Windows](onboard-downlevel.md)| Onboard Windows 7 and Windows 8.1 devices to Microsoft Defender ATP. +[Onboard Windows 10 devices](configure-endpoints.md) | You'll need to onboard devices for it to report to the Microsoft Defender ATP service. Learn about the tools and methods you can use to configure devices in your enterprise. [Onboard servers](configure-server-endpoints.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Microsoft Defender ATP -[Onboard non-Windows machines](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data. -[Run a detection test on a newly onboarded machine](run-detection-test.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. +[Onboard non-Windows devices](configure-endpoints-non-windows.md) | Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. 
This experience leverages on a third-party security products' sensor data. +[Run a detection test on a newly onboarded device](run-detection-test.md) | Run a script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service. [Configure proxy and Internet settings](configure-proxy-internet.md)| Enable communication with the Microsoft Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding.md) | Learn about resolving issues that might arise during onboarding. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 8e7680a3be..3ad2b3c9db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -1,6 +1,6 @@ --- title: Onboard previous versions of Windows on Microsoft Defender ATP -description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor +description: Onboard supported previous versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh search.appverid: met150 
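Review bot: In onboard-configure.md, hunk @@ -40, the rewritten `[Onboard non-Windows devices](configure-endpoints-non-windows.md)` row keeps the pre-existing phrase `This experience leverages on a third-party security products' sensor data.`; since the row is being edited, make it "This experience leverages third-party security products' sensor data." The `[Onboard servers](configure-server-endpoints.md)` row is also the only one in the table without a closing period.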
@@ -40,7 +40,7 @@ To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below. > [!TIP] -> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). ## Configure and update System Center Endpoint Protection clients > [!IMPORTANT] @@ -77,7 +77,7 @@ Review the following details to verify minimum system requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). 2. Obtain the workspace ID: - - In the Microsoft Defender ATP navigation pane, select **Settings > Machine management > Onboarding** + - In the Microsoft Defender ATP navigation pane, select **Settings > Device management > Onboarding** - Select **Windows 7 SP1 and 8.1** as the operating system - Copy the workspace ID and workspace key diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index 63c3c0eb23..ca0ae8b595 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md 
@@ -1,7 +1,7 @@ --- -title: Onboard machines without Internet access to Microsoft Defender ATP +title: Onboard devices without Internet access to Microsoft Defender ATP ms.reviewer: -description: Onboard machines without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor +description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -18,19 +18,19 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard machines without Internet access to Microsoft Defender ATP +# Onboard devices without Internet access to Microsoft Defender ATP **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -To onboard machines without Internet access, you'll need to take the following general steps: +To onboard devices without Internet access, you'll need to take the following general steps: > [!IMPORTANT] -> The steps below are applicable only to machines running previous versions of Windows such as: +> The steps below are applicable only to devices running previous versions of Windows such as: Windows Server 2016 and earlier or Windows 8.1 and earlier. > [!NOTE] -> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 machines when configured via 'TelemetryProxyServer' registry or GPO. +> - An OMS gateway server cannot be used as proxy for disconnected Windows 10 or Windows Server 2019 devices when configured via 'TelemetryProxyServer' registry or GPO. > - For Windows 10 or Windows Server 2019 - while you may use TelemetryProxyServer, it must point to a standard proxy device or appliance. > - In addition, Windows 10 or Windows Server 2019 in disconnected environments must be able to update Certificate Trust Lists offline via an internal file or web server. > - For more information about updating CTLs offline, see [Configure a file or web server to download the CTL files](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn265983(v=ws.11)#configure-a-file-or-web-server-to-download-the-ctl-files). 
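Review bot: In onboard-offline-machines.md, hunk @@ -18, the IMPORTANT callout is broken across two lines: `> The steps below are applicable only to devices running previous versions of Windows such as:` is quoted, but its continuation `Windows Server 2016 and earlier or Windows 8.1 and earlier.` is not prefixed with `>`, so it renders as a separate paragraph outside the callout. Prefix the continuation with `> ` while this hunk is being touched.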
@@ -38,15 +38,15 @@ Windows Server 2016 and earlier or Windows 8.1 and earlier. For more information about onboarding methods, see the following articles: - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel) - [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) -- [Configure machine proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy) +- [Configure device proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy) -## On-premises machines +## On-premise devices - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID -- Offline machines in the same network of Azure Log Analytics +- Offline devices in the same network of Azure Log Analytics - Configure MMA to point to: - Azure Log Analytics IP as a proxy - Microsoft Defender ATP workspace key & ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md index e403692a49..3c3850da7f 100644 
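Review bot: In onboard-offline-machines.md, hunk @@ -38, the heading change `-## On-premises machines` / `+## On-premise devices` introduces a spelling regression: "on-premises" is the correct form and is what the original had, so the new heading should be `## On-premises devices`. In the same hunk, `+- Offline devices in the same network of Azure Log Analytics` reads better as "in the same network as Azure Log Analytics", and the context line `Setup Azure Log Analytics (formerly known as OMS Gateway)` should read "Set up".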
--- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md @@ -45,14 +45,14 @@ You'll need to have access to: ![Image of the notification flow](images/build-flow.png) -4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center machine(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). +4. Select the + button to add a new action. The new action will be an HTTP request to the Microsoft Defender ATP security center device(s) API. You can also replace it with the out-of-the-box "WDATP Connector" (action: "Machines - Get list of machines"). ![Image of recurrence and add action](images/recurrence-add.png) 5. Enter the following HTTP fields: - - Method: "GET" as a value to get the list of machines. + - Method: "GET" as a value to get the list of devices. - URI: Enter `https://api.securitycenter.windows.com/api/machines`. - Authentication: Select "Active Directory OAuth". - Tenant: Sign-in to https://portal.azure.com and navigate to **Azure Active Directory > App Registrations** and get the Tenant ID value. 
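Review bot: In onboarding-notification.md, hunk @@ -45, rewording step 4 to `an HTTP request to the Microsoft Defender ATP security center device(s) API` is misleading, because the same step's URI is `https://api.securitycenter.windows.com/api/machines` and the connector action quoted on the same line is `"Machines - Get list of machines"`: the API and the connector still use "machines". Keep "machine(s) API" here, or say "the device list (machines) API", so the name in the prose matches the endpoint and action the reader has to configure.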
@@ -159,9 +159,9 @@ You'll need to have access to: ``` -10. Extract the values from the JSON call and check if the onboarded machine(s) is / are already registered at the SharePoint list as an example: +10. Extract the values from the JSON call and check if the onboarded device(s) is / are already registered at the SharePoint list as an example: - If yes, no notification will be triggered -- If no, will register the new onboarded machine(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin +- If no, will register the new onboarded device(s) in the SharePoint list and a notification will be sent to the Microsoft Defender ATP admin ![Image of apply to each](images/flow-apply.png) @@ -184,16 +184,16 @@ The following image is an example of an email notification. - You can filter here using lastSeen only: - Every 60 min: - - Take all machines last seen in the past 7 days. + - Take all devices last seen in the past 7 days. -- For each machine: +- For each device: - If last seen property is on the one hour interval of [-7 days, -7days + 60 minutes ] -> Alert for offboarding possibility. - If first seen is on the past hour -> Alert for onboarding. In this solution you will not have duplicate alerts: -There are tenants that have numerous machines. Getting all those machines might be very expensive and might require paging. +There are tenants that have numerous devices. Getting all those devices might be very expensive and might require paging. You can split it to two queries: 1. For offboarding take only this interval using the OData $filter and only notify if the conditions are met. -2. Take all machines last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too). +2. Take all devices last seen in the past hour and check first seen property for them (if the first seen property is on the past hour, the last seen must be there too). 
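Review bot: In onboarding-notification.md, hunk @@ -184, the context line `You can split it to two queries:` should read "You can split it into two queries:"; since the numbered items directly under it are being edited, fix it in the same hunk. The interval `[-7 days, -7days + 60 minutes ]` in the same region also has inconsistent spacing and would be clearer as `[-7 days, -7 days + 60 minutes]`.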
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 15f9de0423..c73e519c52 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -142,30 +142,28 @@ Manager and deploy that policy to Windows 10 devices. 9. Navigate to the location of the downloaded file from step 4 above. - ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png) - 10. Click **Next**. 11. Configure the Agent with the appropriate samples (**None** or **All file types**). - ![Image of configuration settings](images/1b9f85316170cfe24b46330afa8517d5.png) + ![Image of configuration settings](images/configmgr-config-settings.png) 12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. - ![Image of configuration settings](images/13201b477bc9a9ae0020814915fe80cc.png) + ![Image of configuration settings](images/configmgr-telemetry.png) 14. Verify the configuration, then click **Next**. - ![Image of configuration settings](images/adc17988b0984ca2aa3ff8f41ddacaf9.png) + ![Image of configuration settings](images/configmgr-verify-configuration.png) 15. Click **Close** when the Wizard completes. 16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. - ![Image of configuration settings](images/4a37f3687e6ff53a593d3670b1dad3aa.png) + ![Image of configuration settings](images/configmgr-deploy.png) 17. On the right panel, select the previously created collection and click **OK**. - ![Image of configuration settings](images/26efa2711bca78f6b6d73712f86b5bd9.png) + ![Image of configuration settings](images/configmgr-select-collection.png) ### Previous versions of Windows Client (Windows 7 and Windows 8.1) 
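Review bot: In onboarding.md, hunk @@ -142, the numbered list still jumps from `12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.` to `14. Verify the configuration, then click **Next**.` with no step 13; since the screenshots in this range are being renamed, renumber 14 through 17 to 13 through 16 in the same pass. Also note that the hunk removes the screenshot under step 9 and keeps the identical one under step 11 (both were `1b9f85316170cfe24b46330afa8517d5.png`, now `configmgr-config-settings.png`); confirm the one removed was the misplaced copy rather than the one step 9 needs.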
@@ -175,10 +173,10 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W 2. Under operating system choose **Windows 7 SP1 and 8.1**. - ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png) - 3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. + ![Image of onboarding](images/91b738e4b97c4272fd6d438d8c2d5269.png) + 4. Install the Microsoft Monitoring Agent (MMA).
MMA is currently (as of January 2019) supported on the following Windows Operating Systems: @@ -261,7 +259,7 @@ needs on how Antivirus is configured. 4. Target the new antimalware policy to your Windows 10 collection and click **OK**. - ![Image of next generation protection pane](images/26efa2711bca78f6b6d73712f86b5bd9.png) + ![Image of next generation protection pane](images/configmgr-select-collection.png) After completing this task, you now have successfully configured Windows Defender Antivirus. @@ -315,13 +313,11 @@ endpoints. (This may take few minutes) 2. Select **Configuration management** from left side menu. - ![A screenshot of a cell phone Description automatically generated](images/653db482c7ccaf31d06f29fb2aa24b7a.png) - 3. Click **Go to attack surface management** in the Attack surface management panel. - ![Image of attack surface management](images/3a01c7970ce3ec977a35883c0a01f0a2.png) + ![Image of attack surface management](images/security-center-attack-surface-mgnt-tile.png) -4. Click **Configuration** tab in Attack Surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. +4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices. ![A screenshot of attack surface reduction rules reports](images/f91f406e6e0aae197a947d3b0e8b2d0d.png) 
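Review bot: in step 4 of the @@ -315 hunk, `It shows ASR rules configuration overview and ASR rules status on each devices.` should read `on each device`; the line is already edited for the `Attack surface reduction` capitalisation, so fix both at once. In the @@ -175 hunk, step 3 (`Copy the **Workspace ID** and **Workspace Key** and save them.`) now sits directly above the moved screenshot; the Workspace Key is a shared secret that lets anything holding it send data into that workspace, so the step should tell the reader to keep it somewhere access-controlled rather than just `save them`, and the `as of January 2019` qualifier on the MMA support list is stale and should be re-dated or dropped. The `images/configmgr-select-collection.png` reference in the @@ -261 hunk relies on the same renamed file as onboarding step 17, so it breaks together with that one if the file is missing.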
@@ -336,7 +332,7 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros ### To set Network Protection rules in Audit mode: 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - ![A screenshot System Center Confirugatiom Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) + ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) 2. Select **Network protection**. @@ -391,5 +387,5 @@ Protection in audit mode. ![A screenshot of Microsoft Endpoint Configuration Manager ](images/0ccfe3e803be4b56c668b220b51da7f7.png) -After completing this task, you now have successfully configured Controlled folder access in audit mode. +You have now successfully configured Controlled folder access in audit mode. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index e949cd7986..820cf2766f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md 
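Review bot: the alt text `![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png)` only gets its spelling fixed in the @@ -336 hunk; it is still missing `of`, and the step it illustrates says `Microsoft Endpoint Configuration Manager`, so use `![A screenshot of Microsoft Endpoint Configuration Manager](...)` to match the other alt texts in this file. The rewording to `You have now successfully configured Controlled folder access in audit mode.` in the @@ -391 hunk is fine.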
@@ -38,7 +38,7 @@ Article | Description [Application control](../windows-defender-application-control/windows-defender-application-control.md) | Use application control so that your applications must earn trust in order to run. [Exploit protection](./exploit-protection.md) | Help protect operating systems and apps your organization uses from being exploited. Exploit protection also works with third-party antivirus solutions. [Network protection](./network-protection.md) | Extend protection to your network traffic and connectivity on your organization's devices. (Requires Microsoft Defender Antivirus) -[Web protection](./web-protection-overview.md) | Secure your machines against web threats and help you regulate unwanted content. +[Web protection](./web-protection-overview.md) | Secure your devices against web threats and help you regulate unwanted content. [Controlled folder access](./controlled-folders.md) | Help prevent malicious or suspicious apps (including file-encrypting ransomware malware) from making changes to files in your key system folders (Requires Microsoft Defender Antivirus) [Network firewall](../windows-firewall/windows-firewall-with-advanced-security.md) | Prevent unauthorized traffic from flowing to or from your organization's devices with two-way network traffic filtering. [Attack surface reduction FAQ](./attack-surface-reduction-faq.md) | Frequently asked questions about Attack surface reduction rules, licensing, and more. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 470e593502..c98c0a6c38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md 
@@ -23,13 +23,13 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured machines. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. +With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. This is made possible by customizable detection rules that automatically trigger alerts as well as response actions. Custom detections work with [Advanced hunting](advanced-hunting-overview.md), which provides a powerful, flexible query language that covers a broad set of event and system information from your network. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Custom detections provide: - Alerts for rule-based detections built from advanced hunting queries -- Automatic response actions that apply to files and machines +- Automatic response actions that apply to files and devices >[!NOTE] >To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 0d13fe8b36..ed39a6eb0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md 
@@ -39,5 +39,5 @@ The response capabilities give you the power to promptly remediate threats by ac - [Security operations dashboard](security-operations-dashboard.md) - [Incidents queue](view-incidents-queue.md) - [Alerts queue](alerts-queue.md) -- [Machines list](machines-view-overview.md) +- [Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index 8dea2272e6..ee58dab8f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -38,7 +38,7 @@ Microsoft Defender ATP supports SIEM integration through a variety of methods - Ticketing solution integration helps to implement manual and automatic response processes. Microsoft Defender ATP can help to create tickets automatically when an alert is generated and resolve the alerts when tickets are closed using the alerts API. ## Security orchestration and automation response (SOAR) integration -Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. ## External alert correlation and Automated investigation and remediation Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. 
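Review bot: `- [Devices list](machines-view-overview.md)` changes the link text but keeps the old target path; confirm that `machines-view-overview.md` is not renamed elsewhere in this change, otherwise the link breaks. The partner-applications.md sentence `such as query for device data, trigger device isolation, block/allow, resolve alert and others` reads fine after the rename.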
diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md index f9914b49c5..188a26d5b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md @@ -42,7 +42,7 @@ Microsoft Defender ATP adds support for this scenario in the following forms: - Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert. ## Scenario 2: Security orchestration and automation response (SOAR) integration -Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger machine isolation, block/allow, resolve alert and others. +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. ## Scenario 3: Indicators matching Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index 96e8c08aa9..aae2efc200 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Advanced Threat Protection portal overview description: Microsoft Defender Security Center can monitor your enterprise network and assist in responding to potential advanced persistent threats (APT) or data breaches. -keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks +keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, devices list, settings, device management, advanced attacks search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -42,27 +42,27 @@ When you open the portal, you'll see: ![Microsoft Defender Advanced Threat Protection portal](images/mdatp-portal-overview.png) > [!NOTE] -> Malware related detections will only appear if your machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product. +> Malware related detections will only appear if your devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section. Area | Description :---|:--- -**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Machines list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it. -**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, machines at risk, users at risk, machines with sensor issues, service health, detection sources, and daily machines reporting dashboards. +**(1) Navigation pane** | Use the navigation pane to move between **Dashboards**, **Incidents**, **Devices list**, **Alerts queue**, **Automated investigations**, **Advanced hunting**, **Reports**, **Partners & APIs**, **Threat & Vulnerability Management**, **Evaluation and tutorials**, **Service health**, **Configuration management**, and **Settings**. Select the horizontal lines at the top of the navigation pane to show or hide it. 
+**Dashboards** | Access the active automated investigations, active alerts, automated investigations statistics, devices at risk, users at risk, devices with sensor issues, service health, detection sources, and daily devices reporting dashboards. **Incidents** | View alerts that have been aggregated as incidents. -**Machines list** | Displays the list of machines that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels. -**Alerts queue** | View alerts generated from machines in your organizations. +**Devices list** | Displays the list of devices that are onboarded to Microsoft Defender ATP, some information about them, and their exposure and risk levels. +**Alerts queue** | View alerts generated from devices in your organizations. **Automated investigations** | Displays automated investigations that have been conducted in the network, triggering alert, the status of each investigation and other details such as when the investigation started and the duration of the investigation. **Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool. -**Reports** | View graphs detailing threat protection, machine health and compliance, web protection, and vulnerability. +**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability. **Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings. -**Threat & Vulnerability management** | View your configuration score, exposure score, exposed machines, vulnerable software, and take action on top security recommendations. -**Evaluation and tutorials** | Manage test machines, attack simulations, and reports. 
Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment. +**Threat & Vulnerability management** | View your configuration score, exposure score, exposed devices, vulnerable software, and take action on top security recommendations. +**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment. **Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. -**Configuration management** | Displays on-boarded machines, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your machines. -**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, machine management, IT service management, and network assessments. -**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by machine, file, user, URL, IP, vulnerability, software, and recommendation.

**Community center** - Access the Community center to learn, collaborate, and share experiences about the product.

**Localization** - Set time zones.

**Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.

**Feedback** - Provide comments about what you like or what we can do better. +**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices. +**Settings** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set other configuration settings such as permissions, APIs, rules, device management, IT service management, and network assessments. +**(2) Search, Community center, Localization, Help and support, Feedback** | **Search** - search by device, file, user, URL, IP, vulnerability, software, and recommendation.

**Community center** - Access the Community center to learn, collaborate, and share experiences about the product.

**Localization** - Set time zones.

**Help and support** - Access the Microsoft Defender ATP guide, Microsoft and Microsoft Premier support, license information, simulations & tutorials, Microsoft Defender ATP evaluation lab, consult a threat expert.

**Feedback** - Provide comments about what you like or what we can do better. > [!NOTE] > For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions. @@ -77,10 +77,10 @@ Icon | Description ![Alert icon](images/alert-icon.png)| Alert – Indication of an activity correlated with advanced attacks. ![Detection icon](images/detection-icon.png)| Detection – Indication of a malware threat detection. ![Active threat icon](images/active-threat-icon.png)| Active threat – Threats actively executing at the time of detection. -![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the machine. -![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the machine. +![Remediated icon](images/remediated-icon.png)| Remediated – Threat removed from the device. +![Not remediated icon](images/not-remediated-icon.png)| Not remediated – Threat not removed from the device. ![Thunderbolt icon](images/atp-thunderbolt-icon.png)| Indicates events that triggered an alert in the **Alert process tree**. -![Machine icon](images/atp-machine-icon.png)| Machine icon +![Device icon](images/atp-machine-icon.png)| Device icon ![Microsoft Defender AV events icon](images/atp-windows-defender-av-events-icon.png)| Microsoft Defender Antivirus events ![Application Guard events icon](images/atp-Application-Guard-events-icon.png)| Windows Defender Application Guard events ![Device Guard events icon](images/atp-Device-Guard-events-icon.png)| Windows Defender Device Guard events diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md index 2119a0e8da..dd83d08373 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md @@ -30,7 +30,7 @@ ms.topic: article > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) -Understand the security status of your organization, including the status of machines, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. +Understand the security status of your organization, including the status of devices, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI. Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph. @@ -74,7 +74,7 @@ Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing ![Image of importing data](images/atp-powerbi-importing.png) >[!NOTE] - >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load. + >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load. When importing data is completed and the dataset is ready, you’ll the following notification: 
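Review bot: the context line immediately after the edited note in the @@ -74 hunk, `When importing data is completed and the dataset is ready, you’ll the following notification:`, is missing `see` (`you’ll see the following notification:`); fix it while the adjacent lines are being touched.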
@@ -117,7 +117,7 @@ For more information, see [Create a Power BI dashboard from a report](https://po ![Image of importing data](images/atp-powerbi-importing.png) >[!NOTE] - >Depending on the number of onboarded machines, loading your data in the Power BI service can take several minutes. A larger number of machines might take longer to load. + >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load. When importing data is completed and the dataset is ready, you’ll the following notification: @@ -197,11 +197,11 @@ You can use Power BI Desktop to analyze data from Microsoft Defender ATP and mas ## Using the Power BI reports There are a couple of tabs on the report that's generated: -- Machine and alerts +- Device and alerts - Investigation results and action center - Secure Score -In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention. +In general, if you know of a specific threat name, CVE, or KB, you can identify devices with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether device-level mitigations are configured correctly on the devices and prioritize those that might need attention. ## Related topic diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index 2eede71088..586639ebc5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md 
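Review bot: `- Device and alerts` in the @@ -197 hunk is the name of a tab in the generated Power BI report, i.e. a UI label rather than descriptive prose; unless the report template's tab was renamed as well, the doc should keep the label the reader actually sees (`Machine and alerts`), or lower-case it as `the device and alerts tab` so it is not read as a literal name. The @@ -117 context line `you’ll the following notification:` is also missing `see`.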
@@ -31,7 +31,7 @@ Use the **Settings** menu to modify general settings, advanced features, enable Topic | Description :---|:--- General settings | Modify your general settings that were previously defined as part of the onboarding process. -Permissions | Manage portal access using RBAC as well as machine groups. +Permissions | Manage portal access using RBAC as well as device groups. APIs | Enable the threat intel and SIEM integration. Rules | Configure suppressions rules and automation settings. -Machine management | Onboard and offboard machines. +Device management | Onboard and offboard devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index 343d68bc0f..e1d07ae2e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -135,7 +135,7 @@ Microsoft Defender ATP supports two ways to manage permissions: - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user - groups access to machine groups. For more information. see [Manage portal access using role-based access control](rbac.md). + groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md). Microsoft recommends leveraging RBAC to ensure that only users that have a business justification can access Microsoft Defender ATP. 
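Review bot: the edited line in the prepare-deployment.md @@ -135 hunk keeps the punctuation error `groups access to device groups. For more information. see [Manage portal access using role-based access control](rbac.md).`; the period after `information` should be a comma. The preferences-setup.md row `Device management | Onboard and offboard devices.` is fine provided the Settings menu entry in the portal is also labelled Device management, since the first column of that table lists menu labels.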
@@ -150,7 +150,7 @@ structure required for your environment. | Tier | Description | Permission Required | |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| | Tier 1 | **Local security operations team / IT team**
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | | -| Tier 2 | **Regional security operations team**
This team can see all the machines for their region and perform remediation actions. | View data | +| Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions. | View data | | Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal. | View data
Alerts investigation Active remediation actions
Alerts investigation Active remediation actions
Manage portal system settings
Manage security settings | @@ -171,7 +171,7 @@ how the endpoint security suite should be enabled. | Component | Description | Adoption Order Rank | |-----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| | Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | -|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable machine vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | +|Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
- Invaluable device vulnerability context during incident investigations
- Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
[Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | | Next Generation Protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
-Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
- Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
[Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | | Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | | Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
[Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 06b2eb8dec..e5b9d33761 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -36,7 +36,7 @@ For more information on new capabilities that are generally available, see [What ## Turn on preview features -You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available. +You'll have access to upcoming features that you can provide feedback on to help improve the overall experience before features are generally available. Turn on the preview experience setting to be among the first to try upcoming features. @@ -47,6 +47,7 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: +- [Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
Microsoft Defender ATP now adds support for Android. Learn how to install, configure, and use Microsoft Defender ATP for Android. - [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates. @@ -54,11 +55,11 @@ The following features are included in the preview release: - [Threat & Vulnerability supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
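Review bot: the bullet added in the preview.md `@@ -47,6 +47,7` hunk links to `microsoft-defender-atp-android.md`, but no file by that name is added in the visible part of this change; confirm the target page exists in the same directory before merging, otherwise the new entry becomes a broken link in the preview features list.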
Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.

Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. -- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your machine to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. +- [Threat & Vulnerability Management granular exploit details](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses)
You can now see a comprehensive set of details on the vulnerabilities found in your device to give you informed decision on your next steps. The threat insights icon now shows more granular details, such as if the exploit is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has associated zero-day exploitation news, disclosures, or related security advisories. - [Threat & Vulnerability Management Report inaccuracy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy)
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation#report-inaccuracy), [software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory#report-inaccuracy), and [discovered vulnerabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses#report-inaccuracy). -- [Machine health and compliance report](machine-reports.md)
The machine health and compliance report provides high-level information about the devices in your organization. +- [Device health and compliance report](machine-reports.md)
The device health and compliance report provides high-level information about the devices in your organization. - [Information protection](information-protection-in-windows-overview.md)
Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. Microsoft Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. @@ -66,12 +67,12 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr >[!NOTE] >Partially available from Windows 10, version 1809. -- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
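Review bot: the rewritten `+` line in the preview.md `@@ -54,11 +55,11` hunk keeps two grammar problems from the old line: "to give you informed decision on your next steps" should read "to give you an informed decision on your next steps", and "activity groups for which, Threat Analytics report links are provided that you can read" needs the comma moved ("activity groups, for which Threat Analytics report links are provided"). Since the line is already being changed for machine/device, fix both here. The unchanged context lines in the same hunk write "Windows Server 2008R2" and "Windows Server 2012R2", which would read better as "2008 R2" and "2012 R2" alongside "Windows Server 2016".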
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines. +- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices. >[!NOTE] >Available from Windows 10, version 1809 or later. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. - [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index ebad60bf6b..9a043a2958 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -57,7 +57,7 @@ In this deployment scenario, you'll be guided through the steps on: >[!NOTE] ->For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md). +>For the purpose of guiding you through a typical deployment, this scenario will only cover the use of Microsoft Endpoint Configuration Manager. Microsoft Defender ATP supports the use of other onboarding tools but will not cover those scenarios in the deployment guide. For more information, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). ## Check license state 
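Review bot: in the preview.md `@@ -66,12 +67,12` hunk the rewritten Windows Server 2019 line still says "You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices"; "in the same method" should be "using the same method" (or "in the same way"). The Cloud App Security line rewritten in the same hunk is fine.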
@@ -88,7 +88,7 @@ To gain access into which licenses are provisioned to your company, and to check ## Tenant Configuration -When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine. +When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device. 1. From a web browser, navigate to . 
@@ -214,20 +214,20 @@ Use netsh to configure a system-wide static proxy. For example: netsh winhttp set proxy 10.0.0.6:8080 -### Proxy Configuration for down-level machines +### Proxy Configuration for down-level devices -Down-Level machines include Windows 7 SP1 and Windows 8.1 workstations as well +Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and versions of Windows Server 2016 prior to Windows Server CB 1803. These operating systems will have the proxy configured as part of the Microsoft Management Agent to handle communication from the endpoint to Azure. Refer to the Microsoft Management Agent Fast Deployment Guide for information on how a proxy -is configured on these machines. +is configured on these devices. ### Proxy Service URLs URLs that include v20 in them are only needed if you have Windows 10, version -1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only -needed if the machine is on Windows 10, version 1803 or later. +1803 or later devices. For example, ```us-v20.events.data.microsoft.com``` is only +needed if the device is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record -|- diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index c55c6e231f..fce90c63c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md 
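Review bot: the production-deployment.md `@@ -214,20 +214,20` hunk edits the "Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well" line but leaves the typo "Windows Sever 2012" in the unchanged context line directly below it; fix it to "Windows Server 2012" while this paragraph is open, and consider lowercasing "Down-Level" to "Down-level" to match the heading "Proxy Configuration for down-level devices" introduced in the same hunk.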
@@ -28,7 +28,7 @@ ms.topic: article >[!Note] >- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details. +>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. >-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). Microsoft Defender ATP supports the OAuth 2.0 protocol to pull detections from the API. @@ -114,9 +114,9 @@ sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved.
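Review bot: in the pull-alerts-using-rest-api.md `@@ -28,7 +28,7` hunk the new line "composed from the suspicious event occurred on the Device and its related Alert details" keeps the capitalized noun from the old line ("Machine" became "Device"), unlike every other replacement in this change, and "event occurred" should be "event that occurred". Suggest "is composed from the suspicious event that occurred on the device and its related alert details".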
The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

**NOTE**: When not specified, the default value will be the current time. ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

Value should be set according to **ISO 8601** duration format
E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

**NOTE**: When not specified, all alerts available in the time range will be retrieved. -machinegroups | string | Specifies machine groups to pull alerts from.

**NOTE**: When not specified, alerts from all machine groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` -DeviceCreatedMachineTags | string | Single machine tag from the registry. -CloudCreatedMachineTags | string | Machine tags that were created in Microsoft Defender Security Center. +machinegroups | string | Specifies device groups to pull alerts from.

**NOTE**: When not specified, alerts from all device groups will be retrieved.

Example:

```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +DeviceCreatedMachineTags | string | Single device tag from the registry. +CloudCreatedMachineTags | string | Device tags that were created in Microsoft Defender Security Center. ### Request example The following example demonstrates how to retrieve all the detections in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index 9bc6ebcb3f..82d8d9e9f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -63,7 +63,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each event hub message in Azure Event Hubs contains list of records. - Each record contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "**properties**". - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). -- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information. +- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: 
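Review bot: the pull-alerts-using-rest-api.md `@@ -114,9 +114,9` hunk correctly leaves the query-string names `machinegroups`, `DeviceCreatedMachineTags` and `CloudCreatedMachineTags` and the example URL `?machinegroups=UKMachines&machinegroups=FranceMachines` unchanged while the descriptions now say "device groups" and "device tag"; add a short note under the table saying that the parameter names keep the legacy "machine" spelling, so readers do not reach for a `devicegroups` parameter that the table does not document.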
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 682cc7e7d9..7ce30e67ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -64,7 +64,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w - Each blob contains multiple rows. - Each row contains the event name, the time Microsoft Defender ATP received the event, the tenant it belongs (you will only get events from your tenant), and the event in JSON format in a property called "properties". - For more information about the schema of Microsoft Defender ATP events, see [Advanced Hunting overview](advanced-hunting-overview.md). -- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the machine. Here every event will be decorated with this column as well. See [Machine Groups](machine-groups.md) for more information. +- In Advanced Hunting, the **DeviceInfo** table has a column named **MachineGroup** which contains the group of the device. Here every event will be decorated with this column as well. See [Device Groups](machine-groups.md) for more information. ## Data types mapping: @@ -80,7 +80,7 @@ In order to get the data types for our events properties do the following: ``` -- Here is an example for Machine Info event: +- Here is an example for Device Info event: ![Image of event hub resource ID](images/machine-info-datatype-example.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index 3bf1ca9d9d..ed0050fd05 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -35,16 +35,16 @@ Large geo-distributed security operations teams typically adopt a tier-based mod Tier | Description :---|:--- Tier 1 | **Local security operations team / IT team**
This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. -Tier 2 | **Regional security operations team**
This team can see all the machines for their region and perform remediation actions. +Tier 2 | **Regional security operations team**
This team can see all the devices for their region and perform remediation actions. Tier 3 | **Global security operations team**
This team consists of security experts and are authorized to see and perform all actions from the portal. -Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, machines they can access, and actions they can take. The RBAC framework is centered around the following controls: +Microsoft Defender ATP RBAC is designed to support your tier- or role-based model of choice and gives you granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls: - **Control who can take specific action** - Create custom roles and control what Microsoft Defender ATP capabilities they can access with granularity. -- **Control who can see information on specific machine group or groups** - - [Create machine groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. +- **Control who can see information on specific device group or groups** + - [Create device groups](machine-groups.md) by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group. To implement role-based access, you'll need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles. 
@@ -58,7 +58,7 @@ Before using RBAC, it's important that you understand the roles that can grant p When you first log in to Microsoft Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD. -Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments +Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments > [!WARNING] > Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Microsoft Defender Security Center, therefore, having the right groups ready in Azure AD is important. @@ -72,4 +72,4 @@ Someone with a Microsoft Defender ATP Global administrator role has unrestricted ## Related topic -- [Create and manage machine groups in Microsoft Defender ATP](machine-groups.md) \ No newline at end of file +- [Create and manage device groups in Microsoft Defender ATP](machine-groups.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md index 221645d516..479263bdf5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md 
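Review bot: the new line in the rbac.md `@@ -58,7 +58,7` hunk, "Someone with a Microsoft Defender ATP Global administrator role has unrestricted access to all devices, regardless of their device group association and the Azure AD user groups assignments", still has no terminal period, and "user groups assignments" should be "user group assignments"; both are worth fixing in the same edit.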
@@ -30,7 +30,7 @@ Method |Return Type |Description [List all recommendations](get-all-recommendations.md) | Recommendation collection | Retrieves a list of all security recommendations affecting the organization [Get recommendation by Id](get-recommendation-by-id.md) | Recommendation | Retrieves a security recommendation by its ID [Get recommendation software](get-recommendation-software.md)| [Software](software.md) | Retrieves a security recommendation related to a specific software -[Get recommendation machines](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of machines associated with the security recommendation +[Get recommendation devices](get-recommendation-machines.md)|MachineRef collection | Retrieves a list of devices associated with the security recommendation [Get recommendation vulnerabilities](get-recommendation-vulnerabilities.md) | [Vulnerability](vulnerability.md) collection | Retrieves a list of vulnerabilities associated with the security recommendation @@ -53,7 +53,7 @@ remediationType | String | Remediation type. Possible values are: “Configurati Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception” configScoreImpact | Double | Configuration score impact exposureImpacte | Double | Exposure score impact -totalMachineCount | Long | Number of installed machines -exposedMachinesCount | Long | Number of installed machines that are exposed to vulnerabilities -nonProductivityImpactedAssets | Long | Number of machines which are not affected +totalMachineCount | Long | Number of installed devices +exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities +nonProductivityImpactedAssets | Long | Number of devices which are not affected relatedComponent | String | Related software component 
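Review bot: in the recommendation.md `@@ -53,7 +53,7` hunk the unchanged context line "exposureImpacte | Double | Exposure score impact" looks like a typo for `exposureImpact`; since the three property lines below it (`totalMachineCount`, `exposedMachinesCount`, `nonProductivityImpactedAssets`) are being edited here, verify that name against the actual API response and correct it in the same change if it is wrong. Those three names correctly keep "Machine", as they are JSON field names and only the descriptions change.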
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 408df1d9a1..9f59dc9622 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -60,13 +60,13 @@ You can contain an attack in your organization by stopping the malicious process >[!IMPORTANT] >You can only take this action if: > -> - The machine you're taking the action on is running Windows 10, version 1703 or later +> - The device you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft > - Microsoft Defender Antivirus must at least be running on Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistent data, such as any registry keys. -This action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. +This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] >You’ll be able to restore the file from quarantine at any time. 
@@ -80,7 +80,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe >[!NOTE] - >The stop and quarantine file action is limited to a maximum of 1000 machines. To stop a file on a larger number of machines, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). + >The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). 2. Go to the top bar and select **Stop and Quarantine File**. @@ -94,26 +94,26 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe ![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png) - **Submission time** - Shows when the action was submitted. - - **Success** - Shows the number of machines where the file has been stopped and quarantined. - - **Failed** - Shows the number of machines where the action failed and details about the failure. - - **Pending** - Shows the number of machines where the file is yet to be stopped and quarantined from. This can take time for cases when the machine is offline or not connected to the network. + - **Success** - Shows the number of devices where the file has been stopped and quarantined. + - **Failed** - Shows the number of devices where the action failed and details about the failure. + - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. -**Notification on machine user**:
-When the file is being removed from a machine, the following notification is shown: +**Notification on device user**:
+When the file is being removed from a device, the following notification is shown: -![Image of notification on machine user](images/atp-notification-file.png) +![Image of notification on device user](images/atp-notification-file.png) -In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. +In the device timeline, a new event is added for each device where a file was stopped and quarantined. For files that widely used throughout an organization, a warning is shown before an action is implemented, to validate that the operation is intended. ## Restore file from quarantine -You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each machine where the file was quarantined. +You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each device where the file was quarantined. -1. Open an elevated command–line prompt on the machine: +1. Open an elevated command–line prompt on the device: a. Go to **Start** and type _cmd_. 
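Review bot: in the respond-file-alerts.md `@@ -94,26 +94,26` hunk the new `**Pending**` bullet keeps the dangling preposition from the old line: "Shows the number of devices where the file is yet to be stopped and quarantined from." Suggest "Shows the number of devices on which the file has not yet been stopped and quarantined." The unchanged context line "For files that widely used throughout an organization" in the same hunk is also missing "are".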
@@ -128,11 +128,11 @@ You can roll back and remove a file from quarantine if you’ve determined that > [!NOTE] > In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl. > -> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this machine in the last 30 days. +> Microsoft Defender ATP will restore all custom blocked files that were quarantined on this device in the last 30 days. ## Add indicator to block or allow a file -You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. +You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. >[!IMPORTANT] 
> @@ -140,11 +140,11 @@ You can prevent further propagation of an attack in your organization by banning > >- The Antimalware client version must be 4.18.1901.x or later. >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. ->- This response action is available for machines on Windows 10, version 1703 or later. +>- This response action is available for devices on Windows 10, version 1703 or later. >- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. >[!NOTE] -> The PE file needs to be in the machine timeline for you to be able to take this action. +> The PE file needs to be in the device timeline for you to be able to take this action. > > There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. @@ -154,7 +154,7 @@ To start blocking files, you first need to [turn the **Block or allow** feature ### Allow or block file -When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it. +When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. 
@@ -172,24 +172,24 @@ Selecting **Download file** from the response actions allows you to download a l When you select this action, a fly-out will appear. From the fly-out, you can record a reason as to why you are downloading the file. You can also set a password to open the file. -![Image of download file fly-out](images/atp-download-file.png) +![Image of download file fly-out](images/atp-download-file-reason.png) If a file is not already stored by Microsoft Defender ATP, you cannot download it. Instead, you will see a **Collect file** button in the same location. If a file has not been seen in the organization in the past 30 days, **Collect file** will be disabled. ## Consult a threat expert -You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. +You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. 
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details. ## Check activity details in Action center -The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: +The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details: - Investigation package collection - Antivirus scan - App restriction -- Machine isolation +- Device isolation All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. 
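Review bot: the respond-file-alerts.md `@@ -172,24 +172,24` hunk changes the screenshot reference from `images/atp-download-file.png` to `images/atp-download-file-reason.png`; the new image is not added in the visible part of this change, so confirm it exists under `images/`, and remove the old file if nothing else references it.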
@@ -213,24 +213,24 @@ Use the deep analysis feature to investigate the details of any file, usually du >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] -**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 machine that supports submitting to deep analysis. +**Submit for deep analysis** is enabled when the file is available in the Microsoft Defender ATP backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis. > [!NOTE] > Only files from Windows 10 can be automatically collected. -You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available. +You can also manually submit a sample through the [Microsoft Security Center Portal](https://www.microsoft.com/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 device, and wait for **Submit for deep analysis** button to become available. > [!NOTE] > Due to backend processing flows in the Microsoft Security Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Microsoft Defender ATP. -When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications. +When the sample is collected, Microsoft Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. 
**Submit files for deep analysis:** 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: - Alerts - click the file links from the **Description** or **Details** in the Artifact timeline - - **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section + - **Devices list** - click the file links from the **Description** or **Details** in the **Device in organization** section - Search box - select **File** from the drop–down menu and enter the file name 2. In the **Deep analysis** tab of the file view, click **Submit**. @@ -242,7 +242,7 @@ When the sample is collected, Microsoft Defender ATP runs the file in is a secur A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. > [!NOTE] -> Depending on machine availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. +> Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. **View deep analysis reports** @@ -283,5 +283,5 @@ If you encounter a problem when trying to submit a file, try each of the followi ## Related topics -- [Take response actions on a machine](respond-machine-alerts.md) +- [Take response actions on a device](respond-machine-alerts.md) - [Investigate files](investigate-files.md) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 7d64a9e1f9..6d56a12fd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -1,7 +1,7 @@ --- -title: Take response actions on a machine in Microsoft Defender ATP -description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. -keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app +title: Take response actions on a device in Microsoft Defender ATP +description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running av scan, and restricting app execution. +keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -17,16 +17,16 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Take response actions on a machine +# Take response actions on a device **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) -Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. +Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center. -Response actions run along the top of a specific machine page and include: +Response actions run along the top of a specific device page and include: - Manage tags - Initiate Automated Investigation 
@@ -34,56 +34,56 @@ Response actions run along the top of a specific machine page and include: - Collect investigation package - Run antivirus scan - Restrict app execution -- Isolate machine +- Isolate device - Consult a threat expert - Action center ![Image of response actions](images/response-actions.png) - You can find machine pages from any of the following views: + You can find device pages from any of the following views: -- **Security operations dashboard** - Select a machine name from the Machines at risk card. -- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue. -- **Machines list** - Select the heading of the machine name from the machines list. -- **Search box** - Select Machine from the drop-down menu and enter the machine name. +- **Security operations dashboard** - Select a device name from the Devices at risk card. +- **Alerts queue** - Select the device name beside the device icon from the alerts queue. +- **Devices list** - Select the heading of the device name from the devices list. +- **Search box** - Select Device from the drop-down menu and enter the device name. >[!IMPORTANT] -> - These response actions are only available for machines on Windows 10, version 1703 or later. -> - For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party capabilities. +> - These response actions are only available for devices on Windows 10, version 1703 or later. +> - For non-Windows platforms, response capabilities (such as Device isolation) are dependent on the third-party capabilities. ## Manage tags -Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. +Add or manage tags to create a logical group affiliation. 
Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident. -For more information on machine tagging, see [Create and manage machine tags](machine-tags.md). +For more information on device tagging, see [Create and manage device tags](machine-tags.md). ## Initiate Automated Investigation -You can start a new general purpose automated investigation on the machine if needed. While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation. +You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md). ## Initiate Live Response Session -Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. +Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time. Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats. 
-For more information on live response, see [Investigate entities on machines using live response](live-response.md) +For more information on live response, see [Investigate entities on devices using live response](live-response.md) -## Collect investigation package from machines +## Collect investigation package from devices -As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. +As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker. -To download the package (Zip file) and investigate the events that occurred on a machine +To download the package (Zip file) and investigate the events that occurred on a device -1. Select **Collect investigation package** from the row of response actions at the top of the machine page. +1. Select **Collect investigation package** from the row of response actions at the top of the device page. 2. Specify in the text box why you want to perform this action. Select **Confirm**. 3. The zip file will download Alternate way: -1. Select **Action center** from the response actions section of the machine page. +1. Select **Action center** from the response actions section of the device page. ![Image of action center button](images/action-center-package-collection.png) @@ -95,12 +95,12 @@ The package contains the following folders: | Folder | Description | |:---|:---------| -|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | -|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | +|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device.

NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | +|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | |Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

- ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

- Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

- DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

- IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

- FirewallExecutionLog.txt and pfirewall.log | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

- Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

- PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | -| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | -| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | +| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. | +| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. | | Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy.

NOTE: Open the event log file using Event viewer. | | Services| Contains a .CSV file which lists services and their states. | | Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.

Contains files for SMBInboundSessions and SMBOutboundSession.

NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. | 
@@ -110,85 +110,85 @@ The package contains the following folders: |WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab | | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | -## Run Microsoft Defender Antivirus scan on machines +## Run Microsoft Defender Antivirus scan on devices -As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. +As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. >[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 or later. +>- This action is available for devices on Windows 10, version 1709 or later. >- A Microsoft Defender Antivirus (Microsoft Defender AV) scan can run alongside other antivirus solutions, whether Microsoft Defender AV is the active antivirus solution or not. Microsoft Defender AV can be in Passive mode. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan. ![Image of notification to select quick scan or full scan and add comment](images/run-antivirus.png) -The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. 
Microsoft Defender AV alerts will reflect any detections that surfaced during the scan. +The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Microsoft Defender AV alerts will reflect any detections that surfaced during the scan. ## Restrict app execution In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. >[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 or later. +> - This action is available for devices on Windows 10, version 1709 or later. > - This feature is available if your organization uses Microsoft Defender Antivirus. > - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). -To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. +To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities. >[!NOTE] ->You’ll be able to reverse the restriction of applications from running at any time. 
The button on the machine page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution. +>You’ll be able to reverse the restriction of applications from running at any time. The button on the device page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution. -Once you have selected **Restrict app execution** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. +Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. ![Image of app restriction notification](images/restrict-app-execution.png) -**Notification on machine user**:
+**Notification on device user**:
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running: ![Image of app restriction](images/atp-app-restriction.png) -## Isolate machines from the network +## Isolate devices from the network -Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement. >[!IMPORTANT] ->- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 or later. +>- Full isolation is available for devices on Windows 10, version 1703. +>- Selective isolation is available for devices on Windows 10, version 1709 or later. -This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine. +This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device. On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] ->You’ll be able to reconnect the machine back to the network at any time. 
The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine. +>You’ll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device. -Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event. +Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event. -![Image of isolate machine](images/isolate-machine.png) +![Image of isolate device](images/isolate-device.png) >[!NOTE] ->The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated. +>The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated. -**Notification on machine user**:
-When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network: +**Notification on device user**:
+When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network: ![Image of no network connection](images/atp-notification-isolate.png) ## Consult a threat expert -You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. +You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard. See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details. ## Check activity details in Action center -The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details: +The **Action center** provides information on actions that were taken on a device or file. 
You’ll be able to view the following details: - Investigation package collection - Antivirus scan - App restriction -- Machine isolation +- Device isolation All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index 6addf06827..c3c9a2b79a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -24,14 +24,14 @@ ms.topic: article ## API description -Restrict execution of all applications on the machine except a predefined set. +Restrict execution of all applications on the device except a predefined set. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -[!include[Machine actions note](../../includes/machineactionsnote.md)] +[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` 
@@ -84,5 +84,5 @@ Content-type: application/json ``` -- To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution.md). +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index 4499b07fc0..4efc0b82c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md 
@@ -52,7 +52,7 @@ Other information available in the details pane when the alert opens includes MI Clicking on a device or a user card in the affected assets sections will switch to the details of the device or user in the details pane. -- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the machine page to investigate from the device's point of view. +- **For devices** the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view. - **For users** the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can click *Open user page* to continue the investigation from that user's point of view. ![A snippet of the details pane when a device is selected](images/alert-device-details.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 19ccd7e62c..00040ec11f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md 
@@ -40,7 +40,7 @@ Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' >[!Note] > When obtaining a token using user credentials: >- The user needs to have 'View Data' AD role ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 3df06ec29a..cc7fc6a3ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -1,7 +1,7 @@ --- title: Run antivirus scan API -description: Use this API to create calls related to running an antivirus scan on a machine. -keywords: apis, graph api, supported apis, remove machine from isolation +description: Use this API to create calls related to running an antivirus scan on a device. +keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -24,14 +24,14 @@ ms.topic: article ## API description -Initiate Microsoft Defender Antivirus scan on a machine. +Initiate Microsoft Defender Antivirus scan on a device. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -[!include[Machine actions note](../../includes/machineactionsnote.md)] +[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) 
@@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.Scan | 'Scan machine' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` @@ -68,8 +68,8 @@ ScanType| String | Defines the type of the Scan. **Required**. **ScanType** controls the type of scan to perform and can be one of the following: -- **Quick** – Perform quick scan on the machine -- **Full** – Perform full scan on the machine +- **Quick** – Perform quick scan on the device +- **Full** – Perform full scan on the device diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index b3955f8794..0d98b91181 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md 
@@ -1,7 +1,7 @@ --- -title: Run a detection test on a newly onboarded Microsoft Defender ATP machine -description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Microsoft Defender ATP service. -keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test +title: Run a detection test on a newly onboarded Microsoft Defender ATP device +description: Run the detection script on a newly onboarded device to verify that it is properly onboarded to the Microsoft Defender ATP service. +keywords: detection test, detection, powershell, script, verify, onboarding, microsoft defender advanced threat protection onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Run a detection test on a newly onboarded Microsoft Defender ATP machine +# Run a detection test on a newly onboarded Microsoft Defender ATP device **Applies to:** - Supported Windows 10 versions @@ -28,10 +28,10 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Microsoft Defender ATP service. +Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service. 1. Create a folder: 'C:\test-MDATP-test'. -2. Open an elevated command-line prompt on the machine and run the script: +2. Open an elevated command-line prompt on the device and run the script: 1. Go to **Start** and type **cmd**. 
@@ -45,8 +45,8 @@ Run the following PowerShell script on a newly onboarded machine to verify that powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-MDATP-test\\invoice.exe');Start-Process 'C:\\test-MDATP-test\\invoice.exe' ``` -The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes. +The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded device in approximately 10 minutes. ## Related topics -- [Onboard Windows 10 machines](configure-endpoints.md) +- [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md index a0a67a5dd0..bc8b673887 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md @@ -1,7 +1,7 @@ --- title: Score methods and properties -description: Retrieves your organization's exposure score, device secure score, and exposure score by machine group -keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by machine group +description: Retrieves your organization's exposure score, device secure score, and exposure score by device group +keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -29,7 +29,7 @@ Method |Return Type |Description :---|:---|:--- [Get exposure score](get-exposure-score.md) | [Score](score.md) | Get the organizational exposure score. [Get device secure score](get-device-secure-score.md) | [Score](score.md) | Get the organizational device secure score. -[List exposure score by machine group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by machine group. +[List exposure score by device group](get-machine-group-exposure-score.md)| [Score](score.md) | List scores by device group. ## Properties @@ -37,4 +37,4 @@ Property | Type | Description :---|:---|:--- Score | Double | The current score. Time | DateTime | The date and time in which the call for this API was made. -RbacGroupName | String | The machine group name. +RbacGroupName | String | The device group name. diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index 00820b5fe4..db1b08907f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md 
@@ -1,7 +1,7 @@ --- title: Microsoft Defender Security Center Security operations dashboard -description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. -keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware +description: Use the dashboard to identify devices at risk, keep track of the status of the service, and see statistics and information about devices and alerts. +keywords: dashboard, alerts, new, in progress, resolved, risk, devices at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -29,10 +29,10 @@ The **Security operations dashboard** is where the endpoint detection and respon The dashboard displays a snapshot of: - Active alerts -- Machines at risk +- Devices at risk - Sensor health - Service health -- Daily machines reporting +- Daily devices reporting - Active automated investigations - Automated investigations statistics - Users at risk 
@@ -41,9 +41,9 @@ The dashboard displays a snapshot of: ![Image of Security operations dashboard](images/atp-sec-ops-dashboard.png) -You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. +You can explore and investigate alerts and devices to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. -From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a machine. You can also drill down into granular events and low-level indicators. +From the **Security operations dashboard** you will see aggregated events to facilitate the identification of significant events or behaviors on a device. You can also drill down into granular events and low-level indicators. It also has clickable tiles that give visual cues on the overall health state of your organization. Each tile opens a detailed view of the corresponding overview. 
@@ -59,27 +59,25 @@ For more information see, [Alerts overview](alerts-queue.md). Each row includes an alert severity category and a short description of the alert. You can click an alert to see its detailed view. For more information see, [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) and [Alerts overview](alerts-queue.md). +## Devices at risk +This tile shows you a list of devices with the highest number of active alerts. The total number of alerts for each device is shown in a circle next to the device name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). -## Machines at risk -This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). +![The Devices at risk tile shows a list of devices with the highest number of alerts, and a breakdown of the severity of the alerts](images/devices-at-risk-tile.png) -![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/machines-at-risk-tile.png) +Click the name of the device to see details about that device. For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md). -Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines.md). +You can also click **Devices list** at the top of the tile to go directly to the **Devices list**, sorted by the number of active alerts. 
For more information see, [Investigate devices in the Microsoft Defender Advanced Threat Protection Devices list](investigate-machines.md). -You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Microsoft Defender Advanced Threat Protection Machines list](investigate-machines.md). +## Devices with sensor issues +The **Devices with sensor issues** tile provides information on the individual device’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices. -## Sensor health -The **Sensor health** tile provides information on the individual machine’s ability to provide sensor data to the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines. +![Devices with sensor issues tile](images/atp-tile-sensor-health.png) -![Sensor health tile](images/atp-tile-sensor-health.png) +There are two status indicators that provide information on the number of devices that are not reporting properly to the service: +- **Misconfigured** – These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. +- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. -There are two status indicators that provide information on the number of machines that are not reporting properly to the service: -- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. 
- - -When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate machines](investigate-machines.md). +When you click any of the groups, you’ll be directed to devices list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status.md) and [Investigate devices](investigate-machines.md). ## Service health The **Service health** tile informs you if the service is active or if there are issues. 
@@ -89,15 +87,14 @@ The **Service health** tile informs you if the service is active or if there are For more information on the service health, see [Check the Microsoft Defender ATP service health](service-status.md). -## Daily machines reporting -The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day. - -![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png) +## Daily devices reporting +The **Daily devices reporting** tile shows a bar graph that represents the number of devices reporting daily in the last 30 days. Hover over individual bars on the graph to see the exact number of devices reporting in each day. +![Image of daily devices reporting tile](images/atp-daily-devices-reporting.png) ## Active automated investigations -You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for machine**, and **Running**. +You can view the overall number of automated investigations from the last 30 days in your network from the **Active automated investigations** tile. Investigations are grouped into **Pending action**, **Waiting for device**, and **Running**. ![Inmage of active automated investigations](images/atp-active-investigations-tile.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md index 414a3a54fc..0853d1f0d8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md 
@@ -31,7 +31,7 @@ Method |Return Type |Description [List software](get-software.md) | Software collection | List the organizational software inventory. [Get software by Id](get-software-by-id.md) | Software | Get a specific software by its software ID. [List software version distribution](get-software-ver-distribution.md)| Distribution collection | List software version distribution by software ID. -[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of machines that are associated with the software ID. +[List machines by software](get-machines-by-software.md)| MachineRef collection | Retrieve a list of devices that are associated with the software ID. [List vulnerabilities by software](get-vuln-by-software.md) | [Vulnerability](vulnerability.md) collection | Retrieve a list of vulnerabilities associated with the software ID. [Get missing KBs](get-missing-kbs-software.md) | KB collection | Get a list of missing KBs associated with the software ID @@ -45,5 +45,5 @@ Vendor | String | Software vendor name Weaknesses | Long | Number of discovered vulnerabilities publicExploit | Boolean | Public exploit exists for some of the vulnerabilities activeAlert | Boolean | Active alert is associated with this software -exposedMachines | Long | Number of exposed machines +exposedMachines | Long | Number of exposed devices impactScore | Double | Exposure score impact of this software diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index edfd07e6a7..2bdc3f389c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md 
@@ -24,14 +24,14 @@ ms.topic: article ## API description -Stop execution of a file on a machine and delete it. +Stop execution of a file on a device and delete it. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -[!include[Machine actions note](../../includes/machineactionsnote.md)] +[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quara >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` @@ -64,7 +64,7 @@ In the request body, supply a JSON object with the following parameters: Parameter | Type | Description :---|:---|:--- Comment | String | Comment to associate with the action. **Required**. -Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**. +Sha1 | String | Sha1 of the file to stop and quarantine on the device. **Required**. ## Response If successful, this method returns 201 - Created response code and [Machine Action](machineaction.md) in the response body. diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index 2dfdb89168..1858d780e2 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -1,7 +1,7 @@ --- title: Supported Microsoft Defender Advanced Threat Protection response APIs description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls. -keywords: response apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -30,14 +30,14 @@ Learn about the supported response related API calls you can run and details suc ## In this section Topic | Description :---|:--- -Collect investigation package | Run this to collect an investigation package from a machine. -Isolate machine | Run this to isolate a machine from the network. -Unisolate machine | Remove a machine from isolation. +Collect investigation package | Run this to collect an investigation package from a device. +Isolate device | Run this to isolate a device from the network. +Unisolate device | Remove a device from isolation. Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. -Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised machine has been remediated. -Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. +Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. +Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. -Request sample | Run this call to request a sample of a file from a specific machine. The file will be collected from the machine and uploaded to a secure storage. +Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. 
Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. Get package SAS URI | Run this to get a URI that allows downloading an investigation package. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 2ade5dcf42..d9da84884b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -35,8 +35,8 @@ Watch this short video to quickly understand how threat analytics can help you t The threat analytics dashboard is a great jump off point for getting to the reports that are most relevant to your organization. It provides several overviews about the threats covered in the reports: -- **Latest threats** — lists the most recently published threat reports, along with the number of machines with resolved and unresolved alerts. -- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of machines that have had related alerts, along with the number of machines with resolved and unresolved alerts. +- **Latest threats** — lists the most recently published threat reports, along with the number of devices with resolved and unresolved alerts. +- **High-impact threats** — lists the threats that have had the highest impact on the organization in terms of the number of devices that have had related alerts, along with the number of devices with resolved and unresolved alerts. - **Threat summary** — shows the number of threats among the threats reported in threat analytics with actual alerts. ![Image of a threat analytics dashboard](images/ta_dashboard.png) 
@@ -51,18 +51,18 @@ Each threat report generally provides an overview of the threat and an analysis ### Organizational impact Each report includes cards designed to provide information about the organizational impact of a threat: -- **Machines with alerts** — shows the current number of distinct machines in your organization that have been impacted by the threat. A machine is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the machine have been resolved. -- **Machines with alerts over time** — shows the number of distinct machines with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. +- **Devices with alerts** — shows the current number of distinct devices in your organization that have been impacted by the threat. A device is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved. +- **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. ### Organizational resilience Each report also includes cards that provide an overview of how resilient your organization can be against a given threat: -- **Mitigation status** — shows the number of machines that have and have not applied mitigations for the threat. Machines are considered mitigated if they have all the measurable mitigations in place. 
-- **Vulnerability patching status** — shows the number of machines that have applied security updates or patches that address vulnerabilities exploited by the threat. -- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of machines that don't have these mitigations in place. +- **Mitigation status** — shows the number of devices that have and have not applied mitigations for the threat. Devices are considered mitigated if they have all the measurable mitigations in place. +- **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat. +- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of devices that don't have these mitigations in place. >[!IMPORTANT] ->- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a machine has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts. +>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a device has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts. >- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency. >[!NOTE] ->Machines are counted as "unavailable" if they have been unable to transmit data to the service. +>Devices are counted as "unavailable" if they have been unable to transmit data to the service. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index d5491f5b3c..b099ac0a4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -29,7 +29,7 @@ ms.topic: article ## APIs -Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). +Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). See the following topics for related APIs: - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) @@ -39,7 +39,7 @@ See the following topics for related APIs: - [Software APIs](software.md) - [Vulnerability APIs](vulnerability.md) -## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit +## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. 
@@ -85,15 +85,15 @@ To view a list of version that have reached end of support, or end or support so 1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected. - ![Screenshot of version distribution link](images/eos-upcoming-eos.png)

+ ![Screenshot of version distribution link](images/eos-upcoming-eos.png) 2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. - ![Screenshot of version distribution link](images/software-drilldown-eos.png)

+ ![Screenshot of version distribution link](images/software-drilldown-eos.png) -3. Select one of the versions in the table to open. For example, version 3.5.2150.0. A flyout will appear with the end of support date. +3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. -![Screenshot of version distribution link](images/version-eos-date.png)

+ ![Screenshot of version distribution link](images/version-eos-date.png) After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index c003b67a2d..4f2f261f8a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md 
@@ -36,7 +36,7 @@ Before creating custom threat alerts, it's important to know the concepts behind Alert definitions are contextual attributes that can be used collectively to identify early clues on a possible cybersecurity attack. These indicators are typically a combination of activities, characteristics, and actions taken by an attacker to successfully achieve the objective of an attack. Monitoring these combinations of attributes is critical in gaining a vantage point against attacks and possibly interfering with the chain of events before an attacker's objective is reached. ## Indicators of compromise (IOC) -IOCs are individually-known malicious events that indicate that a network or machine has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. +IOCs are individually-known malicious events that indicate that a network or device has already been breached. Unlike alert definitions, these indicators are considered as evidence of a breach. They are often seen after an attack has already been carried out and the objective has been reached, such as exfiltration. Keeping track of IOCs is also important during forensic investigations. Although it might not provide the ability to intervene with an attack chain, gathering these indicators can be useful in creating better defenses for possible future attacks. ## Relationship between alert definitions and IOCs In the context of Microsoft Defender ATP, alert definitions are containers for IOCs and defines the alert, including the metadata that is raised in case of a specific IOC match. 
Various metadata is provided as part of the alert definitions. Metadata such as alert definition name of attack, severity, and description is provided along with other options. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index a5736ca3db..47a3571c4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md 
@@ -38,11 +38,11 @@ Microsoft Defender ATP provides a comprehensive server protection solution, incl Keep sensitive data secure while enabling productivity in the workplace through data discovery and data protection. ### Conditional Access -Microsoft Defender ATP's dynamic machine risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. +Microsoft Defender ATP's dynamic device risk score is integrated into the Conditional Access evaluation, ensuring that only secure devices have access to resources. ### Microsoft Cloud App Security -Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored machines. +Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices. ### Office 365 Advanced Threat Protection (Office 365 ATP) [Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Microsoft Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index 8d109610de..de32213341 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -85,4 +85,4 @@ For example, to show data about high-severity alerts only: 3. Select **Apply**. ## Related topic -- [Machine health and compliance report](machine-reports.md) \ No newline at end of file +- [Device health and compliance report](machine-reports.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 8342b664ed..9c418be987 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -50,7 +50,7 @@ severity | Enum | The severity of the indicator. possible values are: "Informati title | String | Indicator title. description | String | Description of the indicator. recommendedActions | String | Recommended actions for the indicator. -rbacGroupNames | List of strings | RBAC machine group names where the indicator is exposed and active. Empty list in case it exposed to all machines. +rbacGroupNames | List of strings | RBAC device group names where the indicator is exposed and active. Empty list in case it exposed to all devices. ## Json representation diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index cce2177013..76487204a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md 
@@ -47,7 +47,7 @@ Setting the Microsoft Defender ATP time zone to UTC will display all system time ### Local time zone You can choose to have Microsoft Defender ATP use local time zone settings. All alerts and events will be displayed using your local time zone. -The local time zone is taken from your machine’s regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings. +The local time zone is taken from your device’s regional settings. If you change your regional settings, the Microsoft Defender ATP time zone will also change. Choosing this setting means that the timestamps displayed in Microsoft Defender ATP will be aligned to local time for all Microsoft Defender ATP users. Analysts located in different global locations will now see the Microsoft Defender ATP alerts according to their regional settings. Choosing to use local time can be useful if the analysts are located in a single location. In this case it might be easier to correlate events to local time, for example – when a local user clicked on a suspicious email link. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md index d415db238d..b993541266 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md 
@@ -55,7 +55,7 @@ If while trying to take an action during a live response session, you encounter ## Slow live response sessions or delays during initial connections Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows. If you are having connectivity issues with live response, please confirm the following: -1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). +1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). 2. WpnService (Windows Push Notifications System Service) is not disabled. Please refer to the articles below to fully understand the WpnService service behavior and requirements: diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index 965b186fad..9c1e48b7e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md 
@@ -40,7 +40,7 @@ See the topic [Review events and errors using Event Viewer](event-error-codes.md ## Microsoft Defender ATP service fails to start after a reboot and shows error 577 -If onboarding machines successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. +If onboarding devices successfully completes but Microsoft Defender ATP does not start after a reboot and shows error 577, check that Windows Defender is not disabled by a policy. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 17903652ed..11ac7f37c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -1,7 +1,7 @@ --- title: Troubleshoot onboarding issues and error messages description: Troubleshoot onboarding issues and error message while completing setup of Microsoft Defender Advanced Threat Protection. -keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp +keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 
@@ -50,10 +50,10 @@ For both cases you should contact Microsoft support at [General Microsoft Defend If while accessing Microsoft Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Microsoft Defender ATP subscription, like any other online service subscription, has an expiration date. -You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. +You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the device offboarding package, should you choose to not renew the license. > [!NOTE] -> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. +> For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. ![Image of subscription expired](images/atp-subscription-expired.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 04a9d022a7..393617182a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -1,6 +1,6 @@ --- title: Troubleshoot Microsoft Defender ATP onboarding issues -description: Troubleshoot issues that might arise during the onboarding of machines or to the Microsoft Defender ATP service. +description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh search.appverid: met150 
@@ -26,41 +26,41 @@ ms.topic: troubleshooting - Windows Server 2016 You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues. -This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines. +This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices. ## Troubleshoot issues with onboarding tools -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. +If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem. ### Troubleshoot onboarding when deploying with Group Policy -Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not. +Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). +If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. 
For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script). -If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. +If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur. ### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager -When onboarding machines using the following versions of Configuration Manager: +When onboarding devices using the following versions of Configuration Manager: - Microsoft Endpoint Configuration Manager - System Center 2012 Configuration Manager - System Center 2012 R2 Configuration Manager -Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console. +Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console. -If the deployment fails, you can check the output of the script on the machines. +If the deployment fails, you can check the output of the script on the devices. -If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur. +If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur. 
### Troubleshoot onboarding when deploying with a script -**Check the result of the script on the machine:** +**Check the result of the script on the device:** 1. Click **Start**, type **Event Viewer**, and press **Enter**. 2. Go to **Windows Logs** > **Application**. @@ -75,7 +75,7 @@ Event ID | Error Type | Resolution steps :---:|:---|:--- `5` | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically
`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`. `10` | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
`HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`.
Verify that the script has been run as an administrator. -`15` | Failed to start SENSE service |Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. +`15` | Failed to start SENSE service |Check the service health (`sc query sense` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again. `15` | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred, you need to enable the Microsoft Defender Antivirus ELAM driver, see [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) for instructions. `30` | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). `35` | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
`HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md). @@ -87,7 +87,7 @@ Event ID | Error Type | Resolution steps You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. +If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment. Use the following tables to understand the possible causes of issues while onboarding: @@ -95,15 +95,15 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Machine management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Device management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---:|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10). +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10). | | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`

If it doesn't exist, open an elevated command and add the key. - | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10). + | | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://docs.microsoft.com/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10). | | | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently supported platforms:
Enterprise, Education, and Professional.
Server is not supported. 0x87D101A9 | -2016345687 |SyncML(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently supported platforms:
Enterprise, Education, and Professional. @@ -114,9 +114,9 @@ The following table provides information on issues with non-compliance and how y Case | Symptoms | Possible cause and troubleshooting steps :---:|:---|:--- - `1` | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

**Troubleshooting steps:** Wait for OOBE to complete. - `2` | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.

**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. - `3` | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time. + `1` | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.

**Troubleshooting steps:** Wait for OOBE to complete. + `2` | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start.

**Troubleshooting steps:** The issue should automatically be fixed within 24 hours. + `3` | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time. **Mobile Device Management (MDM) event logs** 
@@ -132,17 +132,17 @@ ID | Severity | Event description | Troubleshooting steps 1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760). -## Troubleshoot onboarding issues on the machine +## Troubleshoot onboarding issues on the device -If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent: -- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) +If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent: +- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) - [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled) - [Ensure the service is set to start](#ensure-the-service-is-set-to-start) -- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection) +- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection) - [Ensure that Microsoft Defender Antivirus is not disabled by a policy](#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy) -### View agent onboarding errors in the machine event log +### View agent onboarding errors in the device event log 1. Click **Start**, type **Event Viewer**, and press **Enter**. 
@@ -163,33 +163,33 @@ If the deployment tools used does not indicate an error in the onboarding proces Event ID | Message | Resolution steps :---:|:---|:--- - `5` | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). + `5` | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). `6` | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md). - `7` | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again. + `7` | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again. `9` | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

If the event happened during offboarding, contact support. `10` | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md).

If the problem persists, contact support. -`15` | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection). +`15` | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection). `17` | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support. `25` | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support. `27` | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support. -`29` | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again. +`29` | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again. `30` | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support. -`32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine. -`55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine. +`32` | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. 
Failure code: %1 | Verify that the service start type is manual and reboot the device. +`55` | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device. `63` | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type. `64` | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing. `68` | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type. `69` | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
-There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. +There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly. ### Ensure the diagnostic data service is enabled -If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes. +If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes. First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't). @@ -198,7 +198,7 @@ First, you should check that the service is set to start automatically when Wind **Use the command line to check the Windows 10 diagnostic data service startup type**: -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the device: a. Click **Start**, type **cmd**, and press **Enter**. 
@@ -219,7 +219,7 @@ First, you should check that the service is set to start automatically when Wind **Use the command line to set the Windows 10 diagnostic data service to automatically start:** -1. Open an elevated command-line prompt on the machine: +1. Open an elevated command-line prompt on the device: a. Click **Start**, type **cmd**, and press **Enter**. @@ -245,7 +245,7 @@ First, you should check that the service is set to start automatically when Wind sc start diagtrack ``` -### Ensure the machine has an Internet connection +### Ensure the device has an Internet connection The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. @@ -262,7 +262,7 @@ If the verification fails and your environment is using a proxy to connect to th **Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service. -**Solution**: If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. +**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy. - Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared: 
@@ -305,17 +305,17 @@ You might also need to check the following: ![Image of Microsoft Monitoring Agent Properties](images/atp-mma-properties.png) -- Check to see that machines are reflected in the **Machines list** in the portal. +- Check to see that devices are reflected in the **Devices list** in the portal. -## Confirming onboarding of newly built machines +## Confirming onboarding of newly built devices -There may be instances when onboarding is deployed on a newly built machine but not completed. +There may be instances when onboarding is deployed on a newly built device but not completed. The steps below provide guidance for the following scenario: -- Onboarding package is deployed to newly built machines +- Onboarding package is deployed to newly built devices - Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed -- Machine is turned off or restarted before the end user performs a first logon +- Device is turned off or restarted before the end user performs a first logon - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed > [!NOTE] @@ -443,6 +443,6 @@ The steps below provide guidance for the following scenario: ## Related topics - [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md) -- [Onboard machines](onboard-configure.md) -- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md) +- [Onboard devices](onboard-configure.md) +- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 05264dcf03..907fbf1634 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -27,18 +27,18 @@ ms.topic: conceptual Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including: - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Invaluable machine vulnerability context during incident investigations +- Invaluable device vulnerability context during incident investigations - Built-in remediation processes through Microsoft Intune and Microsoft Endpoint Configuration Manager You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to: -- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines +- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices - Correlate EDR insights with endpoint vulnerabilities and process them - Select remediation options, triage and track the remediation tasks - Select exception options and track active exceptions > [!NOTE] -> Machines that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score. +> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score. Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard. 
@@ -62,24 +62,24 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- -**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, machine exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed machines data. -[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your machines are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. +**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed devices data. +[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP. 
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. -[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected machine, version distribution details, and missing KBs or security updates. -[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed machines there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. +[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates. 
+[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. ## Threat & Vulnerability Management dashboard Area | Description :---|:--- -**Selected machine groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by machine groups. What you select in the filter applies throughout the Threat & Vulnerability management pages. +**Selected device groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the Threat & Vulnerability management pages. [**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. [**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page. -**Machine exposure distribution** | See how many machines are exposed based on their exposure level. 
Select a section in the doughnut chart to go to the **Machines list** page and view the affected machine names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. +**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags. **Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception. **Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page. **Top remediation activities** | Track the remediation activities generated from the security recommendations. You can select each item on the list to see the details in the **Remediation** page or select **Show more** to view the rest of the remediation activities, and active exceptions. -**Top exposed machines** | View exposed machine names and their exposure level. Select a machine name from the list to go to the machine page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed machines. Select **Show more** to see the rest of the exposed machines list. 
From the machines list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate machine. +**Top exposed devices** | View exposed device names and their exposure level. Select a device name from the list to go to the device page where you can view the alerts, risks, incidents, security recommendations, installed software, and discovered vulnerabilities associated with the exposed devices. Select **Show more** to see the rest of the exposed devices list. From the devices list, you can manage tags, initiate automated investigations, initiate a live response session, collect an investigation package, run antivirus scan, restrict app execution, and isolate device. See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-icons) for more information on the icons used throughout the portal. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 023e88ad09..3e920228a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md 
@@ -22,7 +22,7 @@ ms.topic: conceptual - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your machines are less vulnerable from exploitation. +Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation. The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further. @@ -30,7 +30,7 @@ The card gives you a high-level view of your exposure score trend over time. Any ## How it works -Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats. +Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats. The exposure score is continuously calculated on each device in the organization and influenced by the following factors: diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 239b7afd31..bb9818de99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md 
@@ -52,7 +52,7 @@ View **Top remediation activities** in the [Threat & Vulnerability Management da When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune. Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. -![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and machine remediation progress.](images/remediation_flyouteolsw.png) +![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) ## Exceptions diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 16f53d738f..f32f8abb06 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -33,7 +33,7 @@ Each security recommendation includes an actionable remediation recommendation w ## How it works -Each machine in the organization is scored based on three important factors to help customers to focus on the right things at the right time. +Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. - **Threat** - Characteristics of the vulnerabilities and exploits in your organizations' devices and breach history. Based on these factors, the security recommendations shows the corresponding links to active alerts, ongoing threat campaigns, and their corresponding threat analytic reports. @@ -51,7 +51,7 @@ Access the Security recommendations page a few different ways: View related security recommendations in the following places: - Software page -- Machine page +- Device page ### Navigation menu 
@@ -67,15 +67,18 @@ The top security recommendations lists the improvement opportunities prioritized ## Security recommendations overview -View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. +View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags. -The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green. +The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green. ![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png) ### Icons -Useful icons also quickly calls your attention to:
  • ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts
  • ![red bug](images/tvm_bug_icon.png) associated public exploits
  • ![light bulb](images/tvm_insight_icon.png) recommendation insights

+Useful icons also quickly calls your attention to: +- ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts +- ![red bug](images/tvm_bug_icon.png) associated public exploits +- ![light bulb](images/tvm_insight_icon.png) recommendation insights ### Investigate @@ -92,7 +95,7 @@ From the flyout, you can do any of the following: - **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet. >[!NOTE] ->When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. +>When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center. ## Request remediation @@ -108,7 +111,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT 1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. -2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to machines. +2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. 3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. 
@@ -117,7 +120,7 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. >[!NOTE] ->If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. +>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. ## File for exception @@ -136,7 +139,7 @@ When an exception is created for a recommendation, the recommendation is no long The following list details the justifications behind the exception options: - - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a machine, third party antivirus + - **Compensating/alternate control** - A 3rd party control that mitigates this recommendation exists, for example, if Network Firewall - - prevents access to a device, third party antivirus - **Productivity/business need** - Remediation will impact productivity or interrupt business-critical workflow - **Accept risk** - Poses low risk and/or implementing a compensating control is too expensive - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization 
@@ -154,7 +157,7 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 2. Select the three dots beside the security recommendation that you want to report, then select **Report inaccuracy**. -![Showing where the "Report inaccuracy" button is in a security recommendation flyout.](images/report-inaccuracy500.png) + ![Showing where the "Report inaccuracy" button is in a security recommendation flyout.](images/report-inaccuracy500.png) 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details regarding the inaccuracy. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 7ac4761b32..381bdcdf15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md 
@@ -35,11 +35,11 @@ Since it is real-time, in a matter of minutes, you will see vulnerability inform You can access the Software inventory page by selecting **Software inventory** from the Threat & Vulnerability Management navigation menu in the [Microsoft Defender Security Center](portal-overview.md). -View software on specific machines in the individual machines pages from the [machines list](machines-view-overview.md). +View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). ## Software inventory overview -The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed machines, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. +The **Software inventory** page opens with a list of software installed in your network, vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can also filter the software inventory list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. ![Example of the landing page for software inventory.](images/software_inventory_filter.png) Select the software that you want to investigate and a flyout panel opens up with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. 
@@ -50,20 +50,20 @@ Select the software that you want to investigate and a flyout panel opens up wit Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information: -- Side panel with vendor information, prevalence of the software in the organization (including number of machines it is installed on, and exposed machines that are not patched), whether and exploit is available, and impact to your exposure score -- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed machines -- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the machines that the software is installed on, and the specific versions of the software with the number of machines that have each version installed and number of vulnerabilities. +- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score +- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices +- Tabs with lists of the corresponding security recommendations for the weaknesses and vulnerabilities identified, the named CVEs of discovered vulnerabilities, the names of the devices that the software is installed on, and the specific versions of the software with the number of devices that have each version installed and number of vulnerabilities. 
-![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) + ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) ## Software evidence -We now show evidence of where we detected a specific software on a machine from the registry, disk or both. -You can find it on any machines found in the [machines list](machines-view-overview.md) in a section called "Software Evidence." +We now show evidence of where we detected a specific software on a device from the registry, disk or both. +You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence." -From the Microsoft Defender Security Center navigation panel, go to **Machines list** > select the name of a machine to open the machine page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. +From the Microsoft Defender Security Center navigation panel, go to **Devices list** > select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. -![Software evidence example of Windows 10 from the machines list, showing software evidence registry path.](images/tvm-software-evidence.png) +![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png) ## Report inaccuracy diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 4b7a5cb97e..86a8667ca9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -58,7 +58,7 @@ To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, the ## Weaknesses overview -If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization. +If the **Exposed Devices** column shows 0, that means you are not at risk. If exposed devices exist, the next step is to remediate the vulnerabilities in those devices to reduce the risk to your assets and organization. ![tvm-breach-insights](images/tvm-weaknesses-overview.png) 
@@ -81,28 +81,34 @@ The threat insights icon is highlighted if there are associated exploits in the ### Top vulnerable software in the dashboard 1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time. -![Top vulnerable software card with four columns: software, weaknesses, threats, exposed machines.](images/tvm-top-vulnerable-software500.png) + + ![Top vulnerable software card with four columns: software, weaknesses, threats, exposed devices.](images/tvm-top-vulnerable-software500.png) + 2. Select the software that you want to investigate to go a drill down page. 3. Select the **Discovered vulnerabilities** tab. 4. Select the vulnerability that you want to investigate. A flyout panel will appear with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates. -![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png) + ![Windows Server 2019 drill down overview.](images/windows-server-drilldown.png) -### Discover vulnerabilities in the machine page +### Discover vulnerabilities in the device page -View related weaknesses information in the machine page. +View related weaknesses information in the device page. -1. Go to the Microsoft Defender Security Center navigation menu bar, then select the machine icon. The **Machines list** page opens. -2. In the **Machines list** page, select the machine name that you want to investigate. -
![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)
-3. The machine page will open with details and response options for the machine you want to investigate. +1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens. +2. In the **Devices list** page, select the device name that you want to investigate. + + ![Screenshot of device list with selected device to investigate](images/tvm_machinetoinvestigate.png) + +3. The device page will open with details and response options for the device you want to investigate. 4. Select **Discovered vulnerabilities**. -
![Screenshot of the machine page with details and response options](images/tvm-discovered-vulnerabilities.png)
+ + [Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png) + 5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic. #### CVE Detection logic -Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source. +Similar to the software evidence, we now show the detection logic we applied on a device in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the device page) that shows the detection logic and source. ![Detection Logic example which lists the software detected on the device and the KBs.](images/cve-detection-logic.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 40c5117a86..70c1aed086 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -1,7 +1,7 @@ --- -title: Release machine from isolation API -description: Use this API to create calls related to release a machine from isolation. -keywords: apis, graph api, supported apis, remove machine from isolation +title: Release device from isolation API +description: Use this API to create calls related to release a device from isolation. +keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
@@ -17,7 +17,7 @@ ms.topic: article --- -# Release machine from isolation API +# Release device from isolation API **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) @@ -25,14 +25,14 @@ ms.topic: article ## API description -Undo isolation of a machine. +Undo isolation of a device. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -[!include[Machine actions note](../../includes/machineactionsnote.md)] +[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -45,7 +45,7 @@ Delegated (work or school account) | Machine.Isolate | 'Isolate machine' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` @@ -89,5 +89,5 @@ Content-type: application/json ``` -- To isolate a machine, see [Isolate machine](isolate-machine.md). +- To isolate a device, see [Isolate device](isolate-machine.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index 9687b34e41..3b560772a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -1,7 +1,7 @@ --- title: Remove app restriction API description: Use this API to create calls related to removing a restriction from applications from executing. -keywords: apis, graph api, supported apis, remove machine from isolation +keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -24,14 +24,14 @@ ms.topic: article ## API description -Enable execution of any application on the machine. +Enable execution of any application on the device. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. -[!include[Machine actions note](../../includes/machineactionsnote.md)] +[!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` @@ -86,4 +86,4 @@ Content-type: application/json ``` -To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution.md). +To restrict code execution on a device, see [Restrict app execution](restrict-code-execution.md). 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index d51346f8f2..38a2c6d170 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information) ->- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information) +>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 1b86e94b66..1b8ecb7f27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md 
@@ -1,7 +1,7 @@ --- title: Overview of Microsoft Defender Security Center description: Learn about the features on Microsoft Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. -keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa +keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate devices, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -27,9 +27,9 @@ ms.topic: conceptual Microsoft Defender Security Center is the portal where you can access Microsoft Defender Advanced Threat Protection capabilities. -Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network. +Use the **Security operations** dashboard to gain insight on the various alerts on devices and users in your network. -Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization. +Use the **Threat & Vulnerability Management** dashboard to expand your visibility on the overall security posture of your organization. You'll see devices that require attention and recommendations that can help you reduce the attack surface in your organization. Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. 
@@ -38,6 +38,6 @@ Use the **Threat analytics** dashboard to continually assess and control risk ex Topic | Description :---|:--- [Portal overview](portal-overview.md) | Understand the portal layout and area descriptions. -[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the machines on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines. -[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines. -[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify machines for the presence or absence of mitigations. \ No newline at end of file +[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices. +[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices. 
+[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations. \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index a2a976d975..18a1a896b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -41,7 +41,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur >[!NOTE] >To view Threat & Vulnerability Management data, select **Threat and vulnerability management**. - - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage device tags, and export device timeline. - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. - Security operations - Take response actions - Approve or dismiss pending remediation actions 
@@ -51,24 +51,24 @@ The following steps guide you on how to create roles in Microsoft Defender Secur >[!NOTE] >To enable your Security operation personnel to choose remediation options and file exceptions, select **Threat and vulnerability management - Remediation handling**, and **Threat and vulnerability management - Exception handling**. - - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and device groups. > [!NOTE] > This setting is only available in the Microsoft Defender ATP administrator (default) role. - - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications. - **Live response capabilities** - Users can take basic or advanced live response commands. - Basic commands allow users to: - Start a live response session - - Run read only live response commands on a remote machine + - Run read only live response commands on a remote device - Advanced commands allow users to: - Run basic actions - - Download a file from the remote machine + - Download a file from the remote device - View a script from the files library - - Run a script on the remote machine from the files library take read and write commands. 
+ - Run a script on the remote device from the files library take read and write commands. - For more information on the available commands, see [Investigate machines using Live response](live-response.md). + For more information on the available commands, see [Investigate devices using Live response](live-response.md). 4. Click **Next** to assign the role to an Azure AD Security group. @@ -80,7 +80,7 @@ The following steps guide you on how to create roles in Microsoft Defender Secur > [!IMPORTANT] -> After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created. +> After creating roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created. ## Edit roles @@ -102,4 +102,4 @@ The following steps guide you on how to create roles in Microsoft Defender Secur ## Related topic - [User basic permissions to access the portal](basic-permissions.md) -- [Create and manage machine groups](machine-groups.md) +- [Create and manage device groups](machine-groups.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index bd76e783d9..e895a9b146 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md 
@@ -25,4 +25,4 @@ ms.topic: article Method|Return Type |Description :---|:---|:--- [List User related alerts](get-user-related-alerts.md) | [alert](alerts.md) collection | List all the alerts that are associated with a [user](user.md). -[List User related machines](get-user-related-machines.md) | [machine](machine.md) collection | List all the machines that were logged on by a [user](user.md). \ No newline at end of file +[List User related devices](get-user-related-machines.md) | [machine](machine.md) collection | List all the devices that were logged on by a [user](user.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index 4bda743be9..f215fda3db 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -23,7 +23,7 @@ ms.topic: article - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. +The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first. @@ -46,7 +46,7 @@ You can apply the following filters to limit the list of incidents and get a mor Incident severity | Description :---|:--- -High
(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines. +High
(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on devices. Medium
(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. Low
(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. Informational
(Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of. diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md index 0ede996269..73aeb36a61 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md @@ -29,7 +29,7 @@ Method |Return Type |Description :---|:---|:--- [Get all vulnerabilities](get-all-vulnerabilities.md) | Vulnerability collection | Retrieves a list of all the vulnerabilities affecting the organization [Get vulnerability by Id](get-vulnerability-by-id.md) | Vulnerability | Retrieves vulnerability information by its ID -[List machines by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of machines that are associated with the vulnerability ID +[List devices by vulnerability](get-machines-by-vulnerability.md)| MachineRef collection | Retrieve a list of devices that are associated with the vulnerability ID ## Properties @@ -40,7 +40,7 @@ Name | String | Vulnerability title Description | String | Vulnerability description Severity | String | Vulnerability Severity. Possible values are: “Low”, “Medium”, “High”, “Critical” cvssV3 | Double | CVSS v3 score -exposedMachines | Long | Number of exposed machines +exposedMachines | Long | Number of exposed devices publishedOn | DateTime | Date when vulnerability was published updatedOn | DateTime | Date when vulnerability was updated publicExploit | Boolean | Public exploit exists diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index e64f5c502c..0a88bbdd1d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md 
@@ -26,14 +26,14 @@ ms.topic: article Web content filtering is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic due to compliance regulations, bandwidth usage, or other concerns. -You can configure policies across your machine groups to block certain categories, effectively preventing users within specified machine groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page you’re viewing is making calls to a resource which is blocked, you will see a block notification. +You can configure policies across your device groups to block certain categories, effectively preventing users within specified device groups from accessing URLs within that category. If a category is not blocked, all your users will be able to access the URLs without disruption. However, web content filtering will continue to gather access statistics that you can use to understand web usage and inform future policy decisions. If an element on the page you’re viewing is making calls to a resource which is blocked, you will see a block notification. Web content filtering is available on most major web browsers, with blocks performed by SmartScreen (Edge) and Network Protection (Internet Explorer, Chrome, Firefox, and all other browsers). See the prerequisites section for more information about browser support. 
To summarize the benefits: - Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away -- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) +- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) - You can access web reports in the same central location, with visibility over actual blocks and web usage ## User experience @@ -47,8 +47,8 @@ Before trying out this feature, make sure you have the following: - Windows 10 Enterprise E5 license - Access to Microsoft Defender Security Center portal -- Machines running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox) -- Machines running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking +- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update (for Network Protection on Internet Explorer, Edge, Chrome, or Firefox) +- Devices running Windows 10 May 2019 Update (version 1903) or later (for a better user experience from SmartScreen on Edge). Note that if SmartScreen is not turned on, Network Protection will take over the blocking - A valid license with a partner data provider ## Data handling 
@@ -99,9 +99,9 @@ From the left-hand navigation menu, select **Settings > General > Advanced Featu ### Configure web content filtering policies -Web content filtering policies specify which site categories are blocked on which machine groups. To manage the policies, go to **Settings > Rules > Web content filtering**. +Web content filtering policies specify which site categories are blocked on which device groups. To manage the policies, go to **Settings > Rules > Web content filtering**. -Use the filter to locate policies that contain certain blocked categories or are applied to specific machine groups. +Use the filter to locate policies that contain certain blocked categories or are applied to specific device groups. ### Create a policy @@ -110,11 +110,11 @@ To add a new policy: 1. Select **Add policy** on the **Web content filtering** page in **Settings**. 2. Specify a name. 3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. -4. Specify the policy scope. Select the machine groups to specify where to apply the policy. Only machines in the selected machine groups will be prevented from accessing websites in the selected categories. -5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected machines. +4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. +5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. >[!NOTE] ->If you are removing a policy or changing machine groups at the same time, this might cause a delay in policy deployment. +>If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment. ## Web content filtering cards and details 
@@ -142,7 +142,7 @@ This card displays the total number of requests for web content in all URLs. ### View card details -You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and machine groups. +You can access the **Report details** for each card by selecting a table row or colored bar from the chart in the card. The report details page for each card contains extensive statistical data about web content categories, website domains, and device groups. ![Image of web protection report details](images/web-protection-report-details.png) @@ -150,7 +150,7 @@ You can access the **Report details** for each card by selecting a table row or - **Domains**: Lists the web domains that have been accessed or blocked in your organization. Select a specific domain to view detailed information about that domain. -- **Machine groups**: Lists all the machine groups that have generated web activity in your organization +- **Device groups**: Lists all the device groups that have generated web activity in your organization Use the time range filter at the top left of the page to select a time period. You can also filter the information or customize the columns. Select a row to open a flyout pane with even more information about the selected item. 
@@ -162,7 +162,7 @@ You need to be logged in to an AAD account with either App administrator or Glob ### Limitations and known issues in this preview -- Unassigned machines will have incorrect data shown within the report. In the Report details > Machine groups pivot, you may see a row with a blank Machine Group field. This group contains your unassigned machines in the interim before they get put into your specified group. The report for this row may not contain an accurate count of machines or access counts. +- Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices in the interim before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. - The data in our reports may not be congruent with other data on the site. We currently do not support real-time data processing for this feature, so you may see inconsistencies between the data in our reports and the URL entity page. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index 36d58deb28..748fd7d9dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md 
@@ -47,9 +47,9 @@ Select a specific web threat category in the **Web threat protection summary** c - **Blocks** — number of times requests were blocked - **Access trend** — change in number of access attempts - **Threat category** — type of web threat -- **Machines** — number of machines with access attempts +- **Devices** — number of devices with access attempts -Select a domain to view the list of machines that have attempted to access URLs in that domain as well as the list of URLs. +Select a domain to view the list of devices that have attempted to access URLs in that domain as well as the list of URLs. ## Related topics - [Web protection overview](web-protection-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index 877203d476..bd1b95e08a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md 
@@ -21,7 +21,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your machines against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**. +Web protection in Microsoft Defender ATP is a capability made up of [Web threat protection](web-threat-protection.md) and [Web content filtering](web-content-filtering.md). Web protection lets you secure your devices against web threats and helps you regulate unwanted content. You can find Web protection reports in the Microsoft Defender Security Center by going to **Reports > Web protection**. ![Image of all web protection cards](images/web-protection.png) @@ -31,7 +31,7 @@ The cards that make up web threat protection are **Web threat detections over ti Web threat protection includes: - Comprehensive visibility into web threats affecting your organization -- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the machines that access these URLs +- Investigation capabilities over web-related threat activity through alerts and comprehensive profiles of URLs and the devices that access these URLs - A full set of security features that track general access trends to malicious and unwanted websites ## Web content filtering 
@@ -40,7 +40,7 @@ The cards that comprise web content filtering are **Web activity by category**, Web content filtering includes: - Users are prevented from accessing websites in blocked categories, whether they are browsing on-premises or away -- You can conveniently deploy varied policies to various sets of users using the machine groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) +- You can conveniently deploy varied policies to various sets of users using the device groups defined in the [Microsoft Defender ATP role-based access control settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) - You can access web reports in the same central location, with visibility over actual blocks and web usage ## In this section diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index e9e6949f27..6faacb1439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -29,7 +29,7 @@ Microsoft Defender ATP generates the following [alerts](manage-alerts.md) for ma - **Suspicious connection detected by network protection** — this alert is generated when an attempt to access a malicious website or a website in your custom indicator list is detected by network protection in *audit only* mode Each alert provides the following information: -- Machine that attempted to access the blocked website +- Device that attempted to access the blocked website - Application or program used to send the web request - Malicious URL or URL in the custom indicator list - Recommended actions for responders 
@@ -37,22 +37,22 @@ Each alert provides the following information: ![Image of an alert related to web threat protection](images/wtp-alert.png) >[!Note] ->To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the same machine each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md). +>To reduce the volume of alerts, Microsoft Defender ATP consolidates web threat detections for the same domain on the same device each day to a single alert. Only one alert is generated and counted into the [web protection report](web-protection-monitoring.md). ## Inspect website details You can dive deeper by selecting the URL or domain of the website in the alert. This opens a page about that particular URL or domain with various information, including: -- Machines that attempted to access website +- Devices that attempted to access website - Incidents and alerts related to the website - How frequent the website was seen in events in your organization -![Image of the domain or URL entity details page](images/wtp-website-details.png) + ![Image of the domain or URL entity details page](images/wtp-website-details.png) [Learn more about URL or domain entity pages](investigate-domain.md) -## Inspect the machine -You can also check the machine that attempted to access a blocked URL. Selecting the name of the machine on the alert page opens a page with comprehensive information about the machine. +## Inspect the device +You can also check the device that attempted to access a blocked URL. Selecting the name of the device on the alert page opens a page with comprehensive information about the device. -[Learn more about machine entity pages](investigate-machines.md) +[Learn more about device entity pages](investigate-machines.md) ## Web browser and Windows notifications for end users 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md index 66e0e293ed..4be0e00f08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md 
@@ -21,15 +21,15 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your machines against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect machines while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). +Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). >[!Note] ->It can take up to an hour for machines to receive new customer indicators. +>It can take up to an hour for devices to receive new customer indicators. ## Prerequisites Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. 
-To turn on network protection on your machines: +To turn on network protection on your devices: - Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline) - Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index e92f68d8a9..4d340065fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -42,7 +42,7 @@ For more information preview features, see [Preview features](https://docs.micro ## April 2020 -- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). +- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615). ## November-December 2019 @@ -70,9 +70,9 @@ For more information preview features, see [Preview features](https://docs.micro - [Tamper Protection settings using Intune](../microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md#turn-tamper-protection-on-or-off-for-your-organization-using-intune)
You can now turn Tamper Protection on (or off) for your organization in the Microsoft 365 Device Management Portal (Intune). -- [Live response](live-response.md)
Get instantaneous access to a machine using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time. +- [Live response](live-response.md)
Get instantaneous access to a device using a remote shell connection. Do in-depth investigative work and take immediate response actions to promptly contain identified threats - real-time. -- [Evaluation lab](evaluation-lab.md)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can +- [Evaluation lab](evaluation-lab.md)
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. - [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016)
You can now onboard Windows Server 2008 R2 SP1. @@ -82,7 +82,7 @@ For more information preview features, see [Preview features](https://docs.micro - [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
A new built-in capability that uses a risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Machine health and compliance report](machine-reports.md) The machine health and compliance report provides high-level information about the devices in your organization. +- [Device health and compliance report](machine-reports.md) The device health and compliance report provides high-level information about the devices in your organization. ## May 2019 @@ -107,7 +107,7 @@ For more information preview features, see [Preview features](https://docs.micro ## February 2019 - [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue)
Incident is a new entity in Microsoft Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows machines so that they can send sensor data to the Microsoft Defender ATP sensor. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
Onboard supported versions of Windows devices so that they can send sensor data to the Microsoft Defender ATP sensor. ## October 2018 @@ -164,7 +164,7 @@ Query data using advanced hunting in Microsoft Defender ATP. - [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard)
You can now block untrusted processes from writing to disk sectors using Controlled Folder Access. -- [Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
+- [Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection)
Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. - [Role-based access control (RBAC)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection)
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md index 0740a2c4fd..99be4872aa 100644 --- a/windows/whats-new/whats-new-windows-10-version-2004.md +++ b/windows/whats-new/whats-new-windows-10-version-2004.md @@ -18,7 +18,9 @@ ms.topic: article **Applies to** - Windows 10, version 2004 -This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update). +This article lists new and updated features and content that are of interest to IT Pros for Windows 10, version 2004, also known as the Windows 10 May 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1909. + +To download and install Windows 10, version 2004, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, see this [video](https://aka.ms/Windows-10-May-2020-Update). > [!NOTE] > The month indicator for this release is 04 instead of 03 to avoid confusion with Windows releases in the year 2003. 
@@ -50,7 +52,9 @@ Note: [Application Guard for Office](https://support.office.com/article/applicat ### Windows Setup -Improvements in Windows Setup with this release include: +Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language ](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/). + +Improvements in Windows Setup with this release also include: - Reduced offline time during feature updates - Improved controls for reserved storage - Improved controls and diagnostics @@ -86,7 +90,7 @@ For information about what's new in the ADK, see [What's new in the Windows ADK ### Microsoft Deployment Toolkit (MDT) -MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. This issue is currently under investigation. +MDT version 8456 supports Windows 10, version 2004, but there is currently an issue that causes MDT to incorrectly detect that UEFI is present. There is an [update available](https://support.microsoft.com/help/4564442/windows-10-deployments-fail-with-microsoft-deployment-toolkit) for MDT to address this issue. For the latest information about MDT, see the [MDT release notes](https://docs.microsoft.com/mem/configmgr/mdt/release-notes). 
@@ -118,6 +122,7 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include: - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. +- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). ## Virtualization
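Review bot: the image line in the web-protection-response.md hunk (`@@ -37,22 +37,22 @@`) picks up a leading space, `+ ![Image of the domain or URL entity details page](images/wtp-website-details.png)`, that the machine-to-device rename does not need; drop the space so the diff stays limited to the terminology change and the image keeps its original indentation.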
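Review bot: since the note line in the web-threat-protection.md hunk (`@@ -21,15 +21,15 @@`) is already being edited, fix the adjacent wording too: `>It can take up to an hour for devices to receive new customer indicators.` should say `custom indicators`, matching the `custom indicator list` referenced in the paragraph just above it.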
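Review bot: in the whats-new-in-microsoft-defender-atp.md hunk at `@@ -82,7 +82,7 @@` the link text is renamed while the target keeps its old file name, `[Device health and compliance report](machine-reports.md)` (the same pattern appears as `[Learn more about device entity pages](investigate-machines.md)` in web-protection-response.md); that is correct only if those files are not renamed in this change, so confirm both targets still resolve. Also confirm that rewording dated release-note entries (the November-December 2019, February 2019 and October 2018 items) is intended, since those entries describe features as they were announced at the time.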
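Review bot: the new sentence in the Windows Setup hunk of whats-new-windows-10-version-2004.md (`@@ -50,7 +52,9 @@`) has a stray trailing space inside the link text, `[improved language ](https://oofhours.com/...)`, and reads as incomplete; `have improved language handling` (the wording of the linked post's slug) says what actually improved. The link also points to a personal blog, so if an official page documents this change, prefer it.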
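Review bot: the blog URL in the new `Update less` bullet of the `@@ -118,6 +122,7 @@` hunk carries an opaque fragment, `#l2jH7KMkOkfcWdBs.97`, that looks like a share-tracking anchor rather than a section anchor; trim the link to the article URL so it does not break if that anchor changes.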