deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 21:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into symantec-mdatp

Browse Source
This commit is contained in:
Denise Vangel-MSFT
2020-06-24 11:02:22 -07:00
parent 99133459b5 b850b04c42
commit 9db8371298
567 changed files with 3030 additions and 2311 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
windows/client-management/mdm/certificate-renewal-windows-mdm.md
View File

@ -17,16 +17,13 @@ ms.date: 06/26/2017
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
> [!Note]
> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
@ -35,12 +32,10 @@ The enrolled client certificate expires after a period of use. The expiration da
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
> [!Note]
> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
@ -54,7 +49,7 @@ During the automatic certificate renew process, the device will deny HTTP redire
The following example shows the details of an automatic renewal request.
```
``` xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
@ -106,7 +101,6 @@ The following example shows the details of an automatic renewal request.
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
@ -116,11 +110,10 @@ For more information about the parameters, see the CertificateStore configuratio
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> [!Note]
> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
@ -133,12 +126,12 @@ When RequestType is set to Renew, the web service verifies the following (in add
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
> [!Note]
> The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
```
``` xml
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
@ -163,25 +156,15 @@ The following example shows the details of an certificate renewal response.
</wap-provisioningdoc>
```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
> [!Note]
The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement
 

49
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -14,17 +14,15 @@ ms.date: 02/28/2020
# ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**  
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
> [!Note]
> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
@ -63,7 +61,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
@ -107,9 +104,9 @@ Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
> [!Note]
> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The data type bool.
Supported operations are Get, Add, and Replace.
@ -138,21 +135,20 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
> [!Note]
> An alert is sent after the SCEP certificate is installed.
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/**<strong>*UniqueID*</strong>
A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
> [!Note]
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
@ -191,9 +187,9 @@ Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
> [!Note]
> Even if the private key is protected by TPM, it is not protected with a TPM PIN.
The data type is an integer corresponding to one of the following values:
| Value | Description |
@ -203,7 +199,6 @@ The data type is an integer corresponding to one of the following values:
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. |
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
@ -238,9 +233,9 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
> [!Note]
> This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
@ -294,7 +289,6 @@ Valid values are:
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
@ -302,9 +296,9 @@ Optional. Specifies the desired number of units used in the validity period. Thi
Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
> [!Note]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
@ -358,7 +352,6 @@ The only supported operation is Get.
| 16 | Action failed |
| 32 | Unknown |
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
Optional. An integer value that indicates the HRESULT of the last enrollment error code.
@ -373,7 +366,6 @@ The only supported operation is Get.
## Example
Enroll a client certificate through SCEP.
```xml
@ -669,15 +661,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

29
windows/client-management/mdm/defender-csp.md
View File

@ -120,8 +120,6 @@ The following table describes the supported values:
| 50 | Ransomware |
| 51 | ASR Rule |
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
@ -179,9 +177,9 @@ An interior node to group information about Windows Defender health status.
Supported operation is Get.
<a href="" id="health-productstatus"></a>**Health/ProductStatus**
Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list.
Data type is integer. Supported operation is Get.
Data type is integer. Supported operation is Get.
Supported product status values:
- No status = 0
@ -248,60 +246,60 @@ Supported operation is Get.
<a href="" id="health-defenderenabled"></a>**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-rtpenabled"></a>**Health/RtpEnabled**
Indicates whether real-time protection is running.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-nisenabled"></a>**Health/NisEnabled**
Indicates whether network protection is running.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-quickscanoverdue"></a>**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default)
A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default).
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-fullscanoverdue"></a>**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default)
A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default).
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-signatureoutofdate"></a>**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-rebootrequired"></a>**Health/RebootRequired**
Indicates whether a device reboot is needed.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
<a href="" id="health-fullscanrequired"></a>**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
@ -357,7 +355,7 @@ Supported operation is Get.
<a href="" id="health-tamperprotectionenabled"></a>**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a boolean.
The data type is a Boolean.
Supported operation is Get.
@ -422,5 +420,4 @@ Supported operations are Get and Execute.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

22
windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md
View File

@ -23,7 +23,6 @@ User Experience Virtualization (UE-V) supports Microsoft Application Virtualizat
## UE-V settings synchronization for App-V applications
UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment.
**To implement settings synchronization for a virtualized application**
@ -34,28 +33,11 @@ UE-V monitors when an application opens by the program name and, optionally, by
3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet.
**Note**  
If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**.
> [!NOTE]
> If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**.
4. Start the App-V package.
## Related topics
[Administering UE-V](uev-administering-uev.md)

31
windows/deployment/update/windows-update-resources.md
View File

@ -30,55 +30,52 @@ The following resources provide additional information about using Windows Updat
[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/)
## How do I reset Windows Update components?
[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update.
## Reset Windows Update components manually
1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER:
```console
``` console
cmd
```
2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console
``` console
net stop bits
net stop wuauserv
```
3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER:
```console
``` console
Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
```
4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
1. Rename the following folders to *.BAK:
```console
``` console
%systemroot%\SoftwareDistribution\DataStore
%systemroot%\SoftwareDistribution\Download
%systemroot%\system32\catroot2
```
To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console
``` console
Ren %systemroot%\SoftwareDistribution\DataStore *.bak
Ren %systemroot%\SoftwareDistribution\Download *.bak
Ren %systemroot%\system32\catroot2 *.bak
```
2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console
``` console
sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
```
5. Type the following command at a command prompt, and then press ENTER:
```console
``` console
cd /d %windir%\system32
```
6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console
``` console
regsvr32.exe atl.dll
regsvr32.exe urlmon.dll
regsvr32.exe mshtml.dll
@ -118,20 +115,20 @@ The following resources provide additional information about using Windows Updat
```
7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
```console
``` console
netsh winsock reset
```
8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:
```console
``` console
proxycfg.exe -d
```
9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
```console
``` console
net start bits
net start wuauserv
```
10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
```console
``` console
bitsadmin.exe /reset /allusers
```

14
windows/deployment/usmt/usmt-determine-what-to-migrate.md
View File

@ -16,7 +16,6 @@ ms.topic: article
# Determine What to Migrate
By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration.
However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize.
@ -25,7 +24,6 @@ To reduce complexity and increase standardization, your organization should cons
## In This Section
<table>
<colgroup>
<col width="50%" />
@ -51,18 +49,6 @@ To reduce complexity and increase standardization, your organization should cons
</tbody>
</table>
## Related topics
[What Does USMT Migrate?](usmt-what-does-usmt-migrate.md)

4
windows/deployment/volume-activation/vamt-known-issues.md
View File

@ -48,13 +48,13 @@ On the KMS host computer, perform the following steps:
1. To extract the contents of the update, run the following command:
```cmd
```console
expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\
```
1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command:
```cmd
```console
expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168
```

841
windows/deployment/windows-autopilot/autopilot-mbr.md
View File

@ -1,420 +1,421 @@
---
title: Windows Autopilot motherboard replacement
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment MBR scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot motherboard replacement scenario guidance
**Applies to**
- Windows 10
This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios.
Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEMs require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios.
**Motherboard Replacement (MBR)**
If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended:
1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot
2. [Replace the motherboard](#replace-the-motherboard)
3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device)
4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot
5. [Reset the device](#reset-the-device)
6. [Return the device](#return-the-repaired-device-to-the-customer)
Each of these steps is described below.
## Deregister the Autopilot device from the Autopilot program
Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admins Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC.
**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves.
**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didnt register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune.
### Deregister from Intune
To deregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to their Intune account
2. Navigate to Intune > Groups > All groups
3. Remove the desired device from its group
4. Navigate to Intune > Devices > All devices
5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu
6. Navigate to Intune > Devices > Azure AD devices
7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu
8. Navigate to Intune > Device enrollment > Windows enrollment > Devices
9. Select the checkbox next to the device you want to deregister
10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user”
11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored
12. With the unassigned device still selected, click the Delete button along the top menu to remove this device
**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance.
The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present.
More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group).
### Deregister from MPC
To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would:
1. Log into MPC
2. Navigate to Customer > Devices
3. Select the device to be deregistered and click the “Delete device” button
![devices](images/devices.png)
**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section.
Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call.
Because the repair facility will not have access to the users login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair:
1. Copy all important data off the device.
2. Let the repair facility know which version of Windows they should reinstall after the repair.
3. If applicable, let the repair facility know which version of Office they should reinstall after the repair.
## Replace the motherboard
Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected.
Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after a MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum:
- DiskSerialNumber
- SmbiosSystemSerialNumber
- SmbiosSystemManufacturer
- SmbiosSystemProductName
- SmbiosUuid
- TPM EKPub
- MacAddress
- ProductKeyID
- OSType
**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in a MBR, such as:
- Verify that the device is still functional
- Disable BitLocker*
- Repair the Boot Configuration Data (BCD)
- Repair and verify the network driver operation
*BitLocker can be suspended rather than disbled if the technician has the ability to resume it after the repair.
## Capture a new Autopilot device ID (4K HH) from the device
Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customers login credentials, they will have to reimage the device in order to gain access, per the following steps:
1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition).
2. The repair technician boots the device to WinPE.
3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images).
**NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example.
4. The repair technician boots the device into the new Windows image.
5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below.
Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH).
Alternatively, the [WindowsAutoPilotInfo Powershell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps:
1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below).
2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example.
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
>If you are prompted to install the NuGet package, choose **Yes**.<br>
>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.<br>
>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**.
The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually.
**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device.
## Reregister the repaired device using the new device ID
If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below.
### Reregister from Intune
To reregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to Intune.
2. Navigate to Device enrollment > Windows enrollment > Devices > Import.
3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document).
The following video provides a good overview of how to (re)register devices via MSfB.<br>
> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0]
### Reregister from MPC
To reregister an Autopilot device from MPC, an OEM or CSP would:
1. Sign in to MPC.
2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file.
![device](images/device2.png)<br>
![device](images/device3.png)
In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple were used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID.
**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below:
![hash](images/hh.png)
## Reset the device
Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows:
On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset.
![reset](images/reset.png)
However, its likely the repair facility wont have access to Windows because they lack the user credentials to login, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image).
## Return the repaired device to the customer
After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE.
**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., theres no way to log into the device because its been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves.
**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isnt actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step.
## Specific repair scenarios
This section covers the most common repair scenarios, and their impact on Autopilot enablement.
NOTES ON TEST RESULTS:
- Scenarios below were tested using Intune only (no other MDMs were tested).
- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled.
- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to backup data (if possible) prior to repair.
- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot.
- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID)
In the following table:<br>
- Supported = **Yes**: the device can be reenabled for Autopilot
- Supported = **No**: the device cannot be reenabled for Autopilot
<table border="1">
<th>Scenario<th>Supported<th>Microsoft Recommendation
<tr><td>Motherboard Replacement (MBR) in general<td>Yes<td>The recommended course of action for MBR scenarios is:
1. Autopilot device is deregistered from the Autopilot program
2. The motherboard is replace
3. The device is reimaged (with BIOS info and DPK reinjected)*
4. A new Autopilot device ID (4K HH) is captured off the device
5. The repaired device is reregistered for the Autopilot program using the new device ID
6. The repaired device is reset to boot to OOBE
7. The repaired device is shipped back to the customer
*Its not necessary to reimage the device if the repair technician has access to the customers login credentials. Its technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes.
<tr><td>MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboard<td>No<td>This scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution.
<tr><td>MBR where the NIC card, HDD, and WLAN all remain the same after the repair<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)*
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device
<tr><td>MBR where the NIC card remains the same, but the HDD and WLAN are replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD and WLAN
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where the NIC card and WLAN remains the same, but the HDD is replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.<td>Yes<td>
1. Deregister old device from which MB will be taken
2. Deregister damaged device (that you want to repair)
3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS)
4. Reimage device (to gain access), unless have access to customers login credentials
5. Write old device info into BIOS (same s/n, model, etc.)
6. Capture new 4K HH
7. Reregister repaired device
8. Reset device back to OOBE
9. Go through Autopilot OOBE (customer)
10. Autopilot successfully enabled
<b>NOTE</b>: The repaired device can also be used successfully as a normal, non-Autopilot device.
<tr><td>BIOS info excluded from MBR device<td>No<td>Repair facility does not have BIOS tool to write device info into BIOS after MBR.
1. Deregister damaged device
2. Replace motherboard (BIOS does NOT contain device info)
3. Reimage and write DPK into image
4. Capture new 4K HH
5. Reregister repaired device
6. Create Autopilot profile for device
7. Go through Autopilot OOBE (customer)
8. Autopilot FAILS to recognize repaired device
<tr><td>MBR when there is no TPM chip<td>Yes<td>Though we do not recommend enabling an Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot devices in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would:
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>New DPK written into image on repaired Autopilot device with a new MB<td>Yes<td>Repair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR.
1. Deregister damaged device
2. Replace motherboard BIOS does NOT contain DPK info
3. Reimage device (to gain access), unless have access to customers login credentials
4. Write device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reset or reimage device to pre-OOBE and write DPK into image
7. Reregister repaired device
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>New Repair Product Key (RDPK)<td>Yes<td>Using a MB with a new RDPK preinjected results in a successful Autopilot refurbishment scenario.
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage or rest image to pre-OOBE
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reimage or reset image to pre-OOBE
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>No Repair Product Key (RDPK) injected<td>No<td>This scenario violates Microsoft policy and breaks the Windows Autopilot experience.
<tr><td>Reimage damaged Autopilot device that was not deregistered prior to repair<td>Yes, but the device will still be associated with previous tenant ID, so should only be returned to same customer<td>
1. Reimage damaged device
2. Write DPK into image
3. Go through Autopilot OOBE
4. Autopilot successfully enabled (to previous tenant ID)
<tr><td>Disk replacement from a non-Autopilot device to an Autopilot device<td>Yes<td>
1. Do not deregister damaged device prior to repair
2. Replace HDD on damaged device
3. Reimage or reset image back to OOBE
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled (repaired device recognized as its previous self)
<tr><td>Disk replacement from one Autopilot device to another Autopilot device<td>Maybe<td>If the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience.
Assuming the used HDD was previously deregistered (before being used in this repair):
1. Deregister damaged device
2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device
3. Reimage or rest the repaired device back to a pre-OOBE state
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled
<tr><td>Third party network card replacement <td>No<td>Whether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended.
<tr><td>A device repaired more than 3 times<td>No<td>Autopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future.
<tr><td>Memory replacement<td>Yes<td>Replacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory.
<tr><td>GPU replacement<td>Yes<td>Replacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU.
</table>
>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two.
**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps:
- Memory (RAM or ROM)
- Power Supply
- Video Card
- Card Reader
- Sound card
- Expansion card
- Microphone
- Webcam
- Fan
- Heat sink
- CMOS battery
Other repair scenarios not yet tested and verified include:
- Daughterboard replacement
- CPU replacement
- Wifi replacement
- Ethernet replacement
## FAQ
| Question | Answer |
| --- | --- |
| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. |
| What if only some components are replaced rather than the full motherboard? | While its true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. |
| How does a repair technician gain access to a broken device if they dont have the customers login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. |
## Related topics
---
title: Windows Autopilot motherboard replacement
ms.reviewer:
manager: laurawi
description: Windows Autopilot deployment MBR scenarios
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: deploy
audience: itpro
author: greg-lindsay
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
# Windows Autopilot motherboard replacement scenario guidance
**Applies to**
- Windows 10
This document offers guidance for Windows Autopilot device repair scenarios that Microsoft partners can use in Motherboard Replacement (MBR) situations, and other servicing scenarios.
Repairing Autopilot enrolled devices is complex, as it tries to balance OEM requirements with Windows Autopilot requirements. Specifically, OEMs require strict uniqueness across motherboards, MAC addresses, etc., while Windows Autopilot requires strict uniqueness at the Hardware ID level for each device to enable successful registration. The Hardware ID does not always accommodate all the OEM hardware component requirements, thus these requirements are sometimes at odds, causing issues with some repair scenarios.
**Motherboard Replacement (MBR)**
If a motherboard replacement is needed on a Windows Autopilot device, the following process is recommended:
1. [Deregister the device](#deregister-the-autopilot-device-from-the-autopilot-program) from Windows Autopilot
2. [Replace the motherboard](#replace-the-motherboard)
3. [Capture a new device ID (4K HH)](#capture-a-new-autopilot-device-id-4k-hh-from-the-device)
4. [Reregister the device](#reregister-the-repaired-device-using-the-new-device-id) with Windows Autopilot
5. [Reset the device](#reset-the-device)
6. [Return the device](#return-the-repaired-device-to-the-customer)
Each of these steps is described below.
## Deregister the Autopilot device from the Autopilot program
Before the device arrives at the repair facility, it must be deregistered by the entity that registered it. Only the entity that registered the device can deregister it. This might be the customer IT Admin, the OEM, or the CSP partner. If the IT Admin registered the device, they likely did so via Intune (or possibly the Microsoft Store for Business). In that case, they should deregister the device from Intune (or MSfB). This is necessary because devices registered in Intune will not show up in MPC. However, if the OEM or CSP partner registered the device, they likely did so via the Microsoft Partner Center (MPC). In that case, they should deregister the device from MPC, which will also remove it from the customer IT Admins Intune account. Below, we describe the steps an IT Admin would go through to deregister a device from Intune, and the steps an OEM or CSP would go through to deregister a device from MPC.
**NOTE**: When possible, an OEM or CSP should register Autopilot devices, rather than having the customer do it. This will avoid problems where OEMs or CSPs may not be able to deregister a device if, for example, a customer leasing a device goes out of business before deregistering it themselves.
**EXCEPTION**: If a customer grants an OEM permission to register devices on their behalf via the automated consent process, then an OEM can use the API to deregister devices they didnt register themselves (instead, the customer registered the devices). But keep in mind that this would only remove those devices from the Autopilot program, it would not disenroll them from Intune or disjoin them from AAD. The customer must do those steps, if desired, through Intune.
### Deregister from Intune
To deregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to their Intune account
2. Navigate to Intune > Groups > All groups
3. Remove the desired device from its group
4. Navigate to Intune > Devices > All devices
5. Select the checkbox next to the device you want to delete, then click the Delete button on the top menu
6. Navigate to Intune > Devices > Azure AD devices
7. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu
8. Navigate to Intune > Device enrollment > Windows enrollment > Devices
9. Select the checkbox next to the device you want to deregister
10. Click the extended menu icon (“…”) on the far right end of the line containing the device you want to deregister in order to expose an additional menu with the option to “unassign user”
11. Click “Unassign user” if the device was previously assigned to a user; if not, this option will be grayed-out and can be ignored
12. With the unassigned device still selected, click the Delete button along the top menu to remove this device
**NOTE**: These steps deregister the device from Autopilot, but also unenroll the device from Intune, and disjoin the device from AAD. While it may appear that only deregistering the device from Autopilot is needed, there are certain barriers in place within Intune that necessitate all the steps above be done, which is best practice anyway in case the device gets lost or becomes unrecoverable, to eliminate the possibility of orphaned devices existing in the Autopilot database, or Intune, or AAD. If a device gets into an unrecoverable state, you can contact the appropriate [Microsoft support alias](autopilot-support.md) for assistance.
The deregistration process will take about 15 minutes. You can accelerate the process by clicking the “Sync” button, then “Refresh” the display until the device is no longer present.
More details on deregistering devices from Intune can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group).
### Deregister from MPC
To deregister an Autopilot device from the Microsoft Partner Center (MPC), a CSP would:
1. Log into MPC
2. Navigate to Customer > Devices
3. Select the device to be deregistered and click the “Delete device” button
![devices](images/devices.png)
**NOTE**: Deregistering a device from Autopilot in MPC does only that; it does not also unenroll the device from the MDM (Intune), nor does it disjoin the device from AAD. Therefore, if possible, the OEM/CSP ideally should work with the customer IT Admin to have the device fully removed per the Intune steps in the previous section.
Alternatively, an OEM partner that has integrated the OEM Direct APIs can deregister a device by calling the AutopilotDeviceRegistration API with the TenantID and TenantDomain fields left blank in the request call.
Because the repair facility will not have access to the users login credentials, the repair facility will have to reimage the device as part of the repair process. This means that the customer should do three things before sending the device off for repair:
1. Copy all important data off the device.
2. Let the repair facility know which version of Windows they should reinstall after the repair.
3. If applicable, let the repair facility know which version of Office they should reinstall after the repair.
## Replace the motherboard
Technicians replace the motherboard (or other hardware) on the broken device. A replacement DPK is injected.
Repair and key replacement processes vary between facilities. Sometimes repair facilities receive motherboard spare parts from OEMs that have replacement DPKs already injected, but sometimes not. Sometimes repair facilities receive fully-functional BIOS tools from OEMs, but sometimes not. This means that the quality of the data in the BIOS after an MBR varies. To ensure the repaired device will still be Autopilot-capable following its repair, the new (post-repair) BIOS should be able to successfully gather and populate the following information at a minimum:
- DiskSerialNumber
- SmbiosSystemSerialNumber
- SmbiosSystemManufacturer
- SmbiosSystemProductName
- SmbiosUuid
- TPM EKPub
- MacAddress
- ProductKeyID
- OSType
**NOTE**: For simplicity, and because processes vary between repair facilities, we have excluded many of the additional steps often used in an MBR, such as:
- Verify that the device is still functional
- Disable BitLocker*
- Repair the Boot Configuration Data (BCD)
- Repair and verify the network driver operation
*BitLocker can be suspended rather than disabled if the technician has the ability to resume it after the repair.
## Capture a new Autopilot device ID (4K HH) from the device
Repair technicians must sign in to the repaired device to capture the new device ID. Assuming the repair technician does NOT have access to the customers login credentials, they will have to reimage the device in order to gain access, per the following steps:
1. The repair technician creates a [WinPE bootable USB drive](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#create-a-bootable-windows-pe-winpe-partition).
2. The repair technician boots the device to WinPE.
3. The repair technician [applies a new Windows image to the device](https://docs.microsoft.com/windows-hardware/manufacture/desktop/work-with-windows-images).
**NOTE**: Ideally, the same version of Windows should be reimaged onto the device that was originally on the device, so some coordination will be required between the repair facility and customer to capture this information at the time the device arrives for repair. This might include the customer sending the repair facility a customized image (.ppk file) via a USB stick, for example.
4. The repair technician boots the device into the new Windows image.
5. Once on the desktop, the repair technician captures the new device ID (4K HH) off the device using either the OA3 Tool or the PowerShell script, as described below.
Those repair facilities with access to the OA3 Tool (which is part of the ADK) can use the tool to capture the 4K Hardware Hash (4K HH).
Alternatively, the [WindowsAutoPilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) can be used to capture the 4K HH by following these steps:
1. Install the script from the [PowerShell Gallery](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo) or from the command line (command line installation is shown below).
2. Navigate to the script directory and run it on the device when the device is either in Full OS or Audit Mode. See the following example.
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
>If you are prompted to install the NuGet package, choose **Yes**.<br>
>If, after installing the script you get an error that Get-WindowsAutopilotInfo.ps1 is not found, verify that C:\Program Files\WindowsPowerShell\Scripts is present in your PATH variable.<br>
>If the Install-Script cmdlet fails, verify that you have the default PowerShell repository registered (**Get-PSRepository**) or register the default repository with **Register-PSRepository -Default -Verbose**.
The script creates a .csv file that contains the device information, including the complete 4K HH. Save this file so that you can access it later. The service facility will use this 4K HH to reregister device as described below. Be sure to use the -OutputFile parameter when saving the file, which ensures that file formatting is correct. Do not attempt to pipe the command output to a file manually.
**NOTE**: If the repair facility does not have the ability to run the OA3 tool or PowerShell script to capture the new 4K HH, then the CSP (or OEM) partners must do this for them. Without some entity capturing the new 4K HH, there is no way to reregister this device as an Autopilot device.
## Reregister the repaired device using the new device ID
If an OEM is not able to reregister the device, then the repair facility or CSP should reregister the device using MPC, or the customer IT Admin should be advised to reregister the device via Intune (or MSfB). Both ways of reregistering a device are shown below.
### Reregister from Intune
To reregister an Autopilot device from Intune, an IT Admin would:
1. Sign in to Intune.
2. Navigate to Device enrollment > Windows enrollment > Devices > Import.
3. Click the **Import** button to upload a csv file containing the device ID of the device to be reregistered (the device ID was the 4K HH captured by the PowerShell script or OA3 tool described previously in this document).
The following video provides a good overview of how to (re)register devices via MSfB.<br>
> [!VIDEO https://www.youtube.com/embed/IpLIZU_j7Z0]
### Reregister from MPC
To reregister an Autopilot device from MPC, an OEM or CSP would:
1. Sign in to MPC.
2. Navigate to the Customer > Devices page and click the **Add devices** button to upload the csv file.
![device](images/device2.png)<br>
![device](images/device3.png)
In the case of reregistering a repaired device through MPC, the uploaded csv file must contain the 4K HH for the device, and not just the PKID or Tuple (SerialNumber + OEMName + ModelName). If only the PKID or Tuple was used, the Autopilot service would be unable to find a match in the Autopilot database, since no 4K HH info was ever previously submitted for this essentially “new” device, and the upload will fail, likely returning a ZtdDeviceNotFound error. So, again, only upload the 4K HH, not the Tuple or PKID.
**NOTE**: When including the 4K HH in the csv file, you do NOT also need to include the PKID or Tuple. Those columns may be left blank, as shown below:
![hash](images/hh.png)
## Reset the device
Since the device was required to be in Full OS or Audit Mode to capture the 4K HH, the repair facility must reset the image back to a pre-OOBE state before returning it to the customer. One way this can be accomplished is by using the built-in reset feature in Windows, as follows:
On the device, go to Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Finally, click on Reset.
![reset](images/reset.png)
However, its likely the repair facility wont have access to Windows because they lack the user credentials to sign in, in which case they need to use other means to reimage the device, such as the [Deployment Image Servicing and Management tool](https://docs.microsoft.com/windows-hardware/manufacture/desktop/oem-deployment-of-windows-10-for-desktop-editions#use-a-deployment-script-to-apply-your-image).
## Return the repaired device to the customer
After completing the previous steps, the repaired device can now be returned to the customer, and will be auto-enrolled into the Autopilot program on first boot-up during OOBE.
**NOTE**: If the repair facility did NOT reimage the device, they could be sending it back in a potentially broken state (e.g., theres no way to log into the device because its been dissociated from the only known user account), in which case they should tell the organization that they need to fix the registration and OS themselves.
**IMPORTANT**: A device can be “registered” for Autopilot prior to being powered-on, but the device isnt actually “deployed” to Autopilot (i.e., enabled as an Autopilot device) until it goes through OOBE, which is why resetting the device back to a pre-OOBE state is a required step.
## Specific repair scenarios
This section covers the most common repair scenarios, and their impact on Autopilot enablement.
NOTES ON TEST RESULTS:
- Scenarios below were tested using Intune only (no other MDMs were tested).
- In most test scenarios below, the repaired and reregistered device needed to go through OOBE again for Autopilot to be enabled.
- Motherboard replacement scenarios often result in lost data, so repair centers or customers should be reminded to back up data (if possible) prior to repair.
- In the cases where a repair facility does not have the ability to write device info into the BIOS of the repaired device, new processes need to be created to successfully enable Autopilot.
- Repaired device should have the Product Key (DPK) preinjected in the BIOS before capturing the new 4K HH (device ID)
In the following table:<br>
- Supported = **Yes**: the device can be reenabled for Autopilot
- Supported = **No**: the device cannot be reenabled for Autopilot
<table border="1">
<th>Scenario<th>Supported<th>Microsoft Recommendation
<tr><td>Motherboard Replacement (MBR) in general<td>Yes<td>The recommended course of action for MBR scenarios is:
1. Autopilot device is deregistered from the Autopilot program
2. The motherboard is replace
3. The device is reimaged (with BIOS info and DPK reinjected)*
4. A new Autopilot device ID (4K HH) is captured off the device
5. The repaired device is reregistered for the Autopilot program using the new device ID
6. The repaired device is reset to boot to OOBE
7. The repaired device is shipped back to the customer
*Its not necessary to reimage the device if the repair technician has access to the customers login credentials. Its technically possible to do a successful MBR and Autopilot re-enablement without keys or certain BIOS info (e.g., serial #, model name, etc.), but doing so is only recommended for testing/educational purposes.
<tr><td>MBR when motherboard has a TPM chip (enabled) and only one onboard network card (that also gets replaced)<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless you have access to customers login credentials
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR when motherboard has a TPM chip (enabled) and a second network card (or network interface) that is not replaced along with the motherboard<td>No<td>This scenario is not recommended, as it breaks the Autopilot experience, because the resulting Device ID will not be stable until after TPM attestation has completed, and even then registration may give incorrect results because of ambiguity with MAC Address resolution.
<tr><td>MBR where the NIC card, HDD, and WLAN all remain the same after the repair<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless you have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)*
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
*Note that for this and subsequent scenarios, rewriting old device info would not include the TPM 2.0 endorsement key, as the associated private key is locked to the TPM device
<tr><td>MBR where the NIC card remains the same, but the HDD and WLAN are replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD and WLAN
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where the NIC card and WLAN remains the same, but the HDD is replaced<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Insert new HDD
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that had NOT been Autopilot-enabled before.<td>Yes<td>
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage device (to gain access), unless you have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>MBR where only the MB is replaced (all other parts remain same) but new MB was taken from a previously used device that HAD been Autopilot-enabled before.<td>Yes<td>
1. Deregister old device from which MB will be taken
2. Deregister damaged device (that you want to repair)
3. Replace motherboard in repair device with MB from other Autopilot device (with new RDPK preinjected in BIOS)
4. Reimage device (to gain access), unless you have access to customers login credentials
5. Write old device info into BIOS (same s/n, model, etc.)
6. Capture new 4K HH
7. Reregister repaired device
8. Reset device back to OOBE
9. Go through Autopilot OOBE (customer)
10. Autopilot successfully enabled
<b>NOTE</b>: The repaired device can also be used successfully as a normal, non-Autopilot device.
<tr><td>BIOS info excluded from MBR device<td>No<td>Repair facility does not have BIOS tool to write device info into BIOS after MBR.
1. Deregister damaged device
2. Replace motherboard (BIOS does NOT contain device info)
3. Reimage and write DPK into image
4. Capture new 4K HH
5. Reregister repaired device
6. Create Autopilot profile for device
7. Go through Autopilot OOBE (customer)
8. Autopilot FAILS to recognize repaired device
<tr><td>MBR when there is no TPM chip<td>Yes<td>Though we do not recommend enabling Autopilot devices without a TPM chip (which is recommended for BitLocker encryption), it is possible to enable an Autopilot device in “standard user” mode (but NOT Self-deploying mode) that does not have a TPM chip. In this case, you would:
1. Deregister damaged device
2. Replace motherboard
3. Reimage device (to gain access), unless you have access to customers login credentials
4. Write old device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reregister repaired device
7. Reset device back to OOBE
8. Go through Autopilot OOBE (customer)
9. Autopilot successfully enabled
<tr><td>New DPK written into image on repaired Autopilot device with a new MB<td>Yes<td>Repair facility replaces normal MB on damaged device. MB does not contain any DPK in the BIOS. Repair facility writes DPK into image after MBR.
1. Deregister damaged device
2. Replace motherboard BIOS does NOT contain DPK info
3. Reimage device (to gain access), unless you have access to customers login credentials
4. Write device info into BIOS (same s/n, model, etc.)
5. Capture new 4K HH
6. Reset or reimage device to pre-OOBE and write DPK into image
7. Reregister repaired device
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>New Repair Product Key (RDPK)<td>Yes<td>Using a motherboard with a new RDPK preinjected results in a successful Autopilot refurbishment scenario.
1. Deregister damaged device
2. Replace motherboard (with new RDPK preinjected in BIOS)
3. Reimage or rest image to pre-OOBE
4. Write device info into BIOS
5. Capture new 4K HH
6. Reregister repaired device
7. Reimage or reset image to pre-OOBE
8. Go through Autopilot OOBE
9. Autopilot successfully enabled
<tr><td>No Repair Product Key (RDPK) injected<td>No<td>This scenario violates Microsoft policy and breaks the Windows Autopilot experience.
<tr><td>Reimage damaged Autopilot device that was not deregistered prior to repair<td>Yes, but the device will still be associated with previous tenant ID, so should only be returned to same customer<td>
1. Reimage damaged device
2. Write DPK into image
3. Go through Autopilot OOBE
4. Autopilot successfully enabled (to previous tenant ID)
<tr><td>Disk replacement from a non-Autopilot device to an Autopilot device<td>Yes<td>
1. Do not deregister damaged device prior to repair
2. Replace HDD on damaged device
3. Reimage or reset image back to OOBE
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled (repaired device recognized as its previous self)
<tr><td>Disk replacement from one Autopilot device to another Autopilot device<td>Maybe<td>If the device from which the HDD is taken was itself previously deregistered from Autopilot, then that HDD can be used in a repair device. But if the HDD was never previously deregistered from Autopilot before being used in a repaired device, the newly repaired device will not have the proper Autopilot experience.
Assuming the used HDD was previously deregistered (before being used in this repair):
1. Deregister damaged device
2. Replace HDD on damaged device using a HDD from another deregistered Autopilot device
3. Reimage or rest the repaired device back to a pre-OOBE state
4. Go through Autopilot OOBE (customer)
5. Autopilot successfully enabled
<tr><td>Non-Microsoft network card replacement <td>No<td>Whether from a non-Autopilot device to an Autopilot device, from one Autopilot device to another Autopilot device, or from an Autopilot device to a non-Autopilot device, any scenario where a 3rd party (not onboard) Network card is replaced will break the Autopilot experience, and is not recommended.
<tr><td>A device repaired more than 3 times<td>No<td>Autopilot is not supported when a device is repeatedly repaired, so that whatever parts NOT replaced become associated with too many parts that have been replaced, which would make it difficult to uniquely identify that device in the future.
<tr><td>Memory replacement<td>Yes<td>Replacing the memory on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the memory.
<tr><td>GPU replacement<td>Yes<td>Replacing the GPU(s) on a damaged device does not negatively affect the Autopilot experience on that device. No de/reregistration is needed. The repair technician simply needs to replace the GPU.
</table>
>When scavenging parts from another Autopilot device, we recommend unregistering the scavenged device from Autopilot, scavenging it, and then NEVER REGISTERING THE SCAVENGED DEVICE (AGAIN) FOR AUTOPILOT, because reusing parts this way may cause two active devices to end up with the same ID, with no possibility of distinguishing between the two.
**NOTE**: The following parts may be replaced without compromising Autopilot enablement or requiring special additional repair steps:
- Memory (RAM or ROM)
- Power Supply
- Video Card
- Card Reader
- Sound card
- Expansion card
- Microphone
- Webcam
- Fan
- Heat sink
- CMOS battery
Other repair scenarios not yet tested and verified include:
- Daughterboard replacement
- CPU replacement
- Wifi replacement
- Ethernet replacement
## FAQ
| Question | Answer |
| --- | --- |
| If we have a tool that programs product information into the BIOS after the MBR, do we still need to submit a CBR report for the device to be Autopilot-capable? | No. Not if the in-house tool writes the minimum necessary information into the BIOS that the Autopilot program looks for to identify the device, as described earlier in this document. |
| What if only some components are replaced rather than the full motherboard? | While its true that some limited repairs do not prevent the Autopilot algorithm from successfully matching the post-repair device with the pre-repair device, it is best to ensure 100% success by going through the MBR steps above even for devices that only needed limited repairs. |
| How does a repair technician gain access to a broken device if they dont have the customers login credentials? | The technician will have to reimage the device and use their own credentials during the repair process. |
## Related topics
[Device guidelines](autopilot-device-guidelines.md)<br>

10
windows/deployment/windows-autopilot/bitlocker.md
View File

@ -23,9 +23,9 @@ ms.topic: article
- Windows 10
With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encrytion algorithm is not applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
With Windows Autopilot, you can configure the BitLocker encryption settings to be applied before automatic encryption is started. This ensures that the default encryption algorithm isn't applied automatically when this is not the desired setting. Other BitLocker policies that must be applied prior to encryption can also be delivered before automatic BitLocker encryption begins.
The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
The BitLocker encryption algorithm is used when BitLocker is first enabled, and sets the strength to which full volume encryption should occur. Available encryption algorithms are: AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption. The default value is XTS-AES 128-bit encryption. See [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) for information about the recommended encryption algorithms to use.
To ensure the desired BitLocker encryption algorithm is set before automatic encryption occurs for Autopilot devices:
@ -39,11 +39,11 @@ An example of Microsoft Intune Windows Encryption settings is shown below.
![BitLocker encryption settings](images/bitlocker-encryption.png)
Note that a device which is encrypted automatically will need to be decrypted prior to changing the encryption algorithm.
**Note**: A device that is encrypted automatically will need to be decrypted prior to changing the encryption algorithm.
The settings are available under Device Configuration -> Profiles -> Create profile -> Platform = Windows 10 and later, Profile type = Endpoint protection -> Configure -> Windows Encryption -> BitLocker base settings, Configure encryption methods = Enable.
Note: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
**Note**: It is also recommended to set Windows Encryption -> Windows Settings -> Encrypt = **Require**.
## Requirements
@ -51,4 +51,4 @@ Windows 10, version 1809 or later.
## See also
[Bitlocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)
[BitLocker overview](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview)

12
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -28,7 +28,7 @@ To get started with Windows Autopilot, you should try it out with a virtual mach
In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V.
> [!NOTE]
> Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
> Although there are [multiple platforms](add-devices.md#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
@ -43,7 +43,7 @@ The following video provides an overview of the process:
These are the things you'll need to complete this lab:
<table><tr><td>Windows 10 installation media</td><td>Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an <a href="https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise" data-raw-source="[evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise)">evaluation version of Windows 10 Enterprise</a>.</td></tr>
<tr><td>Internet access</td><td>If you are behind a firewall, see the detailed <a href="windows-autopilot-requirements-network.md" data-raw-source="[networking requirements](windows-autopilot-requirements-network.md)">networking requirements</a>. Otherwise, just ensure that you have a connection to the Internet.</td></tr>
<tr><td>Internet access</td><td>If you are behind a firewall, see the detailed <a href="windows-autopilot-requirements.md#networking-requirements" data-raw-source="[networking requirements](windows-autopilot-requirements.md#networking-requirements)">networking requirements</a>. Otherwise, just ensure that you have a connection to the Internet.</td></tr>
<tr><td>Hyper-V or a physical device running Windows 10</td><td>The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.</td></tr>
<tr><td>A Premium Intune account</td><td>This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.</td></tr></table>
@ -110,9 +110,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh
> Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
![hyper-v feature](../images/hyper-v-feature.png)
![Hyper-V feature](images/hyper-v-feature.png)
![hyper-v](../images/svr_mgr2.png)
![Hyper-V](images/svr_mgr2.png)
<P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
@ -401,7 +401,7 @@ Optional: see the following video for an overview of the process.
First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one.
Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** on the upper-right-corner of the main page.
Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
@ -469,7 +469,7 @@ Click on **OK** and then click on **Create**.
Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
To create a Group, open the Azure portal and select **Azure Active Directory** > **Groups** > **All groups**:
![All groups](images/all-groups.png)

18
windows/deployment/windows-autopilot/existing-devices.md
View File

@ -59,7 +59,7 @@ See the following examples.
>[!TIP]
>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/download/details.aspx?id=54616).
1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window
1. On an Internet connected Windows PC or server, open an elevated Windows PowerShell command window
2. Enter the following lines to install the necessary modules
#### Install required modules
@ -118,7 +118,7 @@ See the following examples.
|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. |
| CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. |
| CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. |
| CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, for example: tenant.onmicrosoft.com. |
| CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
| CloudAssignedDomainJoinMethod (number, required) | This property specifies whether the device should join Azure Active Directory or Active Directory (Hybrid Azure AD Join). Values include: Active AD Join = 0, Hybrid Azure AD Join = 1 |
| CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment. <br>0 = not required, 1 = required. |
@ -175,7 +175,7 @@ See the following examples.
4. Click **Next**, then enter the following **Membership Rules** details:
- Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection.
- For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples.
- For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next**, and then choose **PC-01** under **Resources**. See the following examples.
![Named resource1](images/pc-01a.png)
![Named resource2](images/pc-01b.png)
@ -198,7 +198,7 @@ See the following examples.
- <u>Boot Image</u>: Click **Browse** and select a Windows 10 boot image (1803 or later)
- Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later.
- Select the **Partition and format the target computer before installing the operating system** checkbox.
- Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional.
- Select or clear **Configure task sequence for use with BitLocker** checkbox. This is optional.
- <u>Product Key</u> and <u>Server licensing mode</u>: Optionally enter a product key and server licensing mode.
- <u>Randomly generate the local administrator password and disable the account on all support platforms (recommended)</u>: Optional.
- <u>Enable the account and specify the local administrator password</u>: Optional.
@ -210,7 +210,7 @@ See the following examples.
>[!IMPORTANT]
> The System Preparation Tool (sysprep) will run with the /Generalize parameter which, on Windows 10 versions 1903 and 1909, will delete the Autopilot profile file and the machine will boot into OOBE phase instead of Autopilot phase. To fix this issue, please see [Windows Autopilot - known issues](https://docs.microsoft.com/windows/deployment/windows-autopilot/known-issues).
5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page.
5. Click **Next**, and then click **Next** again to accept the default settings on the Install Configuration Manager page.
6. On the State Migration page, enter the following details:
- Clear the **Capture user settings and files** checkbox.
- Clear the **Capture network settings** checkbox.
@ -222,7 +222,7 @@ See the following examples.
7. On the Include Updates page, choose one of the three available options. This selection is optional.
8. On the Install applications page, add applications if desired. This is optional.
9. Click **Next**, confirm settings, click **Next** and then click **Close**.
9. Click **Next**, confirm settings, click **Next**, and then click **Close**.
10. Right click on the Autopilot for existing devices task sequence and click **Edit**.
11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action.
12. Click **Add** then click **New Group**.
@ -245,7 +245,7 @@ See the following examples.
24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step:
- <u>Automatically build mass storage driver list</u>: **Not selected**
- <u>Do not reset activation flag</u>: **Not selected**
- <u>Shutdown the computer after running this action</u>: **Optional**
- <u>Shut down the computer after running this action</u>: **Optional**
![Autopilot task sequence](images/ap-ts-1.png)
@ -259,9 +259,9 @@ See the following examples.
Next, ensure that all content required for the task sequence is deployed to distribution points.
1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**.
2. Click **Next**, **Review the content to distribute** and then click **Next**.
2. Click **Next**, **Review the content to distribute**, and then click **Next**.
3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**.
4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run.
4. On the Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run.
5. When you are finished specifying content distribution, click **Next** twice then click **Close**.
### Deploy the OS with Autopilot Task Sequence

BIN
windows/deployment/windows-autopilot/images/hyper-v-feature.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/deployment/windows-autopilot/images/svr_mgr2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

4
windows/deployment/windows-autopilot/policy-conflicts.md
View File

@ -29,11 +29,11 @@ There are a significant number of policy settings available for Windows 10, both
<th>Policy<th>More information
<tr><td width="50%">Device restriction / <a href="https://docs.microsoft.com/windows/client-management/mdm/devicelock-csp">Password Policy</a></td>
<td>When certain <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-devicelock">DeviceLock policies</a>, such as minimum password length and password complexity, or any similar group policy settings, including any that disable auto-logon, are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience or user desktop auto-logon could fail unexpectantly. This is especially true for kiosk scenarios where passwords are automatically generated.</td>
<td>When certain <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-devicelock">DeviceLock policies</a>, such as minimum password length and password complexity, or any similar group policy settings (including any that disable autologon) are applied to a device, and that device reboots during the device Enrollment Status Page (ESP), the out-of-box experience (OOBE) or user desktop autologon can fail unexpectantly. This is especially true for kiosk scenarios where passwords are automatically generated.</td>
<tr><td width="50%">Windows 10 Security Baseline / <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions">Administrator elevation prompt behavior</a>
<br>Windows 10 Security Baseline / <a href="https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions">Require admin approval mode for administrators</a></td>
<td>When modifying user account control (UAC) settings during the out-of-box experience (OOBE) using device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.</td>
<td>When modifying user account control (UAC) settings during the OOBE using the device Enrollment Status Page (ESP), additional UAC prompts may result, especially if the device reboots after these policies are applied, enabling them to take effect. To work around this issue, the policies can be targeted to users instead of devices so that they apply later in the process.</td>
</table>

68
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -25,34 +25,34 @@ Windows Autopilot is designed to simplify all parts of the Windows device lifecy
## Troubleshooting process
Regardless of whether performing user-driven or self-deploying device deployments, the troubleshooting process is the mostly the same. It is useful to understand the flow for a specific device:
Whether you are performing user-driven or self-deploying device deployments, the troubleshooting process is about the same. It is always useful to understand the flow for a specific device:
- Network connection established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
- Windows Autopilot profile downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
- User authentication. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
- Azure Active Directory join. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
- Automatic MDM enrollment. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (e.g. Microsoft Intune).
- A network connection is established. This can be a wireless (Wi-fi) or wired (Ethernet) connection.
- The Windows Autopilot profile is downloaded. Whether using a wired connection or manually establishing a wireless connection, the Windows Autopilot profile will be downloaded from the Autopilot deployment service as soon as the network connection is in place.
- User authentication occurs. When performing a user-driven deployment, the user will enter their Azure Active Directory credentials, which will be validated.
- Azure Active Directory join occurs. For user-driven deployments, the device will be joined to Azure AD using the specified user credentials. For self-deploying scenarios, the device will be joined without specifying any user credentials.
- Automatic MDM enrollment occurs. As part of the Azure AD join process, the device will enroll in the MDM service configured in Azure AD (for example, Microsoft Intune).
- Settings are applied. If the [enrollment status page](enrollment-status.md) is configured, most settings will be applied while the enrollment status page is displayed. If not configured or available, settings will be applied after the user is signed in.
For troubleshooting, key activities to perform are:
- Configuration. Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
- Network connectivity. Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
- Autopilot OOBE behavior. Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
- Azure AD join issues. Was the device able to join Azure Active Directory?
- MDM enrollment issues. Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
- Configuration: Has Azure Active Directory and Microsoft Intune (or an equivalent MDM service) been configured as specified in [Windows Autopilot configuration requirements](windows-autopilot-requirements.md)?
- Network connectivity: Can the device access the services described in [Windows Autopilot networking requirements](windows-autopilot-requirements.md)?
- Autopilot OOBE behavior: Were only the expected out-of-box experience screens displayed? Was the Azure AD credentials page customized with organization-specific details as expected?
- Azure AD join issues: Was the device able to join Azure Active Directory?
- MDM enrollment issues: Was the device able to enroll in Microsoft Intune (or an equivalent MDM service)?
## Troubleshooting Autopilot Device Import
### Clicking Import after selecting CSV does nothing, '400' error appears in network trace with error body **"Cannot convert the literal '[DEVICEHASH]' to the expected type 'Edm.Binary'"**
This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself, even if completely valid, fails to be decoded.
This error points to the device hash being incorrectly formatted. This could be caused by anything that corrupts the collected hash, but one possibility is that the hash itself (even if it is completely valid) fails to be decoded.
The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. Powershell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded.
The device hash is Base64. At the device level, it's encoded as unpadded Base64, but Autopilot expects padded Base64. In most cases, it seems the payload lines up to not require padding, so the process works, but sometimes it doesn't line up cleanly and padding is necessary. This is when you get the error above. PowerShell's Base64 decoder also expects padded Base64, so we can use that to validate that the hash is properly padded.
The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding "A"s at the end doesn't change the actual payload data.
The "A" characters at the end of the hash are effectively empty data - Each character in Base64 is 6 bits, A in Base64 is 6 bits equal to 0. Deleting or adding **A**'s at the end doesn't change the actual payload data.
To fix this, we'll need to modify the hash, then test the new value, until powershell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string".
To fix this, we'll need to modify the hash, then test the new value, until PowerShell succeeds in decoding the hash. The result is mostly illegible, this is fine - we're just looking for it to not throw the error "Invalid length for a Base-64 char array or string".
To test the base64, you can use the following:
```powershell
@ -88,35 +88,35 @@ If the expected Autopilot behavior does not occur during the out-of-box experien
### Windows 10 version 1803 and above
To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs > Microsoft > Windows > Provisioning-Diagnostics-Provider > AutoPilot** for versions before 1903, or **Application and Services Logs > Microsoft > Windows > ModernDeployment-Diagnostics-Provider > AutoPilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration.
To see details related to the Autopilot profile settings and OOBE flow, Windows 10 version 1803 and above adds event log entries. These can be viewed using Event Viewer, navigating to the log at **Application and Services Logs > Microsoft > Windows > Provisioning-Diagnostics-Provider > Autopilot** for versions before 1903, or **Application and Services Logs > Microsoft > Windows > ModernDeployment-Diagnostics-Provider > Autopilot** for 1903 and above. The following events may be recorded, depending on the scenario and profile configuration.
| Event ID | Type | Description |
|----------|------|-------------|
| 100 | Warning | “AutoPilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
| 101 | Info | “AutoPilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
| 103 | Info | “AutoPilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
| 109 | Info | “AutoPilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
| 111 | Info | “AutoPilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
| 153 | Info | “AutoPilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
| 160 | Info | “AutoPilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
| 161 | Info | “AutoPilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
| 163 | Info | “AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
| 164 | Info | “AutoPilotManager determined Internet is available to attempt policy download.” |
| 171 | Error | “AutoPilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
| 172 | Error | “AutoPilotManager failed to set AutoPilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
| 100 | Warning | “Autopilot policy [name] not found.” This is typically a temporary problem, while the device is waiting for an Autopilot profile to be downloaded. |
| 101 | Info | “AutopilotGetPolicyDwordByName succeeded: policy name = [setting name]; policy value [value].” This shows Autopilot retrieving and processing numeric OOBE settings. |
| 103 | Info | “AutopilotGetPolicyStringByName succeeded: policy name = [name]; value = [value].” This shows Autopilot retrieving and processing OOBE setting strings such as the Azure AD tenant name. |
| 109 | Info | “AutopilotGetOobeSettingsOverride succeeded: OOBE setting [setting name]; state = [state].” This shows Autopilot retrieving and processing state-related OOBE settings. |
| 111 | Info | “AutopilotRetrieveSettings succeeded.” This means that the settings stored in the Autopilot profile that control the OOBE behavior have been retrieved successfully. |
| 153 | Info | “AutopilotManager reported the state changed from [original state] to [new state].” Typically this should say “ProfileState_Unknown” to “ProfileState_Available” to show that a profile was available for the device and downloaded, so the device is ready to be deployed using Autopilot. |
| 160 | Info | “AutopilotRetrieveSettings beginning acquisition.” This shows that Autopilot is getting ready to download the needed Autopilot profile settings. |
| 161 | Info | “AutopilotManager retrieve settings succeeded.” The Autopilot profile was successfully downloaded. |
| 163 | Info | “AutopilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.” This message indicates that an Autopilot profile is resident on the device; it typically would only be removed by the **Sysprep /Generalize** process. |
| 164 | Info | “AutopilotManager determined Internet is available to attempt policy download.” |
| 171 | Error | “AutopilotManager failed to set TPM identity confirmed. HRESULT=[error code].” This indicates an issue performing TPM attestation, needed to complete the self-deploying mode process. |
| 172 | Error | “AutopilotManager failed to set Autopilot profile as available. HRESULT=[error code].” This is typically related to event ID 171. |
In addition to the event log entries, the registry and ETW trace options described below also work with Windows 10 version 1803 and above.
### Windows 10 version 1709 and above
On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot**. Available registry entries include:
On Windows 10 version 1709 and above, information about the Autopilot profile settings are stored in the registry on the device after they are received from the Autopilot deployment service. These can be found at **HKLM\SOFTWARE\Microsoft\Provisioning\Diagnostics\Autopilot**. Available registry entries include:
| Value | Description |
|-------|-------------|
| AadTenantId | The GUID of the Azure AD tenant the user signed into. This should match the tenant that the device was registered with; if it does not match the user will receive an error. |
| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, e.g. “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
| CloudAssignedTenantDomain | The Azure AD tenant the device has been registered with, for example, “contosomn.onmicrosoft.com.” If the device is not registered with Autopilot, this value will be blank. |
| CloudAssignedTenantId | The GUID of the Azure AD tenant the device has been registered with (the GUID corresponds to the tenant domain from the CloudAssignedTenantDomain registry value). If the device isnt registered with Autopilot, this value will be blank.|
| IsAutoPilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
| IsAutopilotDisabled | If set to 1, this indicates that the device is not registered with Autopilot. This could also indicate that the Autopilot profile could not be downloaded due to network connectivity or firewall issues, or network timeouts. |
| TenantMatched | This will be set to 1 if the tenant ID of the user matches the tenant ID that the device was registered with. If this is 0, the user would be shown an error and forced to start over. |
| CloudAssignedOobeConfig | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 |
@ -128,7 +128,7 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
An Azure AD device is created upon import - it's important that this object is not deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
@ -138,13 +138,13 @@ See [this knowledge base article](https://support.microsoft.com/help/4089533/tro
Error code 80180018 will typically be reported on an error page titled "Something went wrong". This error means that the MDM enrollment failed.
If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help.
If Autopilot Reset fails immediately with an error **Ran into trouble. Please sign in with an administrator account to see why and reset manually**, see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help.
## Profile download
When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC.
When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table.
When a profile is downloaded depends upon the version of Windows 10 that is running on the PC. See the following table.
| Windows 10 version | Profile download behavior |
| --- | --- |

63
windows/deployment/windows-autopilot/user-driven.md
View File

@ -47,6 +47,7 @@ For more information on the available join options, see the following sections:
- [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain.
- [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain.
- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity.
## User-driven mode for Azure Active Directory join
@ -83,11 +84,65 @@ To perform a user-driven hybrid Azure AD joined deployment using Windows Autopil
- Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf.
- If using Proxy, WPAD Proxy settings option must be enabled and configured.
**Azure AD device join**: The hybrid Azure AD join process uses the system context to perform device Azure AD join, therefore it is not affected by user based Azure AD join permission settings. In addition, all users are enabled to join devices to Azure AD by default.
The hybrid Azure AD join process uses the system context to register the device to Azure AD, therefore it is not affected by user based Azure AD join permission settings.
### Step by step instructions
## User-driven mode for hybrid Azure Active Directory join with VPN support
Devices that are joined to Active Directory require connectivity to an Active Directory domain controller for a variety of activities, such as user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller.
With the additional of VPN support for this scenario, it is now possible for you to specify to skip that connectivity check during the Hybrid Azure AD Join. This does not eliminate the need for communicating with an Active Directory domain controller, but rather enables the device to be first prepared with a needed VPN configuration delivered via Intune prior to the user attempting to sign into Windows, allowing connectivity to the organization's network.
### Requirements
The following additional requirements apply for Hybrid Azure AD Join with VPN support:
- A supported version of Windows 10:
- Windows 10 1903 + December 10th Cumulative update (KB4530684, OS build 18362.535) or higher
- Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher
- Windows 10 2004 or later
- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile.
- A VPN configuration that can be deployed via Intune that enables the user to manualy establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed.
The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider.
> [!NOTE]
> The VPN requirements are not specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts do not need connectivity since the cached credentials can be used.
In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device.
Note that user certificates are not supported because these certificates cannot be deployed until the user logs in. Also, third-party UWP VPN plug-ins delivered from the Windows Store are also not supported because these are not installed until after the user signs in.
### Validation
Before attempting a hybrid Azure AD Join using VPN, it is important to first confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network, before adding in the additional requirements described below. This simplifies troubleshooting by making sure the core process works fine before adding the additional VPN configuration required.
Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed via Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process, so you can validate the configuration using steps such as these:
- From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command.
- Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName"
- Log out and verify that the "VPN connection" icon can be seen on the Windows logon page.
- Move the device off the corporate network and attempt to establish the connection using the icon on the Windows logon page, signing into an account that does not have cached credentials.
For VPN configurations that automatically connect, the validation steps may be different.
> [!NOTE]
> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile.
To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it:
- Press Shift-F10 to open a command prompt.
- Insert a USB key containing the donwloaded update.
- Install the update using the command (substituting the real file name): WUSA.EXE <filename>.msu /quiet
- Reboot the computer using the command: shutdown.exe /r /t 0
Alternatively, you can invoke Windows Update to install the latest updates through this process:
- Press Shift-F10 to open a command prompt.
- Run the command "start ms-settings:"
- Navigate to the "Update & Security" node and check for updates.
- Reboot after the updates are installed.
## Step by step instructions
See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid).

18
windows/deployment/windows-autopilot/windows-autopilot-requirements.md
View File

@ -26,7 +26,8 @@ ms.custom:
Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
> [!NOTE]
> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
## Software requirements
@ -46,8 +47,8 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following:
- Ensure DNS name resolution for internet DNS names
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP)
- Ensure DNS name resolution for internet DNS names.
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).
In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details:
@ -84,7 +85,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
<tr><td><b>Office 365<b><td>As part of the Intune device configuration, installation of Microsoft 365 Apps for enterprise may be required. For more information, see <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2">Office 365 URLs and IP address ranges</a> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
<tr><td><b>Certificate revocation lists (CRLs)<b><td>Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl">Office 365 URLs and IP address ranges</a> and <a href="https://aka.ms/o365chains">Office 365 Certificate Chains</a>.
<tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a>
<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See <a href="https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations">TPM recommendations</a> for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See <a href="https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations">TPM recommendations</a> for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
<br>Intel- https://ekop.intel.com/ekcertservice
<br>Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
@ -97,9 +98,9 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business)
- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline)
- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx)
- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business).
- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline).
- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx).
- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
@ -120,7 +121,7 @@ Before Windows Autopilot can be used, some configuration tasks are required to s
- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties).
- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise.
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
@ -133,7 +134,6 @@ For a walkthrough for some of these and related steps, see this video:
<iframe width="560" height="315" src="https://www.youtube.com/embed/KYVptkpsOqs" frameborder="0" allow="accelerometer; autoplay; encrypted-media" gyroscope; picture-in-picture" allowfullscreen></iframe>
There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications).
## Related topics

6
windows/deployment/windows-autopilot/windows-autopilot-whats-new.md
View File

@ -29,6 +29,12 @@ The following [Windows Autopilot updates](autopilot-update.md) are available. **
No updates are available yet. Check back here later for more information.
## New in Windows 10, version 2004
With this release, you can configure Windows Autopilot [user-driven](user-driven.md) Hybrid Azure Active Directory join with VPN support. This support is also backported to Windows 10, version 1909 and 1903.
If you configure the language settings in the Autopilot profile and the device is connected to Ethernet, all scenarios will now skip the language, locale, and keyboard pages. In previous versions, this was only supported with self-deploying profiles.
## New in Windows 10, version 1903
[Windows Autopilot for white glove deployment](white-glove.md) is new in Windows 10, version 1903. See the following video:

2
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware
- TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware
- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
The Virtualization-based security requires:

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -40,7 +40,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers.
If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business.
Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
> [!NOTE]
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.

11
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -133,9 +133,14 @@ This table provides info about the most common problems you might encounter whil
</td>
</tr>
<tr>
<td>By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks.</td>
<td>OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon)</td>
<td>If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them, preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business.</td>
<td>OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.</td>
<td>OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.</td>
<td>"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
1. Close the notebook in OneNote.
2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>
</tr>
<tr>
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.

84
windows/security/threat-protection/TOC.md
View File

@ -248,6 +248,18 @@
#### [Privacy](microsoft-defender-atp/linux-privacy.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Microsoft Defender Advanced Threat Protection for Android]()
#### [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp/microsoft-defender-atp-android.md)
#### [Deploy]()
##### [Deploy Microsoft Defender ATP for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md)
#### [Configure]()
##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
## [Security operations]()
@ -267,26 +279,26 @@
##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
##### [Investigate files](microsoft-defender-atp/investigate-files.md)
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate devices](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
#### [Devices list]()
##### [View and organize the Devices list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage device group and tags](microsoft-defender-atp/machine-tags.md)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
##### [Take response actions on a device]()
###### [Response actions on devices](microsoft-defender-atp/respond-machine-alerts.md)
###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-machines)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-microsoft-defender-antivirus-scan-on-devices)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Isolate devices from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-devices-from-the-network)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
@ -307,7 +319,7 @@
##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Investigate entities using Live response]()
##### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
##### [Investigate entities on devices](microsoft-defender-atp/live-response.md)
##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
@ -318,7 +330,7 @@
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Device health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Custom detections]()
@ -375,21 +387,21 @@
## [How-to]()
### [Onboard devices to the service]()
#### [Onboard machines to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
#### [Onboard devices to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md)
#### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md)
#### [Onboard Windows 10 machines]()
#### [Onboard Windows 10 devices]()
##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md)
##### [Onboard machines using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
##### [Onboard machines using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
##### [Onboard machines using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
##### [Onboard machines using a local script](microsoft-defender-atp/configure-endpoints-script.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](microsoft-defender-atp/configure-endpoints-vdi.md)
##### [Onboard devices using Group Policy](microsoft-defender-atp/configure-endpoints-gp.md)
##### [Onboard devices using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/configure-endpoints-sccm.md)
##### [Onboard devices using Mobile Device Management tools](microsoft-defender-atp/configure-endpoints-mdm.md)
##### [Onboard devices using a local script](microsoft-defender-atp/configure-endpoints-script.md)
##### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](microsoft-defender-atp/configure-endpoints-vdi.md)
#### [Onboard servers](microsoft-defender-atp/configure-server-endpoints.md)
#### [Onboard non-Windows machines](microsoft-defender-atp/configure-endpoints-non-windows.md)
#### [Onboard machines without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
#### [Run a detection test on a newly onboarded machine](microsoft-defender-atp/run-detection-test.md)
#### [Run simulated attacks on machines](microsoft-defender-atp/attack-simulations.md)
#### [Onboard non-Windows devices](microsoft-defender-atp/configure-endpoints-non-windows.md)
#### [Onboard devices without Internet access](microsoft-defender-atp/onboard-offline-machines.md)
#### [Run a detection test on a newly onboarded device](microsoft-defender-atp/run-detection-test.md)
#### [Run simulated attacks on devices](microsoft-defender-atp/attack-simulations.md)
#### [Configure proxy and Internet connectivity settings](microsoft-defender-atp/configure-proxy-internet.md)
#### [Create an onboarding or offboarding notification rule](microsoft-defender-atp/onboarding-notification.md)
@ -397,9 +409,9 @@
##### [Troubleshoot issues during onboarding](microsoft-defender-atp/troubleshoot-onboarding.md)
##### [Troubleshoot subscription and portal access issues](microsoft-defender-atp/troubleshoot-onboarding-error-messages.md)
### [Manage machine configuration]()
#### [Ensure your machines are configured properly](microsoft-defender-atp/configure-machines.md)
#### [Monitor and increase machine onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
### [Manage device configuration]()
#### [Ensure your devices are configured properly](microsoft-defender-atp/configure-machines.md)
#### [Monitor and increase device onboarding](microsoft-defender-atp/configure-machines-onboarding.md)
#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
@ -416,8 +428,8 @@
##### [Use basic permissions to access the portal](microsoft-defender-atp/basic-permissions.md)
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
###### [Create and manage roles](microsoft-defender-atp/user-roles.md)
###### [Create and manage machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
###### [Create and manage device groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
#### [Rules]()
@ -426,9 +438,9 @@
##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)
#### [Machine management]()
##### [Onboarding machines](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding machines](microsoft-defender-atp/offboard-machines.md)
#### [Device management]()
##### [Onboarding devices](microsoft-defender-atp/onboard-configure.md)
##### [Offboarding devices](microsoft-defender-atp/offboard-machines.md)
#### [Configure Microsoft Defender Security Center time zone settings](microsoft-defender-atp/time-settings.md)
@ -464,7 +476,7 @@
####### [Get alert related domains information](microsoft-defender-atp/get-alert-related-domain-info.md)
####### [Get alert related file information](microsoft-defender-atp/get-alert-related-files-info.md)
####### [Get alert related IPs information](microsoft-defender-atp/get-alert-related-ip-info.md)
####### [Get alert related machine information](microsoft-defender-atp/get-alert-related-machine-info.md)
####### [Get alert related device information](microsoft-defender-atp/get-alert-related-machine-info.md)
####### [Get alert related user information](microsoft-defender-atp/get-alert-related-user-info.md)
###### [Machine]()
@ -587,9 +599,9 @@
#### [Role-based access control]()
##### [Manage portal access using RBAC](microsoft-defender-atp/rbac.md)
##### [Create and manage roles](microsoft-defender-atp/user-roles.md)
##### [Create and manage machine groups]()
###### [Using machine groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage machine tags](microsoft-defender-atp/machine-tags.md)
##### [Create and manage device groups]()
###### [Using device groups](microsoft-defender-atp/machine-groups.md)
###### [Create and manage device tags](microsoft-defender-atp/machine-tags.md)
#### [Configure managed security service provider (MSSP) integration](microsoft-defender-atp/configure-mssp-support.md)
@ -625,8 +637,8 @@
#### [Troubleshoot sensor state]()
##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md)
##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md)
##### [Inactive machines](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-machines)
##### [Misconfigured machines](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-machines)
##### [Inactive devices](microsoft-defender-atp/fix-unhealthy-sensors.md#inactive-devices)
##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices)
##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md)
#### [Troubleshoot Microsoft Defender ATP service issues]()

2
windows/security/threat-protection/index.md
View File

@ -94,7 +94,7 @@ Endpoint detection and response capabilities are put in place to detect, investi
- [Alerts](microsoft-defender-atp/alerts-queue.md)
- [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline)
- [Response orchestration](microsoft-defender-atp/response-actions.md)
- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
- [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md)
- [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
- [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md)

2
windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
View File

@ -53,7 +53,7 @@ Because your protection is a cloud service, computers must have access to the in
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`|
| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/> for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/> `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |

BIN
windows/security/threat-protection/microsoft-defender-antivirus/images/mdatp-2-downloadpackages.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 181 KiB

After

Width:  |  Height:  |  Size: 172 KiB

26
windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
View File

@ -35,7 +35,7 @@ Turn on this feature to take advantage of the automated investigation and remedi
## Live response
Turn on this feature so that users with the appropriate permissions can start a live response session on machines.
Turn on this feature so that users with the appropriate permissions can start a live response session on devices.
For more information about role assignments, see [Create and manage roles](user-roles.md).
@ -52,7 +52,7 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
>[!NOTE]
>
>- The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.
>- The result of the auto-resolve action may influence the Device risk level calculation which is based on the active alerts found on a device.
>- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
## Allow or block file
@ -62,7 +62,7 @@ Blocking is only available if your organization fulfills these requirements:
- Uses Microsoft Defender Antivirus as the active antimalware solution and,
- The cloud-based protection feature is enabled
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on devices in your organization.
To turn **Allow or block** files on:
@ -80,7 +80,7 @@ After turning on this feature, you can [block files](respond-file-alerts.md#allo
Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they will be allowed or blocked based on your custom indicator list.
To use this feature, machines must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
To use this feature, devices must be running Windows 10 version 1709 or later. They should also have network protection in block mode and version 4.18.1906.3 or later of the antimalware platform [see KB 4052623](https://go.microsoft.com/fwlink/?linkid=2099834).
For more information, see [Manage indicators](manage-indicators.md).
@ -93,7 +93,7 @@ Turn on this feature so that you can see user details stored in Azure Active Dir
- Security operations dashboard
- Alert queue
- Machine details page
- Device details page
For more information, see [Investigate a user account](investigate-user.md).
@ -102,11 +102,11 @@ For more information, see [Investigate a user account](investigate-user.md).
Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
>[!NOTE]
> When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
> When a device is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when devices are in isolation mode.
## Azure Advanced Threat Protection integration
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the device-based investigation capability by pivoting across the network from an identify point of view.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
@ -117,7 +117,7 @@ Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microso
### Enable the Microsoft Defender ATP integration from the Azure ATP portal
To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
1. Log in to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
@ -125,18 +125,18 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
3. Toggle the Integration setting to **On** and click **Save**.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
After completing the integration steps on both portals, you'll be able to see relevant alerts in the device details or user details page.
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows machines.
When you turn this feature on, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.
To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
## Microsoft Threat Experts
@ -150,11 +150,11 @@ Out of the two Microsoft Threat Expert components, targeted attack notification
Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
>[!NOTE]
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
>This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions.
## Azure Information Protection
Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
Turning on this setting allows signals to be forwarded to Azure Information Protection. It gives data owners and administrators visibility into protected data on onboarded devices and device risk ratings.
## Microsoft Intune connection

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -1,7 +1,7 @@
---
title: Query best practices for advanced hunting
description: Learn how to construct fast, efficient, and error-free threat hunting queries when using advanced hunting
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -40,7 +40,7 @@ Apply these recommendations to get results faster and avoid timeouts while runni
## Query tips and pitfalls
### Queries with process IDs
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific machine, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the machine identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
Process IDs (PIDs) are recycled in Windows and reused for new processes. On their own, they can't serve as unique identifiers for specific processes. To get a unique identifier for a process on a specific device, use the process ID together with the process creation time. When you join or summarize data around processes, include columns for the device identifier (either `DeviceId` or `DeviceName`), the process ID (`ProcessId` or `InitiatingProcessId`), and the process creation time (`ProcessCreationTime` or `InitiatingProcessCreationTime`).
The following example query finds processes that access more than 10 IP addresses over port 445 (SMB), possibly scanning for file shares.

6
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceAlertEvents table in the advanced hunting schema
description: Learn about alert generation events in the DeviceAlertEvents table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -34,8 +34,8 @@ For information on other tables in the advanced hunting schema, see [the advance
|-------------|-----------|-------------|
| `AlertId` | string | Unique identifier for the alert |
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `Severity` | string | Indicates the potential impact (high, medium, or low) of the threat indicator or breach activity identified by the alert |
| `Category` | string | Type of threat indicator or breach activity identified by the alert |
| `Title` | string | Title of the alert |

14
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
View File

@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
@ -44,19 +44,19 @@ For information on other tables in the advanced hunting schema, see [the advance
| `AccountName` |string | User name of the account |
| `AccountSid` | string | Security Identifier (SID) of the account |
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information |
| `ProcessId` | int | Process ID (PID) of the newly created process |
| `ProcessCommandLine` | string | Command line used to create the new process |
| `ProcessCreationTime` | datetime | Date and time the process was created |
| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
| `RegistryKey` | string | Registry key that the recorded action was applied to |
| `RegistryValueName` | string | Name of the registry value that the recorded action was applied to |
| `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
| `RemoteIP` | string | IP address that was being connected to |
| `RemotePort` | int | TCP port on the remote device that was being connected to |
| `LocalIP` | string | IP address assigned to the local machine used during communication |
| `LocalPort` | int | TCP port on the local machine used during communication |
| `LocalIP` | string | IP address assigned to the local device used during communication |
| `LocalPort` | int | TCP port on the local device used during communication |
| `FileOriginUrl` | string | URL where the file was downloaded from |
| `FileOriginIP` | string | IP address where the file was downloaded from |
| `AdditionalFields` | string | Additional information about the event in JSON array format |
@ -74,7 +74,7 @@ For information on other tables in the advanced hunting schema, see [the advance
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |

6
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceFileCertificateInfo table in the advanced hunting schema
description: Learn about file signing information in the DeviceFileCertificateInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -33,8 +33,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `SHA1` | string | SHA-1 of the file that the recorded action was applied to |
| `IsSigned` | boolean | Indicates whether the file is signed |
| `SignatureType` | string | Indicates whether signature information was read as embedded content in the file itself or read from an external catalog file |

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
View File

@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advanc
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
View File

@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |

28
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceInfo table in the advanced hunting schema
description: Learn about OS, computer name, and other machine information in the DeviceInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, machine, OS, platform, users, MachineInfo
description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -25,25 +25,25 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about machines in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `ClientVersion` | string | Version of the endpoint agent or sensor running on the machine |
| `PublicIP` | string | Public IP address used by the onboarded machine to connect to the Microsoft Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy |
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| `OSBuild` | string | Build version of the operating system running on the machine |
| `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| `RegistryDeviceTag` | string | Machine tag added through the registry |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ClientVersion` | string | Version of the endpoint agent or sensor running on the device |
| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy |
| `OSArchitecture` | string | Architecture of the operating system running on the device |
| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 |
| `OSBuild` | string | Build version of the operating system running on the device |
| `IsAzureADJoined` | boolean | Boolean indicator of whether device is joined to the Azure Active Directory |
| `LoggedOnUsers` | string | List of all users that are logged on the device at the time of the event in JSON array format |
| `RegistryDeviceTag` | string | Device tag added through the registry |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
| `OSVersion` | string | Version of the operating system running on the machine |
| `OSVersion` | string | Version of the operating system running on the device |
| `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
## Related topics

12
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
View File

@ -32,15 +32,15 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string |Type of activity that triggered the event |
| `AccountDomain` | string | Domain of the account |
| `AccountName` | string | User name of the account |
| `AccountSid` | string | Security Identifier (SID) of the account |
| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
| `RemoteDeviceName` | string | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
| `RemoteIP` | string | IP address that was being connected to |
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| `RemotePort` | int | TCP port on the remote device that was being connected to |
@ -63,7 +63,7 @@ For information on other tables in the advanced hunting schema, see [the advance
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the machine |
| `IsLocalAdmin` | boolean | Boolean indicator of whether the user is a local administrator on the device |
## Related topics
- [Advanced hunting overview](advanced-hunting-overview.md)

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
View File

@ -32,14 +32,14 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string | Type of activity that triggered the event |
| `RemoteIP` | string | IP address that was being connected to |
| `RemotePort` | int | TCP port on the remote device that was being connected to |
| `RemoteUrl` | string | URL or fully qualified domain name (FQDN) that was being connected to |
| `LocalIP` | string | IP address assigned to the local machine used during communication |
| `LocalPort` | int | TCP port on the local machine used during communication |
| `LocalIP` | string | IP address assigned to the local device used during communication |
| `LocalPort` | int | TCP port on the local device used during communication |
| `Protocol` | string | IP protocol used, whether TCP or UDP |
| `LocalIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceNetworkInfo table in the advanced hunting schema
description: Learn about network configuration information in the DeviceNetworkInfo table of the advanced hunting schema
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, machine, mac, ip, adapter, dns, dhcp, gateway, tunnel, MachineNetworkInfo
keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -25,15 +25,15 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of machines, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table.
For information on other tables in the advanced hunting schema, see [the advanced hunting schema reference](advanced-hunting-schema-reference.md).
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the `DeviceName` and `Timestamp` columns |
| `NetworkAdapterName` | string | Name of the network adapter |
| `MacAddress` | string | MAC address of the network adapter |

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
View File

@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string | Type of activity that triggered the event |
| `FileName` | string | Name of the file that the recorded action was applied to |
| `FolderPath` | string | Folder containing the file that the recorded action was applied to |
@ -48,11 +48,11 @@ For information on other tables in the advanced hunting schema, see [the advance
| `AccountDomain` | string | Domain of the account |
| `AccountName` | string | User name of the account |
| `AccountSid` | string | Security Identifier (SID) of the account |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same device only between restarts |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event |
| `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event |
| `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources |
| `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
View File

@ -32,8 +32,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `Timestamp` | datetime | Date and time when the event was recorded |
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `ActionType` | string | Type of activity that triggered the event |
| `RegistryKey` | string | Registry key that the recorded action was applied to |
| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |

10
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide machine information as well as security configuration details, impact, and compliance information.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -34,9 +34,9 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7.|
| `Timestamp` | datetime |Date and time when the record was generated |
| `ConfigurationId` | string | Unique identifier for a specific configuration |
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls |

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema
description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10

12
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceTvmSoftwareInventoryVulnerabilities table in the advanced hunting schema
description: Learn about the inventory of software in your devices and their vulnerabilities in the DeviceTvmSoftwareInventoryVulnerabilities table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -35,11 +35,11 @@ For information on other tables in the advanced hunting schema, see [the advance
| Column name | Data type | Description |
|-------------|-----------|-------------|
| `DeviceId` | string | Unique identifier for the machine in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the machine |
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `OSVersion` | string | Version of the operating system running on the machine |
| `OSArchitecture` | string | Architecture of the operating system running on the machine |
| `DeviceId` | string | Unique identifier for the device in the service |
| `DeviceName` | string | Fully qualified domain name (FQDN) of the device |
| `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
| `OSVersion` | string | Version of the operating system running on the device |
| `OSArchitecture` | string | Architecture of the operating system running on the device |
| `SoftwareVendor` | string | Name of the software vendor |
| `SoftwareName` | string | Name of the software product |
| `SoftwareVersion` | string | Version number of the software product |

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md
View File

@ -1,7 +1,7 @@
---
title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema
description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10

4
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md
View File

@ -1,7 +1,7 @@
---
title: Overview of advanced hunting in Microsoft Defender ATP
description: Use threat hunting capabilities in Microsoft Defender ATP to build queries that find threats and weaknesses in your network
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -25,7 +25,7 @@ ms.topic: article
Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines.
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured devices.
## Get started with advanced hunting
Watch this video for a quick overview of advanced hunting and a short tutorial that will get you started fast.

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -1,7 +1,7 @@
---
title: Learn the advanced hunting query language
description: Create your first threat hunting query and learn about common operators and other aspects of the advanced hunting query language
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10

10
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md
View File

@ -1,7 +1,7 @@
---
title: Work with advanced hunting query results in Microsoft Defender ATP
description: Make the most of the query results returned by advanced hunting in Microsoft Defender ATP
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -77,8 +77,8 @@ These results are best visualized using a stacked column chart:
![Image of advanced hunting query results displayed as a stacked chart](images/advanced-hunting-stacked-chart.jpg)
*Query results for alerts by OS and severity displayed as a stacked chart*
#### Top ten machine groups with alerts
If you're dealing with a list of values that isnt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten machine groups with the most alerts, use the query below:
#### Top ten device groups with alerts
If you're dealing with a list of values that isnt finite, you can use the `Top` operator to chart only the values with the most instances. For example, to get the top ten device groups with the most alerts, use the query below:
```kusto
DeviceAlertEvents
@ -89,7 +89,7 @@ DeviceAlertEvents
Use the pie chart view to effectively show distribution across the top groups:
![Image of advanced hunting query results displayed as a pie chart](images/advanced-hunting-pie-chart.jpg)
*Pie chart showing distribution of alerts across machine groups*
*Pie chart showing distribution of alerts across device groups*
#### Malware detections over time
Using the `summarize` operator with the `bin()` function, you can check for events involving a particular indicator over time. The query below counts detections of an EICAR test file at 30 minute intervals to show spikes in detections of that file:
@ -113,7 +113,7 @@ After running a query, select **Export** to save the results to local file. Your
- **Any chart** — the query results are exported as a JPEG image of the rendered chart
## Drill down from query results
To view more information about entities, such as machines, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
To view more information about entities, such as devices, files, users, IP addresses, and URLs, in your query results, simply click the entity identifier. This opens a detailed profile page for the selected entity.
## Tweak your queries from the results
Right-click a value in the result set to quickly enhance your query. You can use the options to:

8
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md
View File

@ -1,7 +1,7 @@
---
title: Advanced hunting schema reference
description: Learn about the tables in the advanced hunting schema to understand the data you can run threat hunting queries on
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -27,7 +27,7 @@ ms.date: 01/14/2020
[!include[Prerelease information](../../includes/prerelease.md)]
The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about machines and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
The [advanced hunting](advanced-hunting-overview.md) schema is made up of multiple tables that provide either event information or information about devices and other entities. To effectively build queries that span multiple tables, you need to understand the tables and the columns in the advanced hunting schema.
## Schema tables
@ -38,8 +38,8 @@ Table and column names are also listed within the Microsoft Defender Security Ce
| Table name | Description |
|------------|-------------|
| **[DeviceAlertEvents](advanced-hunting-devicealertevents-table.md)** | Alerts on Microsoft Defender Security Center |
| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Machine information, including OS information |
| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[DeviceInfo](advanced-hunting-deviceinfo-table.md)** | Device information, including OS information |
| **[DeviceNetworkInfo](advanced-hunting-devicenetworkinfo-table.md)** | Network properties of devices, including adapters, IP and MAC addresses, as well as connected networks and domains |
| **[DeviceProcessEvents](advanced-hunting-deviceprocessevents-table.md)** | Process creation and related events |
| **[DeviceNetworkEvents](advanced-hunting-devicenetworkevents-table.md)** | Network connection and related events |
| **[DeviceFileEvents](advanced-hunting-devicefileevents-table.md)** | File creation, modification, and other file system events |

2
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -1,7 +1,7 @@
---
title: Use shared queries in advanced hunting
description: Start threat hunting immediately with predefined and shared queries. Share your queries to the public or to your organization.
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, windows defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10

8
windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md
View File

@ -20,7 +20,7 @@ ms.date: 09/03/2018
---
# Alerts queue in Microsoft Defender Security Center
Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as machines, files, or user accounts.
Learn how you can view and manage the queue so that you can effectively investigate threats seen on entities such as devices, files, or user accounts.
## In this section
@ -30,9 +30,9 @@ Topic | Description
[Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert.
[Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them.
[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event.
[Investigate machines](investigate-machines.md)| Investigate the details of a machine associated with a specific alert, behaviour, or event.
[Investigate an IP address](investigate-ip.md) | Examine possible communication between machines in your network and external internet protocol (IP) addresses.
[Investigate a domain](investigate-domain.md) | Investigate a domain to see if machines and servers in your network have been communicating with a known malicious domain.
[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event.
[Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses.
[Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain.
[Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.

24
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -26,10 +26,10 @@ ms.date: 03/27/2020
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink)
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
There are several options you can choose from to customize the alerts queue view.
@ -51,7 +51,7 @@ You can apply the following filters to limit the list of alerts and get a more f
Alert severity | Description
:---|:---
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on machines. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
@ -60,15 +60,15 @@ Informational </br>(Grey) | Alerts that might not be considered harmful to the n
Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual machine, if infected.
The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization.
The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization.
So, for example:
- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage.
- An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat.
- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High".
- Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
#### Understanding alert categories
@ -118,16 +118,16 @@ You can choose between showing alerts that are assigned to you or automation.
Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
>[!NOTE]
>The Microsoft Defender Antivirus filter will only appear if machines are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
>The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
### OS platform
Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
### Machine group
### Device group
If you have specific machine groups that you're interested in checking, you can select the groups to limit the alerts queue view.
If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.
### Associated threat
@ -138,7 +138,7 @@ Use this filter to focus on alerts that are related to high profile threats. You
- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md)
- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md)
- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md)
- [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md)
- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md)
- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md)
- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md)
- [Investigate a user account in Microsoft Defender ATP](investigate-user.md)

4
windows/security/threat-protection/microsoft-defender-atp/alerts.md
View File

@ -45,8 +45,8 @@ id | String | Alert ID.
title | String | Alert title.
description | String | Alert description.
alertCreationTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was created.
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
lastEventTime | Nullable DateTimeOffset | The last occurrence of the event that triggered the alert on the same device.
firstEventTime | Nullable DateTimeOffset | The first occurrence of the event that triggered the alert on that device.
lastUpdateTime | Nullable DateTimeOffset | The date and time (in UTC) the alert was last updated.
resolvedTime | Nullable DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
incidentId | Nullable Long | The [Incident](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) ID of the Alert.

50
windows/security/threat-protection/microsoft-defender-atp/android-configure.md Normal file
View File

@ -0,0 +1,50 @@
---
title: Configure Microsoft Defender ATP for Android features
ms.reviewer:
description: Describes how to configure Microsoft Defender ATP for Android
keywords: microsoft, defender, atp, android, configuration
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure Microsoft Defender ATP for Android features
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
## Conditional Access with Microsoft Defender ATP for Android
Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active
Directory enables enforcing Device compliance and Conditional Access policies
based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
(MTD) solution that you can deploy to leverage this capability via Intune.
For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
## Configure custom indicators
>[!NOTE]
> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains.
Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md).
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md)

294
windows/security/threat-protection/microsoft-defender-atp/android-intune.md Normal file
View File

@ -0,0 +1,294 @@
---
title: Deploy Microsoft Defender ATP for Android with Microsoft Intune
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune
keywords: microsoft, defender, atp, android, installation, deploy, uninstallation,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Deploy Microsoft Defender ATP for Android with Microsoft Intune
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
This topic describes deploying Microsoft Defender ATP for Android on Intune
Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your
device](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/aka.ms/enrollAndroid).
> [!NOTE]
> During public preview, instructions to deploy Microsoft Defender ATP for Android on Intune enrolled Android devices are different across Device Administrator and Android Enterprise entrollment modes. <br>
> **When Microsoft Defender ATP for Android reaches General Availability (GA), the app will be available on Google Play.**
## Deploy on Device Administrator enrolled devices
**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device
Administrator enrolled devices**
This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. Upgrade from the Preview APK to the GA version on Google Play would be supported.
### Download the onboarding package
Download the onboarding package from Microsoft Defender Security Center.
1. In [Microsoft Defender Security
Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com), go to **Settings** \> **Machine Management** \> **Onboarding**.
2. In the first drop-down, select **Android** as the Operating system.
3. Select **Download Onboarding package** and save the downloaded .APK file.
![Image of onboarding package page](images/onboarding_package_1.png)
### Add as Line of Business (LOB) App
The downloaded Microsoft Defender ATP for Android onboarding package. It is a
.APK file can be deployed to user groups as a Line of Business app during the
preview from Microsoft Endpoint Manager Admin Center.
1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add \> Line-of-business app** and click **Select**.
![Image of Microsoft Endpoint Manager Admin Center](images/eba67e1a3adfec2c77c35a34cb030fba.png)
2. On the **Add app** page and in the *App Information* section, click **Select
add package file** and then click the ![Icon](images/1a62eac0222a9ba3c2fd62744bece76e.png) icon and select the MDATP Universal APK file that was downloaded from the *Download Onboarding package* step.
![Image of Microsoft Endpoint Manager Admin Center](images/e78d36e06495c2f70eb14230de6f7429.png)
3. Select **OK**.
4. In the *App Information* section that comes up, enter the **Publisher** as
Microsoft. Other fields are optional and then select **Next**.
![Image of Microsoft Endpoint Manager Admin Center](images/190a979ec5b6a8f57c9067fe1304cda8.png)
5. In the *Assignments* section, go to the **Required** section and select **Add
group.** You can then choose the user group(s) that you would like to target
Microsoft Defender ATP for Android app. Click **Select** and then **Next**.
>[!NOTE]
>The selected user group should consist of Intune enrolled users.
![Image of Microsoft Endpoint Manager Admin Center](images/363bf30f7d69a94db578e8af0ddd044b.png)
6. In the **Review+Create** section, verify that all the information entered is
correct and then select **Create**.
In a few moments, the Microsoft Defender ATP app would be created successfully,
and a notification would show up at the top-right corner of the page.
![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png)
7. In the app information page that is displayed, in the **Monitor** section,
select **Device install status** to verify that the device installation has
completed successfully.
![Image of Microsoft Endpoint Manager Admin Center](images/513cf5d59eaaef5d2b5bc122715b5844.png)
During Public Preview, to **update** Microsoft Defender ATP for Android deployed
as a Line of Business app, download the latest APK. Following the steps in
*Download the onboarding package* section and follow instructions on how to [update
a Line of Business
App](https://docs.microsoft.com/mem/intune/apps/lob-apps-android#step-5-update-a-line-of-business-app).
### Complete onboarding and check status
1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon.
![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg)
2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions
to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android.
3. Upon successful onboarding, the device will start showing up on the Devices
list in Microsoft Defender Security Center.
![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
## Deploy on Android Enterprise enrolled devices
Microsoft Defender ATP for Android supports Android Enterprise enrolled devices.
For more information on the enrollment options supported by Intune, see
[Enrollment
Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
As Microsoft Defender ATP for Android is deployed via managed Google Play,
updates to the app are automatic via Google Play.
Currently only Work Profile, Fully Managed devices are supported for deployment.
>[!NOTE]
>During Public Preview, to access Microsoft Defender ATP in your managed Google Play, contact [atpm@microsoft.com](mailto:atpm@microsoft.com) with the organization ID of your managed Google Play for next steps. This can be found under the **Admin Settings** of [managed Google Play](https://play.google.com/work/).<br>
> At General Availability (GA), Microsoft Defender ATP for Android will be available as a public app. Upgrades from preview to GA version will be supported.
## Add Microsoft Defender ATP for Android as a managed Google Play app
After receiving a confirmation e-mail from Microsoft that your managed Google
Play organization ID has been approved, follow the steps below to add Microsoft
Defender ATP app into your managed Google Play.
1. In [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \>
**Android Apps** \> **Add** and select **managed Google Play app**.
![Image of Microsoft Endpoint Manager admin center](images/579ff59f31f599414cedf63051628b2e.png)
2. On your managed Google Play page that loads subsequently, go to the search
box and lookup **Microsoft Defender.** Your search should display the Microsoft
Defender ATP app in your Managed Google Play. Click on the Microsoft Defender
ATP app from the Apps search result.
![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png)
3. In the App description page that comes up next, you should be able to see app
details on Microsoft Defender ATP. Review the information on the page and then
select **Approve**.
![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png)
4. You should now be presented with the permissions that Microsoft Defender ATP
obtains for it to work. Review them and then select **Approve**.
![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png)
5. You'll be presented with the Approval settings page. The page confirms
your preference to handle new app permissions that Microsoft Defender ATP for
Android might ask. Review the choices and select your preferred option. Select
**Done**.
By default, managed Google Play selects *Keep approved when app requests new
permissions*
![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png)
6. After the permissions handling selection is made, select **Sync** to sync
Microsoft Defender ATP to your apps list.
![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png)
7. The sync will complete in a few minutes.
![Image of Android app](images/9fc07ffc150171f169dc6e57fe6f1c74.png)
8. Select the **Refresh** button in the Android apps screen and Microsoft
Defender ATP should be visible in the apps list.
![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png)
9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s).
a. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
![Image of Microsoft Endpoint Manager admin center](images/android-mem.png)
b. In the **Create app configuration policy** page, enter the following details:
- Name: Microsoft Defender ATP.
- Choose **Android Enterprise** as platform.
- Choose **Work Profile only** as Profile Type.
- Click **Select App**, choose **Microsoft Defender ATP**, select **OK** and then **Next**.
![Image of create app configuration policy page](images/android-create-app.png)
c. In the **Settings** page, go to the Permissions section click on Add to view the list of supported permissions. In the Add Permissions section, select the following permissions
- External storage (read)
- External storage (write)
Then select **OK**.
![Image of create app configuration policy](images/android-create-app-config.png)
d. You should now see both the permissions listed and now you can autogrant both by choosing autogrant in the **Permission state** drop-down and then select **Next**.
![Image of create app configuration policy](images/android-auto-grant.png)
e. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app.
![Image of create app configuration policy](images/android-select-group.png)
f. In the **Review + Create** page that comes up next, review all the information and then select **Create**. <br>
The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group.
![Image of create app configuration policy](images/android-review-create.png)
10. Select **Microsoft Defender ATP** app in the list \> **Properties** \>
**Assignments** \> **Edit**.
![Image of list of apps](images/9336bbd778cff5e666328bb3db7c76fd.png)
11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of
the device via Company Portal app. This assignment can be done by navigating to
the *Required* section \> **Add group,** selecting the user group and click
**Select**.
![Image of edit application page](images/ea06643280075f16265a596fb9a96042.png)
12. In the **Edit Application** page, review all the information that was entered
above. Then select **Review + Save** and then **Save** again to commence
assignment.
## Complete onboarding and check status
1. Confirm the installation status of Microsoft Defender ATP for Android by
clicking on the **Device Install Status**. Verif that the device is
displayed here.
![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
2. On the device, you can confirm the same by going to the **work profile** and
confirm that Microsoft Defender ATP is available.
![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
3. When the app is installed, open the app and accept the permissions
and then your onboarding should be successful.
![Image of mobile device with Microsoft Defender ATP app](images/23c125534852dcef09b8e37c98e82148.png)
4. At this stage the device is successfully onboarded onto Microsoft Defender
ATP for Android. You can verify this on the [Microsoft Defender Security
Center](https://microsoft.sharepoint.com/teams/WDATPIndia/Shared%20Documents/General/PM%20Docs/External%20Documentation/securitycenter.microsoft.com)
by navigating to the **Devices** page.
![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png)
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
- [Configure Microsoft Defender ATP for Android features](android-configure.md)

229
windows/security/threat-protection/microsoft-defender-atp/android-terms.md Normal file
View File

@ -0,0 +1,229 @@
---
title: Microsoft Defender ATP for Android Application license terms
ms.reviewer:
description: Describes the Microsoft Defender ATP for Android license terms
keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope,
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
hideEdit: true
---
# Microsoft Defender ATP for Android application license terms
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md)
## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP
These license terms ("Terms") are an agreement between Microsoft Corporation (or
based on where you live, one of its affiliates) and you. Please read them. They
apply to the application named above. These Terms also apply to any Microsoft
- updates,
- supplements,
- Internet-based services, and
- support services
for this application, unless other terms accompany those items. If so, those
terms apply.
**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM,
DO NOT USE THE APPLICATION.**
**If you comply with these Terms, you have the perpetual rights below.**
1. **INSTALLATION AND USE RIGHTS.**
1. **Installation and Use.** You may install and use any number of copies
of this application on Android enabled device or devices which you own
or control. You may use this application with your company's valid
subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or
an online service that includes MDATP functionalities.
2. **Updates.** Updates or upgrades to MDATP may be required for full
functionality. Some functionality may not be available in all countries.
3. **Third Party Programs.** The application may include third party
programs that Microsoft, not the third party, licenses to you under this
agreement. Notices, if any, for the third-party program are included for
your information only.
2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to
Internet access, data transfer and other services per the terms of the data
service plan and any other agreement you have with your network operator due
to use of the application. You are solely responsible for any network
operator charges.
3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with
the application. It may change or cancel them at any time.
1. Consent for Internet-Based or Wireless Services. The application may
connect to Internet-based wireless services. Your use of the application
operates as your consent to the transmission of standard device
information (including but not limited to technical information about
your device, system and application software, and peripherals) for
Internet-based or wireless services. If other terms are provided in
connection with your use of the services, those terms also apply.
- Data. Some online services require, or may be enhanced by, the
installation of local software like this one. At your, or your
admin's direction, this software may send data from a device to or
from an online service.
- Usage Data. Microsoft automatically collects usage and performance
data over the internet. This data will be used to provide and
improve Microsoft products and services and enhance your experience.
You may limit or control collection of some usage and performance
data through your device settings. Doing so may disrupt your use of
certain features of the application. For additional information on
Microsoft's data collection and use, see the [Online Services
Terms](https://go.microsoft.com/fwlink/?linkid=2106777).
2. Misuse of Internet-based Services. You may not use any Internet-based
service in any way that could harm it or impair anyone else's use of it
or the wireless network. You may not use the service to try to gain
unauthorized access to any service, data, account or network by any
means.
4. **FEEDBACK.** If you give feedback about the application to Microsoft, you
give to Microsoft, without charge, the right to use, share and commercialize
your feedback in any way and for any purpose. You also give to third
parties, without charge, any patent rights needed for their products,
technologies and services to use or interface with any specific parts of a
Microsoft software or service that includes the feedback. You will not give
feedback that is subject to a license that requires Microsoft to license its
software or documentation to third parties because we include your feedback
in them. These rights survive this agreement.
5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement
only gives you some rights to use the application. Microsoft reserves all
other rights. Unless applicable law gives you more rights despite this
limitation, you may use the application only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in
the application that only allow you to use it in certain ways. You may not
- work around any technical limitations in the application;
- reverse engineer, decompile or disassemble the application, except and
only to the extent that applicable law expressly permits, despite this
limitation;
- make more copies of the application than specified in this agreement or
allowed by applicable law, despite this limitation;
- publish the application for others to copy;
- rent, lease or lend the application; or
- transfer the application or this agreement to any third party.
6. **EXPORT RESTRICTIONS.** The application is subject to United States export
laws and regulations. You must comply with all domestic and international
export laws and regulations that apply to the application. These laws
include restrictions on destinations, end users and end use. For additional
information,
see<65>[www.microsoft.com/exporting](https://www.microsoft.com/exporting).
7. **SUPPORT SERVICES.** Because this application is "as is," we may not
provide support services for it. If you have any issues or questions about
your use of this application, including questions about your company's
privacy policy, please contact your company's admin. Do not contact the
application store, your network operator, device manufacturer, or Microsoft.
The application store provider has no obligation to furnish support or
maintenance with respect to the application.
8. **APPLICATION STORE.**
1. If you obtain the application through an application store (e.g., Google
Play), please review the applicable application store terms to ensure
your download and use of the application complies with such terms.
Please note that these Terms are between you and Microsoft and not with
the application store.
2. The respective application store provider and its subsidiaries are third
party beneficiaries of these Terms, and upon your acceptance of these
Terms, the application store provider(s) will have the right to directly
enforce and rely upon any provision of these Terms that grants them a
benefit or rights.
9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and
Microsoft 365 are registered or common-law trademarks of Microsoft
Corporation in the United States and/or other countries.
10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates,
Internet-based services, and support services that you use are the entire
agreement for the application and support services.
11. **APPLICABLE LAW.**
1. **United States.** If you acquired the application in the United States,
Washington state law governs the interpretation of this agreement and
applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other
claims, including claims under state consumer protection laws, unfair
competition laws, and in tort.
2. **Outside the United States.** If you acquired the application in any
other country, the laws of that country apply.
12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may
have other rights under the laws of your country. You may also have rights
with respect to the party from whom you acquired the application. This
agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL
FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND
WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND
EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO
EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE
APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE
ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL
CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE
IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NON-INFRINGEMENT.**
**FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.**
14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT
PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO
ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER
DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR
INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.**
This limitation applies to:
- anything related to the application, services, content (including code) on
third party Internet sites, or third party programs; and
- claims for breach of contract, warranty, guarantee or condition; consumer
protection; deception; unfair competition; strict liability, negligence,
misrepresentation, omission, trespass or other tort; violation of statute or
regulation; or unjust enrichment; all to the extent permitted by applicable
law.
It also applies even if:
a. Repair, replacement or refund for the application does not fully compensate
you for any losses; or
b. Covered Parties knew or should have known about the possibility of the
damages.
The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

2
windows/security/threat-protection/microsoft-defender-atp/api-explorer.md
View File

@ -22,7 +22,7 @@ ms.topic: conceptual
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively.

4
windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md
View File

@ -48,7 +48,7 @@ Now you have a Flow that is triggered every time a new Alert occurs.
![Image of edit credentials](images/api-flow-3.png)
All you need to do now is choose your next steps.
For example, you can isolate the machine if the Severity of the Alert is High and send an email about it.
For example, you can isolate the device if the Severity of the Alert is High and send an email about it.
The Alert trigger provides only the Alert ID and the Machine ID. You can use the connector to expand these entities.
### Get the Alert entity using the connector
@ -61,7 +61,7 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the
![Image of edit credentials](images/api-flow-4.png)
### Isolate the machine if the Alert's severity is High
### Isolate the device if the Alert's severity is High
1. Add **Condition** as a new step.

10
windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md
View File

@ -29,8 +29,8 @@ Understand what data fields are exposed as part of the detections API and how th
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Machine and its related **Alert** details.
>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
>- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Detections API fields and portal mapping
The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
@ -63,10 +63,10 @@ Field numbers match the numbers in the images below.
> | 18 | AlertId | externalId | 636210704265059241_673569822 | Value available for every Detection. |
> | 19 | LinkToWDATP | flexString1 | `https://securitycenter.windows.com/alert/636210704265059241_673569822` | Value available for every Detection. |
> | 20 | AlertTime | deviceReceiptTime | 2017-05-07T01:56:59.3191352Z | The time the event occurred. Value available for every Detection. |
> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined machines. Value available for every Detection. |
> | 21 | MachineDomain | sourceDnsDomain | contoso.com | Domain name not relevant for AAD joined devices. Value available for every Detection. |
> | 22 | Actor | deviceCustomString4 | BORON | Available for alerts related to a known actor group. |
> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The machine fully qualified domain name. Value available for every Detection. |
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For machines on Windows 10 version 1607, the domain information will not be available. |
> | 21+5 | ComputerDnsName | No mapping | liz-bean.contoso.com | The device fully qualified domain name. Value available for every Detection. |
> | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. |
> | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. |
> | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. |
> | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. |

2
windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md
View File

@ -125,6 +125,8 @@ The first example demonstrates how to connect Power BI to Advanced Hunting API a
## Power BI dashboard samples in GitHub
For more information see the [Power BI report templates](https://github.com/microsoft/MDATP-PowerBI-Templates).
## Sample reports
View the Microsoft Defender ATP Power BI report samples. For more information, see [Browse code samples](https://docs.microsoft.com/samples/browse/?products=mdatp).
## Related topic

2
windows/security/threat-protection/microsoft-defender-atp/apis-intro.md
View File

@ -2,7 +2,7 @@
title: Access the Microsoft Defender Advanced Threat Protection APIs
ms.reviewer:
description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities
keywords: apis, api, wdatp, open api, windows defender atp api, public api, supported apis, alerts, machine, user, domain, ip, file, advanced hunting, query
keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy

2
windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md
View File

@ -30,7 +30,7 @@ ms.date: 11/28/2018
Microsoft Defender ATP supports two ways to manage permissions:
- **Basic permissions management**: Set permissions to either full access or read-only.
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to machine groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
- **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md).
> [!NOTE]
> If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:

18
windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md
View File

@ -1,7 +1,7 @@
---
title: Experience Microsoft Defender ATP through simulated attacks
description: Run the provided attack scenario simulations to experience how Microsoft Defender ATP can detect, investigate, and respond to breaches.
keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection
keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -30,11 +30,11 @@ ms.date: 11/20/2018
>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/).
>- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/).
You might want to experience Microsoft Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response.
## Before you begin
To run any of the provided simulations, you need at least [one onboarded machine](onboard-configure.md).
To run any of the provided simulations, you need at least [one onboarded device](onboard-configure.md).
Read the walkthrough document provided with each attack scenario. Each document includes OS and application requirements as well as detailed instructions that are specific to an attack scenario.
@ -44,18 +44,18 @@ Read the walkthrough document provided with each attack scenario. Each document
- **Scenario 1: Document drops backdoor** - simulates delivery of a socially engineered lure document. The document launches a specially crafted backdoor that gives attackers control.
- **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and machine learning detection of malicious memory activity.
- **Scenario 2: PowerShell script in fileless attack** - simulates a fileless attack that relies on PowerShell, showcasing attack surface reduction and device learning detection of malicious memory activity.
- **Scenario 3: Automated incident response** - triggers automated investigation, which automatically hunts for and remediates breach artifacts to scale your incident response capacity.
2. Download and read the corresponding walkthrough document provided with your selected scenario.
3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test machine but it's not mandatory.
3. Download the simulation file or copy the simulation script by navigating to **Help** > **Simulations & tutorials**. You can choose to download the file or script on the test device but it's not mandatory.
4. Run the simulation file or script on the test machine as instructed in the walkthrough document.
4. Run the simulation file or script on the test device as instructed in the walkthrough document.
> [!NOTE]
> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test machine.
> Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device.
>
>
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink)
@ -63,5 +63,5 @@ Read the walkthrough document provided with each attack scenario. Each document
## Related topics
- [Onboard machines](onboard-configure.md)
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard devices](onboard-configure.md)
- [Onboard Windows 10 devices](configure-endpoints.md)

4
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -1,6 +1,6 @@
---
title: Use attack surface reduction rules to prevent malware infection
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect machines with malware.
description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware.
keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -66,7 +66,7 @@ DeviceEvents
You can review the Windows event log to view events generated by attack surface reduction rules:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer.

28
windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
View File

@ -23,7 +23,7 @@ During and after an automated investigation, certain remediation actions can be
If you're part of your organization's security operations team, you can view pending and completed [remediation actions](manage-auto-investigation.md#remediation-actions) in the **Action center** ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). You can also use the **Investigations** page ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) to view details about an investigation.
>[!NOTE]
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the machine or machine group will be able to view the entire investigation.
>If your organization has implemented role-based access to manage portal access, only authorized users or user groups who have permission to view the device or device group will be able to view the entire investigation.
## The Action center
@ -62,7 +62,7 @@ On the **Investigations** page, you can view details and use filters to focus on
|**Status** |(See [Automated investigation status](#automated-investigation-status)) |
|**Triggering alert** | The alert that initiated the automated investigation |
|**Detection source** |The source of the alert that initiated the automated investigation |
|**Entities** | Entities can include device or machines, and machine groups. You can filter the automated investigations list to zone in a specific machine to see other investigations related to the machine, or to see specific machine groups that were created. |
|**Entities** | Entities can include device or devices, and device groups. You can filter the automated investigations list to zone in a specific device to see other investigations related to the device, or to see specific device groups that were created. |
|**Threat** |The category of threat detected during the automated investigation |
|**Tags** |Filter using manually added tags that capture the context of an automated investigation|
|**Comments** |Select between filtering the list between automated investigations that have comments and those that don't|
@ -82,7 +82,7 @@ An automated investigation can have one of the following status values:
| Terminated by system | The investigation stopped. An investigation can stop for several reasons:<br/>- The investigation's pending actions expired. Pending actions can time out after awaiting approval for an extended period of time. <br/>- There are too many actions in the list.<br/>Visit the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) to view and approve any pending actions. |
| Failed | At least one investigation analyzer ran into a problem where it could not complete properly. <br/><br/>If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the investigation log ([https://securitycenter.windows.com/investigations](https://securitycenter.windows.com/investigations)) for detailed results. |
| Queued | An investigation is being held in a queue. When other investigations complete, queued investigations begin. |
| Waiting for machine | Investigation paused. The investigation will resume as soon as the machine is available. |
| Waiting for device | Investigation paused. The investigation will resume as soon as the device is available. |
| Terminated by user | A user stopped the investigation before it could complete. |
@ -90,7 +90,7 @@ An automated investigation can have one of the following status values:
![Image of investigation details window](images/atp-analyze-auto-ir.png)
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the machine that was investigated, and other information.
You can view the details of an automated investigation to see information such as the investigation graph, alerts associated with the investigation, the device that was investigated, and other information.
In this view, you'll see the name of the investigation, when it started and ended.
@ -112,23 +112,23 @@ From this view, you can also view and add comments and tags about the investigat
### Alerts
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the machine associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
The **Alerts** tab for an automated investigation shows details such as a short description of the alert that initiated the automated investigation, severity, category, the device associated with the alert, user, time in queue, status, investigation state, and to whom the investigation is assigned.
Additional alerts seen on a machine can be added to an automated investigation as long as the investigation is ongoing.
Additional alerts seen on a device can be added to an automated investigation as long as the investigation is ongoing.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related machine, logged-on users, and comments and history.
Selecting an alert using the check box brings up the alerts details pane where you have the option of opening the alert page, manage the alert by changing its status, see alert details, automated investigation details, related device, logged-on users, and comments and history.
Clicking on an alert title brings you the alert page.
### Machines
### Devices
The **Machines** tab Shows details the machine name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
The **Devices** tab Shows details the device name, IP address, group, users, operating system, remediation level, investigation count, and when it was last investigated.
Machines that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Devices that show the same threat can be added to an ongoing investigation and will be displayed in this tab. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
Selecting a machine using the checkbox brings up the machine details pane where you can see more information such as machine details and logged-on users.
Selecting a device using the checkbox brings up the device details pane where you can see more information such as device details and logged-on users.
Clicking on a machine name brings you the machine page.
Clicking on a device name brings you the device page.
### Evidence
@ -140,11 +140,11 @@ The **Entities** tab shows details about entities such as files, process, servic
### Log
The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, machine name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
The **Log** tab gives a chronological detailed view of all the investigation actions taken on the alert. You'll see the action type, action, status, device name, description of the action, comments entered by analysts who may have worked on the investigation, execution start time, duration, pending duration.
As with other sections, you can customize columns, select the number of items to show per page, and filter the log.
Available filters include action type, action, status, machine name, and description.
Available filters include action type, action, status, device name, and description.
You can also click on an action to bring up the details pane where you'll see information such as the summary of the action and input data.

22
windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
View File

@ -1,7 +1,7 @@
---
title: Use automated investigations to investigate and remediate threats
description: Understand the automated investigation flow in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export
keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -21,7 +21,7 @@ ms.topic: conceptual
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh]
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple machines. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) offers a wide breadth of visibility on multiple devices. With this kind of optics, the service generates a multitude of alerts. The volume of alerts generated can be challenging for a typical security operations team to individually address. To address this challenge, Microsoft Defender ATP uses automated investigation and remediation capabilities to significantly reduce the volume of alerts that must be investigated individually.
The automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. The **Automated investigations** list shows all the investigations that were initiated automatically, and includes details, such as status, detection source, and when the investigation was initiated.
@ -30,7 +30,7 @@ The automated investigation feature leverages various inspection algorithms, and
## How the automated investigation starts
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a machine. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other machines in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
When an alert is triggered, a security playbook goes into effect. Depending on the security playbook, an automated investigation can start. For example, suppose a malicious file resides on a device. When that file is detected, an alert is triggered. The automated investigation process begins. Microsoft Defender ATP checks to see if the malicious file is present on any other devices in the organization. Details from the investigation, including verdicts (*Malicious*, *Suspicious*, and *No threats found*) are available during and after the automated investigation.
>[!NOTE]
>Currently, automated investigation only supports the following OS versions:
@ -41,12 +41,12 @@ When an alert is triggered, a security playbook goes into effect. Depending on t
## Details of an automated investigation
During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Machines**, **Evidence**, **Entities**, and **Log** tabs.
During and after an automated investigation, you can view details about the investigation. Selecting a triggering alert brings you to the investigation details view where you can pivot from the **Investigation graph**, **Alerts**, **Devices**, **Evidence**, **Entities**, and **Log** tabs.
|Tab |Description |
|--|--|
|**Alerts**| Shows the alert that started the investigation.|
|**Machines** |Shows where the alert was seen.|
|**Devices** |Shows where the alert was seen.|
|**Evidence** |Shows the entities that were found to be malicious during the investigation.|
|**Entities** |Provides details about each analyzed entity, including a determination for each entity type (*Malicious*, *Suspicious*, or *No threats found*). |
|**Log** |Shows the chronological detailed view of all the investigation actions taken on the alert.|
@ -57,28 +57,28 @@ During and after an automated investigation, you can view details about the inve
## How an automated investigation expands its scope
While an investigation is running, any other alerts generated from the machine are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
While an investigation is running, any other alerts generated from the device are added to an ongoing automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
If an incriminated entity is seen in another machine, the automated investigation process will expand its scope to include that machine, and a general security playbook will start on that machine. If 10 or more machines are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
If an incriminated entity is seen in another device, the automated investigation process will expand its scope to include that device, and a general security playbook will start on that device. If 10 or more devices are found during this expansion process from the same entity, then that expansion action will require an approval and will be seen in the **Pending actions** view.
## How threats are remediated
Depending on how you set up the machine groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
Depending on how you set up the device groups and their level of automation, the automated investigation will either require user approval (default) or automatically remediate threats.
You can configure the following levels of automation:
|Automation level | Description|
|---|---|
|No automated response | Machines do not get any automated investigations run on them. |
|No automated response | Devices do not get any automated investigations run on them. |
|Semi - require approval for any remediation | This is the default automation level.<br><br> An approval is needed for any remediation action. |
|Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders. <br><br> Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.|
|Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder. <br><br> Files or executables in all other folders will automatically be remediated if needed.|
|Full - remediate threats automatically | All remediation actions will be performed automatically.|
> [!TIP]
> For more information on how to configure these automation levels, see [Create and manage machine groups](machine-groups.md).
> For more information on how to configure these automation levels, see [Create and manage device groups](machine-groups.md).
The default machine group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
The default device group is configured for semi-automatic remediation. This means that any malicious entity that calls for remediation requires an approval and the investigation is added to the **Pending actions** section. This can be changed to fully automatic so that no user approval is needed.
When a pending action is approved, the entity is then remediated and this new state is reflected in the **Entities** tab of the investigation.

8
windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md
View File

@ -26,7 +26,7 @@ ms.collection:
## Overview
Todays threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
Todays threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities.
@ -80,15 +80,15 @@ Below are two real-life examples of behavioral blocking and containment in actio
As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the users device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attackers techniques at two points in the attack chain:
- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attackers techniques at two points in the attack chain:
- The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running.
This example shows how behavior-based device learning models in the cloud add new layers of protection against attacks, even after they have started running.
### Example 2: NTML relay - Juicy Potato malware variant

40
windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md
View File

@ -1,6 +1,6 @@
---
title: Check the health state of the sensor in Microsoft Defender ATP
description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data.
description: Check the sensor health on devices to identify which ones are misconfigured, inactive, or are not reporting sensor data.
keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -25,33 +25,31 @@ ms.date: 04/24/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machines ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual devices ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues.
There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service:
- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month.
Clicking any of the groups directs you to **Devices list**, filtered according to your choice.
Clicking any of the groups directs you to Machines list, filtered according to your choice.
![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png)
You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview.md).
On **Devices list**, you can filter the health state list by the following status:
- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service.
- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues:
- **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device.
- **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work.
- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service.
You can filter the health state list by the following status:
- **Active** - Machines that are actively reporting to the Microsoft Defender ATP service.
- **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured machines can have either one or a combination of the following issues:
- **No sensor data** - Machines has stopped sending sensor data. Limited alerts can be triggered from the machine.
- **Impaired communications** - Ability to communicate with machine is impaired. Sending files for deep analysis, blocking files, isolating machine from network and other actions that require communication with the machine may not work.
- **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service.
You can view the machine details when you click on a misconfigured or inactive machine.
![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png)
In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format.
You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md).
>[!NOTE]
>Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
>Export the list in CSV format to display the unfiltered data. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is.
![Screenshot of Devices list page](images/atp-devices-list-page.png)
You can view the device details when you click on a misconfigured or inactive device.
## Related topic
- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md)

6
windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
View File

@ -1,6 +1,6 @@
---
title: Collect investigation package API
description: Use this API to create calls related to the collecting an investigation package from a machine.
description: Use this API to create calls related to the collecting an investigation package from a device.
keywords: apis, graph api, supported apis, collect investigation package
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -24,7 +24,7 @@ ms.topic: article
- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)
## API description
Collect investigation package from a machine.
Collect investigation package from a device.
## Limitations
@ -42,7 +42,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```

6
windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md
View File

@ -37,7 +37,7 @@ The following OS versions are supported:
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
>[!NOTE]
>A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment.
>A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment.
The following OS versions are not supported:
- Windows Server 2008 R2 SP1
@ -67,7 +67,7 @@ The following capabilities are not currently available:
The following capabilities are not currently available:
- Threat protection report
- Machine health and compliance report
- Device health and compliance report
- Integration with third-party products
@ -92,7 +92,7 @@ You'll need to ensure that traffic from the following are allowed:
Service location | DNS record
:---|:---
Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```<br>```settings-win.data.microsoft.com``` <br><br> NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 machines running version 1803 or earlier.
Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```<br>```settings-win.data.microsoft.com``` <br><br> NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier.
Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```

6
windows/security/threat-protection/microsoft-defender-atp/conditional-access.md
View File

@ -41,7 +41,7 @@ The compliance policy is used with Conditional Access to allow only devices that
## Understand the Conditional Access flow
Conditional Access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated.
The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
The flow begins with devices being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune.
Depending on how you configure policies in Intune, Conditional Access can be set up so that when certain conditions are met, the policy is applied.
@ -55,8 +55,8 @@ To resolve the risk found on a device, you'll need to return the device to a com
There are three ways to address a risk:
1. Use Manual or automated remediation.
2. Resolve active alerts on the machine. This will remove the risk from the machine.
3. You can remove the machine from the active policies and consequently, Conditional Access will not be applied on the machine.
2. Resolve active alerts on the device. This will remove the risk from the device.
3. You can remove the device from the active policies and consequently, Conditional Access will not be applied on the device.
Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure Conditional Access](configure-conditional-access.md).

6
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -1,6 +1,6 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
description: Your configuration score shows the collective security configuration state of your machines across application, operating system, network, accounts, and security controls
description: Your configuration score shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -25,7 +25,7 @@ ms.topic: conceptual
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score.
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
- Application
- Operating system
@ -60,7 +60,7 @@ You can improve your security configuration when you remediate issues from the s
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
4. **Submit request**. You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
5. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)

2
windows/security/threat-protection/microsoft-defender-atp/configure-and-manage-tvm.md
View File

@ -27,7 +27,7 @@ This section guides you through the steps you need to take to configure Threat &
### Before you begin
> [!IMPORTANT]
> Threat & Vulnerability Management data currently supports Windows 10 machines. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
> Threat & Vulnerability Management data currently supports Windows 10 devices. Upgrade to Windows 10 to account for the rest of your devices threat and vulnerability exposure data.</br>
Ensure that you have the right RBAC permissions to configure your Threat & Vulnerability Management integration with Microsoft Intune or Microsoft Endpoint Configuration Manager.

2
windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md
View File

@ -32,7 +32,7 @@ You'll need to install and configure some files and tools to use Micro Focus Arc
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
## Before you begin

2
windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md
View File

@ -37,7 +37,7 @@ To configure automated investigation and remediation, you [turn on the features]
## Set up device groups
1. In the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)), on the **Settings** page, under **Permissions**, select **Device groups**.
2. Select **+ Add machine group**.
2. Select **+ Add device group**.
3. Create at least one device group, as follows:
- Specify a name and description for the device group.
- In the **Automation level list**, select a level, such as **Full remediate threats automatically**. The automation level determines whether remediation actions are taken automatically, or only upon approval. To learn more, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).

18
windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md
View File

@ -1,7 +1,7 @@
---
title: Configure alert notifications in Microsoft Defender ATP
description: You can use Microsoft Defender Advanced Threat Protection to configure email notification settings for security alerts, based on severity and other criteria.
keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education
keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -32,15 +32,15 @@ You can configure Microsoft Defender ATP to send email notifications to specifie
You can set the alert severity levels that trigger notifications. You can also add or remove recipients of the email notification. New recipients get notified about alerts encountered after they are added. For more information about alerts, see [View and organize the Alerts queue](alerts-queue.md).
If you're using role-based access control (RBAC), recipients will only receive notifications based on the machine groups that were configured in the notification rule.
Users with the proper permission can only create, edit, or delete notifications that are limited to their machine group management scope.
Only users assigned to the Global administrator role can manage notification rules that are configured for all machine groups.
If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule.
Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope.
Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups.
The email notification includes basic information about the alert and a link to the portal where you can do further investigation.
## Create rules for alert notifications
You can create rules that determine the machines and alert severities to send email notifications for and the notification recipients.
You can create rules that determine the devices and alert severities to send email notifications for and the notification recipients.
1. In the navigation pane, select **Settings** > **Alert notifications**.
@ -51,12 +51,12 @@ You can create rules that determine the machines and alert severities to send em
- **Rule name** - Specify a name for the notification rule.
- **Include organization name** - Specify the customer name that appears on the email notification.
- **Include tenant-specific portal link** - Adds a link with the tenant ID to allow access to a specific tenant.
- **Include machine information** - Includes the machine name in the email alert body.
- **Include device information** - Includes the device name in the email alert body.
>[!NOTE]
> This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data.
- **Machines** - Choose whether to notify recipients for alerts on all machines (Global administrator role only) or on selected machine groups. For more information, see [Create and manage machine groups](machine-groups.md).
- **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md).
- **Alert severity** - Choose the alert severity level.
4. Click **Next**.
@ -67,10 +67,6 @@ You can create rules that determine the machines and alert severities to send em
7. Click **Save notification rule**.
Here's an example email notification:
![Image of example email notification](images/atp-example-email-notification.png)
## Edit a notification rule
1. Select the notification rule you'd like to edit.

50
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 devices to Microsoft Defender ATP via Group Policy
description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service.
keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, group policy
description: Use Group Policy to deploy the configuration package on Windows 10 devices so that they are onboarded to the service.
keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 04/24/2018
---
# Onboard Windows 10 machines using Group Policy
# Onboard Windows 10 devices using Group Policy
**Applies to:**
@ -37,7 +37,7 @@ ms.date: 04/24/2018
> For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
## Onboard machines using Group Policy
## Onboard devices using Group Policy
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -48,7 +48,7 @@ ms.date: 04/24/2018
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called *OptionalParamsPolicy* and the file *WindowsDefenderATPOnboardingScript.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -65,15 +65,15 @@ ms.date: 04/24/2018
9. Click **OK** and close any open GPMC windows.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
## Additional Microsoft Defender ATP configuration settings
For each machine, you can state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
### Configure sample collection settings
1. On your GP management machine, copy the following files from the
1. On your GP management device, copy the following files from the
configuration package:
a. Copy _AtpConfiguration.admx_ into _C:\\Windows\\PolicyDefinitions_
@ -95,17 +95,17 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
5. Click **Windows components** and then **Windows Defender ATP**.
6. Choose to enable or disable sample sharing from your machines.
6. Choose to enable or disable sample sharing from your devices.
>[!NOTE]
> If you don't set a value, the default value is to enable sample collection.
## Offboard machines using Group Policy
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
## Offboard devices using Group Policy
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -117,7 +117,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machine. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11) (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
@ -134,25 +134,25 @@ For security reasons, the package used to Offboard machines will expire 30 days
9. Click **OK** and close any open GPMC windows.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor machine configuration
With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor device configuration
With Group Policy there isnt an option to monitor deployment of policies on the devices. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
## Monitor devices using the portal
1. Go to [Microsoft Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.
2. Click **Devices list**.
3. Verify that devices are appearing.
> [!NOTE]
> It can take several days for machines to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the machine, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
> It can take several days for devices to start showing on the **Devices list**. This includes the time it takes for the policies to be distributed to the device, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting.
## Related topics
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machines](run-detection-test.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP devices](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

38
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Microsoft Defender Advanced Threat Protection machines, mdm
title: Onboard Windows 10 devices using Mobile Device Management tools
description: Use Mobile Device Management tools to deploy the configuration package on devices so that they are onboarded to the service.
keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 12/06/2018
---
# Onboard Windows 10 machines using Mobile Device Management tools
# Onboard Windows 10 devices using Mobile Device Management tools
**Applies to:**
@ -27,7 +27,7 @@ ms.date: 12/06/2018
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink)
You can use mobile device management (MDM) solutions to configure machines. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage machines.
You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices.
For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
@ -36,7 +36,7 @@ If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwi
For more information on enabling MDM with Microsoft Intune, see [Device enrollment (Microsoft Intune)](https://docs.microsoft.com/mem/intune/enrollment/device-enrollment).
## Onboard machines using Microsoft Intune
## Onboard devices using Microsoft Intune
Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
@ -44,18 +44,18 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
> [!NOTE]
> - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated.
> - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703.
> - The **Health Status for onboarded devices** policy uses read-only properties and can't be remediated.
> - Configuration of diagnostic data reporting frequency is only available for devices on Windows 10, version 1703.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that a machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
## Offboard and monitor machines using Mobile Device Management tools
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
## Offboard and monitor devices using Mobile Device Management tools
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -79,15 +79,15 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy
> [!NOTE]
> The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated.
> The **Health Status for offboarded devices** policy uses read-only properties and can't be remediated.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

18
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md
View File

@ -1,7 +1,7 @@
---
title: Onboard non-Windows machines to the Microsoft Defender ATP service
description: Configure non-Windows machines so that they can send sensor data to the Microsoft Defender ATP service.
keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
title: Onboard non-Windows devices to the Microsoft Defender ATP service
description: Configure non-Windows devices so that they can send sensor data to the Microsoft Defender ATP service.
keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Onboard non-Windows machines
# Onboard non-Windows devices
**Applies to:**
@ -33,12 +33,12 @@ You'll need to know the exact Linux distros and macOS versions that are compatib
- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements)
- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements).
## Onboarding non-Windows machines
You'll need to take the following steps to onboard non-Windows machines:
## Onboarding non-Windows devices
You'll need to take the following steps to onboard non-Windows devices:
1. Select your preferred method of onboarding:
- For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-atp-mac).
- For other non-Windows devices choose **Onboard non-Windows machines through third-party integration**.
- For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**.
1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed.
@ -51,7 +51,7 @@ You'll need to take the following steps to onboard non-Windows machines:
2. Run a detection test by following the instructions of the third-party solution.
## Offboard non-Windows machines
## Offboard non-Windows devices
1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender ATP.
@ -63,7 +63,7 @@ You'll need to take the following steps to onboard non-Windows machines:
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard servers](configure-server-endpoints.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

66
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using Configuration Manager
description: Use Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service.
keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
title: Onboard Windows 10 devices using Configuration Manager
description: Use Configuration Manager to deploy the configuration package on devices so that they are onboarded to the service.
keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,7 +18,7 @@ ms.topic: article
ms.date: 02/07/2020
---
# Onboard Windows 10 machines using Configuration Manager
# Onboard Windows 10 devices using Configuration Manager
**Applies to:**
@ -30,17 +30,17 @@ ms.date: 02/07/2020
<span id="sccm1606"/>
## Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager current branch
## Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager current branch
Configuration Manager current branch has integrated support to configure and manage Microsoft Defender ATP on managed devices. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
<span id="sccm1602"/>
## Onboard Windows 10 machines using earlier versions of System Center Configuration Manager
## Onboard Windows 10 devices using earlier versions of System Center Configuration Manager
You can use existing Configuration Manager functionality to create a policy to configure your machines. This action is supported in System Center 2012 R2 Configuration Manager.
You can use existing Configuration Manager functionality to create a policy to configure your devices. This action is supported in System Center 2012 R2 Configuration Manager.
### Onboard machines using System Center Configuration Manager
### Onboard devices using System Center Configuration Manager
1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -62,10 +62,10 @@ You can use existing Configuration Manager functionality to create a policy to c
> Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading.
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
>
> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a machine has been onboarded. An application is a different type of object than a package and program.
> If a machine is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the machine until the rule detects the status change.
> Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program.
> If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change.
>
> This behavior can be accomplished by creating a detection rule checking if the "OnboardingState" registry value (of type REG_DWORD) = 1.
> This registry value is located under "HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status".
@ -73,10 +73,10 @@ For more information, see [Configure Detection Methods in System Center 2012 R2
### Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a device.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted devices to make sure theyre complaint.
The configuration is set through the following registry key entry:
@ -88,8 +88,8 @@ Value: 0 or 1
Where:<br>
Key type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this machine
- 0 - doesn't allow sample sharing from this device
- 1 - allows sharing of all file types from this device
The default value in case the registry key doesnt exist is 1.
@ -97,18 +97,18 @@ For more information about System Center Configuration Manager Compliance see [I
## Offboard machines using Configuration Manager
## Offboard devices using Configuration Manager
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
### Offboard machines using Microsoft Endpoint Configuration Manager current branch
### Offboard devices using Microsoft Endpoint Configuration Manager current branch
If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file).
### Offboard machines using System Center 2012 R2 Configuration Manager
### Offboard devices using System Center 2012 R2 Configuration Manager
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -127,18 +127,18 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create
a. Choose a predefined device collection to deploy the package to.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor machine configuration
## Monitor device configuration
If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor).
If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts:
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the machines in your network.
1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network.
2. Checking that the machines are compliant with the Microsoft Defender ATP service (this ensures the machine can complete the onboarding process and can continue to report data to the service).
2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service).
### Confirm the configuration package has been correctly deployed
@ -150,15 +150,15 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists
4. Review the status indicators under **Completion Statistics** and **Content Status**.
If there are failed deployments (machines with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the machines. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png)
### Check that the machines are compliant with the Microsoft Defender ATP service
### Check that the devices are compliant with the Microsoft Defender ATP service
You can set a compliance rule for configuration item in System Center 2012 R2 Configuration Manager to monitor your deployment.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted machines.
This rule should be a *non-remediating* compliance rule configuration item that monitors the value of a registry key on targeted devices.
Monitor the following registry key entry:
```
@ -169,9 +169,9 @@ Value: “1”
For more information, see [Introduction to compliance settings in System Center 2012 R2 Configuration Manager](https://docs.microsoft.com/previous-versions/system-center/system-center-2012-R2/gg682139\(v=technet.10\)).
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

60
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md
View File

@ -1,7 +1,7 @@
---
title: Onboard Windows 10 machines using a local script
description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service.
keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Microsoft Defender Advanced Threat Protection machines
title: Onboard Windows 10 devices using a local script
description: Use a local script to deploy the configuration package on devices so that they are onboarded to the service.
keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Onboard Windows 10 machines using a local script
# Onboard Windows 10 devices using a local script
**Applies to:**
@ -29,12 +29,12 @@ ms.topic: article
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink)
You can also manually onboard individual machines to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all machines in your network.
You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network.
> [!NOTE]
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints.md).
> The script has been optimized to be used on a limited number of devices (1-10 devices). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 devices](configure-endpoints.md).
## Onboard machines
## Onboard devices
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -46,9 +46,9 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You
d. Click **Download package** and save the .zip file.
2. Extract the contents of the configuration package to a location on the machine you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
2. Extract the contents of the configuration package to a location on the device you want to onboard (for example, the Desktop). You should have a file named *WindowsDefenderATPOnboardingScript.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
3. Open an elevated command-line prompt on the device and run the script:
a. Go to **Start** and type **cmd**.
@ -60,16 +60,16 @@ You can also manually onboard individual machines to Microsoft Defender ATP. You
5. Press the **Enter** key or click **OK**.
For information on how you can manually validate that the machine is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md).
>[!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
## Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis.
You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
You can manually configure the sample sharing setting on the device by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
@ -81,17 +81,17 @@ Value: 0 or 1
Where:<br>
Name type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this machine
- 1 - allows sharing of all file types from this machine
- 0 - doesn't allow sample sharing from this device
- 1 - allows sharing of all file types from this device
The default value in case the registry key doesnt exist is 1.
## Offboard machines using a local script
For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
## Offboard devices using a local script
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
> Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
@ -103,9 +103,9 @@ For security reasons, the package used to Offboard machines will expire 30 days
d. Click **Download package** and save the .zip file.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the machines. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the devices. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*.
3. Open an elevated command-line prompt on the machine and run the script:
3. Open an elevated command-line prompt on the device and run the script:
a. Go to **Start** and type **cmd**.
@ -118,26 +118,26 @@ For security reasons, the package used to Offboard machines will expire 30 days
5. Press the **Enter** key or click **OK**.
> [!IMPORTANT]
> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months.
> Offboarding causes the device to stop sending sensor data to the portal but data from the device, including reference to any alerts it has had will be retained for up to 6 months.
## Monitor machine configuration
## Monitor device configuration
You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding.md) to verify that the script completed successfully and the agent is running.
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
### Monitor devices using the portal
1. Go to Microsoft Defender Security Center.
2. Click **Machines list**.
2. Click **Devices list**.
3. Verify that machines are appearing.
3. Verify that devices are appearing.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

62
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md
View File

@ -1,7 +1,7 @@
---
title: Onboard non-persistent virtual desktop infrastructure (VDI) machines
description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Microsoft Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
title: Onboard non-persistent virtual desktop infrastructure (VDI) devices
description: Deploy the configuration package on virtual desktop infrastructure (VDI) device so that they are onboarded to Microsoft Defender ATP the service.
keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -18,17 +18,17 @@ ms.topic: article
ms.date: 04/16/2020
---
# Onboard non-persistent virtual desktop infrastructure (VDI) machines
# Onboard non-persistent virtual desktop infrastructure (VDI) devices
**Applies to:**
- Virtual desktop infrastructure (VDI) machines
- Virtual desktop infrastructure (VDI) devices
>[!WARNING]
> Micrsosoft Defender ATP currently does not support Windows Virtual Desktop multi-user session.
> Microsoft Defender ATP support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink)
## Onboard non-persistent virtual desktop infrastructure (VDI) machines
## Onboard non-persistent virtual desktop infrastructure (VDI) devices
Microsoft Defender ATP supports non-persistent VDI session onboarding.
@ -40,15 +40,15 @@ Microsoft Defender ATP supports non-persistent VDI session onboarding.
There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario:
- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning.
- The machine name is typically reused for new sessions.
- The device name is typically reused for new sessions.
VDI machines can appear in Microsoft Defender ATP portal as either:
VDI devices can appear in Microsoft Defender ATP portal as either:
- Single entry for each machine.
Note that in this case, the *same* machine name must be configured when the session is created, for example using an unattended answer file.
- Multiple entries for each machine - one for each session.
- Single entry for each device.
Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file.
- Multiple entries for each device - one for each session.
The following steps will guide you through onboarding VDI machines and will highlight steps for single and multiple entries.
The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries.
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding.
@ -68,8 +68,8 @@ The following steps will guide you through onboarding VDI machines and will high
>[!NOTE]
>If you don't see the `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup` folder, it might be hidden. You'll need to choose the **Show hidden files and folders** option from file explorer.
3. The following step is only applicable if you're implementing a single entry for each machine: <br>
**For single entry for each machine**:<br>
3. The following step is only applicable if you're implementing a single entry for each device: <br>
**For single entry for each device**:<br>
a. From the `WindowsDefenderATPOnboardingPackage`, copy the `Onboard-NonPersistentMachine.ps1` file to `golden/master` image to the path `C:\WINDOWS\System32\GroupPolicy\Machine\Scripts\Startup`. <br>
>[!NOTE]
@ -78,30 +78,30 @@ The following steps will guide you through onboarding VDI machines and will high
4. Open a Local Group Policy Editor window and navigate to **Computer Configuration** > **Windows Settings** > **Scripts** > **Startup**.
>[!NOTE]
>Domain Group Policy may also be used for onboarding non-persistent VDI machines.
>Domain Group Policy may also be used for onboarding non-persistent VDI devices.
5. Depending on the method you'd like to implement, follow the appropriate steps: <br>
**For single entry for each machine**:<br>
**For single entry for each device**:<br>
Select the **PowerShell Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to onboarding PowerShell script `Onboard-NonPersistentMachine.ps1`. <br><br>
**For multiple entries for each machine**:<br>
**For multiple entries for each device**:<br>
Select the **Scripts** tab, then click **Add** (Windows Explorer will open directly in the path where you copied the onboarding script earlier). Navigate to the onboarding bash script `WindowsDefenderATPOnboardingScript.cmd`.
6. Test your solution:
a. Create a pool with one machine.
a. Create a pool with one device.
b. Logon to machine.
b. Logon to device.
c. Logoff from machine.
c. Logoff from device.
d. Logon to machine with another user.
d. Logon to device with another user.
e. **For single entry for each machine**: Check only one entry in Microsoft Defender Security Center.<br>
**For multiple entries for each machine**: Check multiple entries in Microsoft Defender Security Center.
e. **For single entry for each device**: Check only one entry in Microsoft Defender Security Center.<br>
**For multiple entries for each device**: Check multiple entries in Microsoft Defender Security Center.
7. Click **Machines list** on the Navigation pane.
7. Click **Devices list** on the Navigation pane.
8. Use the search function by entering the machine name and select **Machine** as search type.
8. Use the search function by entering the device name and select **Device** as search type.
## Updating non-persistent virtual desktop infrastructure (VDI) images
As a best practice, we recommend using offline servicing tools to patch golden/master images.<br>
@ -120,7 +120,7 @@ For more information on DISM commands and offline servicing, please refer to the
If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health:
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script).
1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script).
2. Ensure the sensor is stopped by running the command below in a CMD window:
@ -143,8 +143,8 @@ If offline servicing is not a viable option for your non-persistent VDI environm
5. Re-seal the golden/master image as you normally would.
## Related topics
- [Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 machines using a local script](configure-endpoints-script.md)
- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md)
- [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
- [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md)
- [Onboard Windows 10 devices using a local script](configure-endpoints-script.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

20
windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md
View File

@ -1,7 +1,7 @@
---
title: Onboarding tools and methods for Windows 10 machines
description: Onboard Windows 10 machines so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: Onboard Windows 10 machines, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
title: Onboarding tools and methods for Windows 10 devices
description: Onboard Windows 10 devices so that they can send sensor data to the Microsoft Defender ATP sensor
keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Onboarding tools and methods for Windows 10 machines
# Onboarding tools and methods for Windows 10 devices
**Applies to:**
@ -26,7 +26,7 @@ ms.topic: conceptual
Machines in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization.
The following deployment tools and methods are supported:
@ -38,11 +38,11 @@ The following deployment tools and methods are supported:
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on machines.
[Onboard Windows machines using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on machines.
[Onboard Windows 10 machines using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on machine.
[Onboard Windows 10 machines using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI machines.
[Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices.
[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
[Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device.
[Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints.
[Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink)

4
windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md
View File

@ -48,6 +48,6 @@ For more information about ASR rule deployment in Microsoft 365 security center,
**Related topics**
* [Ensure your machines are configured properly](configure-machines.md)
* [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
* [Ensure your devices are configured properly](configure-machines.md)
* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)

34
windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md
View File

@ -1,6 +1,6 @@
---
title: Get machines onboarded to Microsoft Defender ATP
description: Track onboarding of Intune-managed machines to Windows Defender ATP and increase onboarding rate.
title: Get devices onboarded to Microsoft Defender ATP
description: Track onboarding of Intune-managed devices to Microsoft Defender ATP and increase onboarding rate.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,34 +17,34 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Get machines onboarded to Microsoft Defender ATP
# Get devices onboarded to Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
Before you can track and manage onboarding of machines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
Before you can track and manage onboarding of devices:
- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Discover and track unprotected machines
## Discover and track unprotected devices
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines.
The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices.
![Machine configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
*Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device*
>[!NOTE]
>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that dont use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices.
## Onboard more machines with Intune profiles
## Onboard more devices with Intune profiles
Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service.
Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service.
From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state.
![Microsoft Defender ATP device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
*Microsoft Defender ATP device compliance page on Intune device management*
@ -55,16 +55,16 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass
>[!NOTE]
> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**.
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either:
From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either:
- Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile.
- Create the device configuration profile from scratch.
For more information, [read about using Intune device configuration profiles to onboard machines to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Ensure your devices are configured properly](configure-machines.md)
- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

38
windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md
View File

@ -1,7 +1,7 @@
---
title: Increase compliance to the Microsoft Defender ATP security baseline
description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
keywords: Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection ASR, security baseline
keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -29,42 +29,42 @@ Security baselines ensure that security features are configured according to gui
To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
Before you can deploy and track compliance to security baselines:
- [Enroll your machines to Intune management](configure-machines.md#enroll-machines-to-intune-management)
- [Enroll your devices to Intune management](configure-machines.md#enroll-devices-to-intune-management)
- [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions)
## Compare the Microsoft Defender ATP and the Windows Intune security baselines
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released.
>[!NOTE]
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
>The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments.
## Monitor compliance to the Microsoft Defender ATP security baseline
The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline.
![Security baseline card](images/secconmgmt_baseline_card.png)<br>
*Card showing compliance to the Microsoft Defender ATP security baseline*
Each machine is given one of the following status types:
Each device is given one of the following status types:
- **Matches baseline**—machine settings match all the settings in the baseline
- **Does not match baseline**—at least one machine setting doesn't match the baseline
- **Misconfigured**—at least one baseline setting isn't properly configured on the machine and is in a conflict, error, or pending state
- **Not applicable**—At least one baseline setting isn't applicable on the machine
- **Matches baseline**—device settings match all the settings in the baseline
- **Does not match baseline**—at least one device setting doesn't match the baseline
- **Misconfigured**—at least one baseline setting isn't properly configured on the device and is in a conflict, error, or pending state
- **Not applicable**—At least one baseline setting isn't applicable on the device
To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
To review specific devices, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the devices.
>[!NOTE]
>You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
>You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune.
## Review and assign the Microsoft Defender ATP security baseline
Machine configuration management monitors baseline compliance only of Windows 10 machines that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to machines on Intune device management.
Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management.
1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
@ -82,22 +82,22 @@ Machine configuration management monitors baseline compliance only of Windows 10
![Security baseline options during profile creation on Intune](images/secconmgmt_baseline_intuneprofile2.png)<br>
*Security baseline options during profile creation on Intune*
4. Assign the profile to the appropriate machine group.
4. Assign the profile to the appropriate device group.
![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
*Assigning the security baseline profile on Intune*
5. Create the profile to save it and deploy it to the assigned machine group.
5. Create the profile to save it and deploy it to the assigned device group.
![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
*Creating the security baseline profile on Intune*
>[!TIP]
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your machines. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
>Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines).
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
## Related topics
- [Ensure your machines are configured properly](configure-machines.md)
- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
- [Ensure your devices are configured properly](configure-machines.md)
- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

30
windows/security/threat-protection/microsoft-defender-atp/configure-machines.md
View File

@ -1,6 +1,6 @@
---
title: Ensure your machines are configured properly
description: Properly configure machines to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
title: Ensure your devices are configured properly
description: Properly configure devices to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -17,44 +17,46 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Ensure your machines are configured properly
# Ensure your devices are configured properly
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices:
- Onboard to Microsoft Defender ATP
- Meet or exceed the Microsoft Defender ATP security baseline configuration
- Have strategic attack surface mitigations in place
Click **Configuration management** from the navigation menu to open the Device configuration management page.
![Security configuration management page](images/secconmgmt_main.png)<br>
*Machine configuration management page*
*Device configuration management page*
You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
In doing so, you benefit from:
- Comprehensive visibility of the events on your machines
- Robust threat intelligence and powerful machine learning technologies for processing raw events and identifying the breach activity and threat indicators
- Comprehensive visibility of the events on your devices
- Robust threat intelligence and powerful device learning technologies for processing raw events and identifying the breach activity and threat indicators
- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
## Enroll machines to Intune management
## Enroll devices to Intune management
Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
Device configuration management works closely with Intune device management to establish the inventory of the devices in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 devices.
Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
Before you can ensure your devices are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 devices. For more information about Intune enrollment options, read about [setting up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll).
>[!NOTE]
>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign).
>[!TIP]
>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
>To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
## Obtain required permissions
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding machines and deploying the security baseline.
By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline.
If you have been assigned other roles, ensure you have the necessary permissions:
@ -72,8 +74,8 @@ If you have been assigned other roles, ensure you have the necessary permissions
## In this section
Topic | Description
:---|:---
[Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed machines and onboard more machines through Intune.
[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune.
[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices.
[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)

31
windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md
View File

@ -24,7 +24,7 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
## Before you begin
Ensure that you have Microsoft Defender ATP deployed in your environment with machines enrolled, and not just on a laboratory set-up.
Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up.
Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service.
@ -37,15 +37,15 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M
2. Click **Apply**.
![Image of Microsoft Threat Experts settings](images/mte-collaboratewithmte.png)
![Image of Microsoft Threat Experts settings](images/mte-collaboratewithmte.png)
3. Enter your name and email address so that Microsoft can get back to you on your application.
![Image of Microsoft Threat Experts application](images/mte-apply.png)
![Image of Microsoft Threat Experts application](images/mte-apply.png)
4. Read the [privacy statement](https://privacy.microsoft.com/en-us/privacystatement), then click **Submit** when you're done. You will receive a welcome email once your application is approved.
![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png)
![Image of Microsoft Threat Experts application confirmation](images/mte-applicationconfirmation.png)
6. From the navigation pane, go to **Settings** > **General** > **Advanced features** to turn the **Threat Experts** toggle on. Click **Save preferences**.
@ -68,13 +68,13 @@ You'll start receiving targeted attack notification from Microsoft Threat Expert
## Consult a Microsoft threat expert about suspicious cybersecurity activities in your organization
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised machine, or a threat intelligence context that you see on your portal dashboard.
You can partner with Microsoft Threat Experts who can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, a potentially compromised device, or a threat intelligence context that you see on your portal dashboard.
> [!NOTE]
> - Alert inquiries related to your organization's customized threat intelligence data are currently not supported. Consult your security operations or incident response team for details.
> - You will need to have the "Manage security settings" permission in the Security Center portal to be able to submit a "Consult a threat expert" inquiry.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or machine is in view before you send an investigation request.
1. Navigate to the portal page with the relevant information that you'd like to investigate, for example, the **Incident** page. Ensure that the page for the relevant alert or device is in view before you send an investigation request.
2. From the upper right-hand menu, click **?**. Then, select **Consult a threat expert**.
@ -88,33 +88,36 @@ You can partner with Microsoft Threat Experts who can be engaged directly from w
![Image of Microsoft Threat Experts Experts on Demand full subscription screen](images/mte-eod-fullsubscription.png)
The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or machine details page that you were at when you made the request.
The **Inquiry topic** field is pre-populated with the link to the relevant page for your investigation request. For example, a link to the incident, alert, or device details page that you were at when you made the request.
3. In the next field, provide enough information to give the Microsoft Threat Experts enough context to start the investigation.
4. Enter the email address that you'd like to use to correspond with Microsoft Threat Experts.
> [!NOTE]
> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub. Watch this video for a quick overview of the Microsoft Services Hub.
> Customers with Premier Support subscription mapped to their Office 365 license can track the status of their Experts on Demand cases through Microsoft Services Hub.
Watch this video for a quick overview of the Microsoft Services Hub.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4pk9f]
<BR>
## Sample investigation topics that you can consult with Microsoft Threat Experts
**Alert information**
- We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further?
- Weve observed two similar attacks which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- Weve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious Powershell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference?
- I receive an odd alert today for abnormal number of failed logins from a high profile users device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored?
- Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”.
**Possible machine compromise**
- Can you help answer why we see “Unknown process observed?” This is seen quite frequently on many machines. We appreciate any input to clarify whether this is related to malicious activity.
- Can you help answer why we see “Unknown process observed?” This message or alert is seen frequently on many devices. We appreciate any input to clarify whether this message or alert is related to malicious activity.
- Can you help validate a possible compromise on the following system on [date] with similar behaviors as the previous [malware name] malware detection on the same system in [month]?
**Threat intelligence details**
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference e.g., Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
- This morning, we detected a phishing email that delivered a malicious Word document to a user. This caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link?
- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor?
**Microsoft Threat Experts alert communications**
- Can your incident response team help us address the targeted attack notification that we got?
@ -133,7 +136,7 @@ Response from Microsoft Threat Experts varies according to your inquiry. They wi
- Investigation requires more time
- Initial information was enough to conclude the investigation
It is crucial to respond in a timely manner to keep the investigation moving.
It is crucial to respond in quickly to keep the investigation moving.
## Related topic
- [Microsoft Threat Experts overview](microsoft-threat-experts.md)

16
windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md
View File

@ -1,7 +1,7 @@
---
title: Configure managed security service provider support
description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP
description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP
keywords: managed security service provider, mssp, configure, integration
search.product: eADQiWindows 10XVcnh
@ -24,9 +24,9 @@ ms.date: 09/03/2018
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
@ -44,7 +44,7 @@ The integration will allow MSSPs to take the following actions:
- Get email notifications, and
- Fetch alerts through security information and event management (SIEM) tools
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Windows Defender ATP tenant so that the MSSP can access the portal.
Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal.
Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP.
@ -54,7 +54,7 @@ In general, the following configuration steps need to be taken:
- **Grant the MSSP access to Microsoft Defender Security Center** <br>
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Windows Defender ATP tenant.
This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant.
- **Configure alert notifications sent to MSSPs** <br>
@ -97,7 +97,7 @@ Granting access to guest user is done the same way as granting access to a user
If you're using basic permissions to access the portal, the guest user must be assigned a Security Administrator role in **your** tenant. For more information, see [Use basic permissions to access the portal](basic-permissions.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Windows Defender ATP, see [Manage portal access using RBAC](rbac.md).
If you're using role-based access control (RBAC), the guest user must be to added to the appropriate group or groups in **your** tenant. Fore more information on RBAC in Microsoft Defender ATP, see [Manage portal access using RBAC](rbac.md).
>[!NOTE]
@ -166,7 +166,7 @@ Step 3: allow your application on Microsoft Defender Security Center
### Step 1: Create an application in Azure Active Directory (Azure AD)
You'll need to create an application and grant it permissions to fetch alerts from your customer's Windows Defender ATP tenant.
You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant.
1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/).
@ -296,7 +296,7 @@ You'll need to have **Manage portal system settings** permission to allow the ap
5. Click **Authorize application**.
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md).
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.

12
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -1,5 +1,5 @@
---
title: Configure machine proxy and Internet connection settings
title: Configure device proxy and Internet connection settings
description: Configure the Microsoft Defender ATP proxy and internet settings to enable communication with the cloud service.
keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server
search.product: eADQiWindows 10XVcnh
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Configure machine proxy and Internet connectivity settings
# Configure device proxy and Internet connectivity settings
**Applies to:**
@ -106,8 +106,8 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed below from HTTPS scanning.
> [!NOTE]
> settings-win.data.microsoft.com is only needed if you have Windows 10 machines running version 1803 or earlier.<br>
> URLs that include v20 in them are only needed if you have Windows 10 machines running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 machine running version 1803 or later and onboarded to US Data Storage region.
> settings-win.data.microsoft.com is only needed if you have Windows 10 devices running version 1803 or earlier.<br>
> URLs that include v20 in them are only needed if you have Windows 10 devices running version 1803 or later. For example, ```us-v20.events.data.microsoft.com``` is needed for a Windows 10 device running version 1803 or later and onboarded to US Data Storage region.
Service location | Microsoft.com DNS record
-|-
@ -156,7 +156,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover
1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on.
2. Extract the contents of MDATPClientAnalyzer.zip on the machine.
2. Extract the contents of MDATPClientAnalyzer.zip on the device.
3. Open an elevated command-line:
@ -200,5 +200,5 @@ However, if the connectivity check results indicate a failure, an HTTP error is
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

26
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -1,7 +1,7 @@
---
title: Onboard servers to the Microsoft Defender ATP service
description: Onboard servers so that they can send sensor data to the Microsoft Defender ATP sensor.
keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers
keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -78,7 +78,7 @@ You'll need to take the following steps if you choose to onboard servers through
Otherwise, install and configure MMA to report sensor data to Microsoft Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
### Configure and update System Center Endpoint Protection clients
@ -92,9 +92,9 @@ The following steps are required to enable this integration:
### Turn on Server monitoring from the Microsoft Defender Security Center portal
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
2. Select Windows Server 2012 R2 and 2016 as the operating system.
2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent.
@ -123,7 +123,7 @@ Once completed, you should see onboarded servers in the portal within an hour.
### Option 2: Onboard servers through Azure Security Center
1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**.
1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.
2. Select Windows Server 2008 R2 SP1, 2012 R2 and 2016 as the operating system.
@ -143,13 +143,13 @@ Supported tools include:
- Group Policy
- Microsoft Endpoint Configuration Manager
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
- VDI onboarding scripts for non-persistent devices
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
Support for Windows Server, provide deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md).
2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly:
@ -195,7 +195,7 @@ The following capabilities are included in this integration:
## Offboard servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client machines.
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.
For other server versions, you have two options to offboard servers from the service:
- Uninstall the MMA agent
@ -228,7 +228,7 @@ To offboard the server, you can use either of the following methods:
1. In the navigation pane, select **Settings** > **Onboarding**.
1. Select **Windows Server 2012 R2 and 2016** as the operating system and get your Workspace ID:
1. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system and get your Workspace ID:
![Image of server onboarding](images/atp-server-offboarding-workspaceid.png)
@ -244,8 +244,8 @@ To offboard the server, you can use either of the following methods:
```
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Onboard non-Windows machines](configure-endpoints-non-windows.md)
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Onboard non-Windows devices](configure-endpoints-non-windows.md)
- [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP machine](run-detection-test.md)
- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md)
- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

4
windows/security/threat-protection/microsoft-defender-atp/configure-siem.md
View File

@ -29,8 +29,8 @@ ms.topic: article
>[!NOTE]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.

2
windows/security/threat-protection/microsoft-defender-atp/connected-applications.md
View File

@ -20,7 +20,7 @@ ms.topic: conceptual
# Connected applications in Microsoft Defender ATP
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Connected applications integrates with the Microsoft Defender ATP platform using APIs.

2
windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md
View File

@ -64,7 +64,7 @@ DeviceEvents
You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.

6
windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
View File

@ -28,7 +28,7 @@ Creates new [Alert](alerts.md) on top of **Event**.
<br>**Microsoft Defender ATP Event** is required for the alert creation.
<br>You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
<br>You can use an event found in Advanced Hunting API or Portal.
<br>If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
<br>If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
<br>An automatic investigation starts automatically on alerts created via the API.
@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
@ -71,7 +71,7 @@ Property | Type | Description
:---|:---|:---
eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
machineId | String | Id of the machine on which the event was identified. **Required**.
machineId | String | Id of the device on which the event was identified. **Required**.
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.

24
windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md
View File

@ -23,7 +23,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
> [!NOTE]
> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
@ -36,9 +36,9 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
#### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```kusto
DeviceEvents
@ -72,19 +72,19 @@ When saved, a new or edited custom detection rule immediately runs and checks fo
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines.
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
### 3. Specify actions on files or devices.
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
#### Actions on machines
These actions are applied to machines in the `DeviceId` column of the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the machine
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
#### Actions on devices
These actions are applied to devices in the `DeviceId` column of the query results:
- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan** — performs a full Microsoft Defender Antivirus scan on the device
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device
#### Actions on files
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule.
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
### 4. Click **Create** to save and turn on the rule.

2
windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md
View File

@ -113,7 +113,7 @@ An allowed application or service only has write access to a controlled folder a
### Use Group Policy to allow specific apps
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.

6
windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md
View File

@ -25,7 +25,7 @@ manager: dansimp
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
@ -136,7 +136,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
Exporting the configuration as an XML file allows you to copy the configuration from one device onto other devices.
## PowerShell reference
@ -145,7 +145,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
>Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:

6
windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
View File

@ -30,16 +30,16 @@ This section covers some of the most frequently asked questions regarding privac
## What data does Microsoft Defender ATP collect?
Microsoft Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
This data enables Microsoft Defender ATP to:
- Proactively identify indicators of attack (IOAs) in your organization
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
- Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
Microsoft does not use your data for advertising.

8
windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP
description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used.
keywords: windows defender compatibility, defender, windows defender atp
keywords: windows defender compatibility, defender, microsoft defender atp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -35,12 +35,12 @@ The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Def
>[!IMPORTANT]
>Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings.
You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md).
If an onboarded machine is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode.
Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Microsoft Defender Antivirus interface will be disabled, and users on the machine will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).

2
windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md
View File

@ -33,7 +33,7 @@ There are three phases in deploying Microsoft Defender ATP:
The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
## In Scope

6
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
View File

@ -73,15 +73,15 @@ The following image shows an instance of unwanted software that was detected and
### Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date?
Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date.
### Why do we need cloud protection on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
## Related articles

4
windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md
View File

@ -34,7 +34,7 @@ You can enable controlled folder access by using any of these methods:
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device.
Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
@ -91,7 +91,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
## Group Policy
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.

Some files were not shown because too many files have changed in this diff Show More