deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 16:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

Browse Source
This commit is contained in:
Jeanie Decker 2018-11-30 07:29:43 -08:00
commit 9e6bafd483
49 changed files with 928 additions and 573 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
mdop/dart-v10/getting-started-with-dart-10.md
View File

@ -14,13 +14,12 @@ ms.date: 08/30/2016
# Getting Started with DaRT 10
Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies. For more information about Microsoft training opportunities, see the Microsoft Training Overview at [https://go.microsoft.com/fwlink/p/?LinkId=80347](https://go.microsoft.com/fwlink/?LinkId=80347).
**Note**  
A downloadable version of this administrators guide is not available. However, you can learn about a special mode of the TechNet Library that allows you to select articles, group them in a collection, and print them or export them to a file at <https://go.microsoft.com/fwlink/?LinkId=272493> (https://go.microsoft.com/fwlink/?LinkId=272493).
Additional downloadable information about this product can also be found at <https://go.microsoft.com/fwlink/?LinkId=267420>.
Microsoft Diagnostics and Recovery Toolset (DaRT) 10 requires thorough planning before you deploy it or use its features. If you are new to this product, we recommend that you read the documentation carefully. Before you deploy the product to a production environment, we also recommend that you validate your deployment plan in a test network environment. You might also consider taking a class about relevant technologies.
>[!NOTE]  
>A downloadable version of this administrators guide is not available. However, you can click **Download PDF** at the bottom of the Table of Contents pane to get a PDF version of this guide.
>
>Additional information about this product can also be found on the [Diagnostics and Recovery Toolset documentation download page.](https://www.microsoft.com/download/details.aspx?id=27754)
 
## Getting started with DaRT 10

2
mdop/index.md
View File

@ -167,7 +167,7 @@ MDOP is a suite of products that can help streamline desktop deployment, managem
MDOP subscribers can download the software at the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331).
<a href="" id="purchase-mdop"></a>**Purchase MDOP**
Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/windows/enterprise/how-to-buy.aspx) website to find out how to purchase MDOP for your business.
Visit the enterprise [Purchase Windows Enterprise Licensing](https://www.microsoft.com/licensing/how-to-buy/how-to-buy) website to find out how to purchase MDOP for your business.
 

BIN
windows/client-management/mdm/images/class-guids.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
windows/client-management/mdm/images/hardware-ids.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 64 KiB

178
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -6,14 +6,11 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/23/2018
ms.date: 11/30/2018
---
# Policy CSP - DeviceInstallation
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<hr/>
@ -80,12 +77,20 @@ ms.date: 07/23/2018
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install.
> [!TIP]
> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
![Hardware IDs](images/hardware-ids.png)
<!--/Description-->
> [!TIP]
@ -95,6 +100,7 @@ If you disable or do not configure this policy setting, and no other policy sett
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow installation of devices that match any of these device IDs*
@ -114,6 +120,37 @@ ADMX Info:
<!--/Validation-->
<!--/Policy-->
To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `&#xF000;` as a delimiter.
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">string</Format>
</Meta>
<Data><enabled/><Data id="DeviceInstall_IDs_Allow_List" value="1&#xF000;USB\Composite&#xF000;2&#xF000;USB\Class_FF"/></Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
<hr/>
<!--Policy-->
@ -152,12 +189,23 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install.
> [!TIP]
> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.
If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID.
If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu:
![Class GUIDs](images/class-guids.png)
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -166,6 +214,7 @@ If you disable or do not configure this policy setting, and no other policy sett
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow installation of devices using drivers that match these device setup classes*
@ -185,6 +234,40 @@ ADMX Info:
<!--/Validation-->
<!--/Policy-->
To enable this policy, use the following SyncML. This example allows Windows to install CD-ROM drives, floppy disks, and modems.
Enclose the class GUID within curly brackets {}. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true.
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">string</Format>
</Meta>
<Data><enabled/><Data id="DeviceInstall_Classes_Allow_List" value="1&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;3&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}"/></Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
<hr/>
<!--Policy-->
@ -229,6 +312,8 @@ If you enable this policy setting, Windows does not retrieve device metadata for
If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -300,6 +385,7 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -371,6 +457,13 @@ If you enable this policy setting, Windows is prevented from installing a device
If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
For more information about hardware IDs and compatible IDs, see [Device Identification Strings](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings).
To get the hardware ID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Hardware Ids** from the **Property** menu:
![Hardware IDs](images/hardware-ids.png)
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -389,7 +482,38 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true.
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">string</Format>
</Meta>
<Data><enabled/><data id="DeviceInstall_IDs_Deny_Retroactive" value="true"/><Data id="DeviceInstall_IDs_Deny_List" value="1&#xF000;USB\Composite&#xF000;2&#xF000;USB\Class_FF"/></Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
<!--Policy-->
<a href="" id="deviceinstallation-preventinstallationofmatchingdevicesetupclasses"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
@ -433,6 +557,13 @@ If you enable this policy setting, Windows is prevented from installing or updat
If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
For a list of Class and ClassGUID entries for device setup classes, see [System-Defined Device Setup Classes Available to Vendors](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
To get the ClassGUID for a device, open Device Manager, right-click the name of the device and click **Properties**. On the **Details** tab, select **Class GUID** from the **Property** menu:
![Class GUIDs](images/class-guids.png)
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
@ -452,13 +583,46 @@ ADMX Info:
<!--/Policy-->
<hr/>
To enable this policy, use the following SyncML. This example prevents Windows from installing CD-ROM drives, floppy disks, and modems (ClassGuid= {4d36e980-e325-11ce-bfc1-08002be10318}). This policy example also applies to matching device classes that are already installed.
Enclose the class GUID within curly brackets {}. To configure multiple classes, use `&#xF000;` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true.
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">string</Format>
</Meta>
<Data><enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/><Data id="DeviceInstall_Classes_Deny_List" value="1&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;2&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}&#xF000;3&#xF000;{4d36e969-e325-11ce-bfc1-08002be10318}"/></Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
To verify the policies are applied properly, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log:
```txt
>>> [Device Installation Restrictions Policy Check]
>>> Section start 2018/11/15 12:26:41.659
<<< Section end 2018/11/15 12:26:41.751
<<< [Exit status: SUCCESS]
```
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
- 5 - Added in Windows 10, version 1809.
<!--/Policies-->

4
windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md
View File

@ -35,10 +35,10 @@ When replacing a users device, UE-V automatically restores settings if the us
You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell:
``` syntax
Restore-UevBackup -Machine <MachineName>
Restore-UevBackup -ComputerName <Computer name>
```
where &lt;MachineName&gt; is the computer name of the device.
where &lt;ComputerName&gt; is the computer name of the device.
Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile.

22
windows/deployment/update/servicing-stack-updates.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: medium
ms.author: jaimeo
ms.date: 11/13/2018
ms.date: 11/29/2018
---
# Servicing stack updates
@ -15,38 +15,38 @@ ms.date: 11/13/2018
**Applies to**
- Windows 10
- Windows 10, Windows 8.1, Windows 8, Windows 7
## What is a servicing stack update?
The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. Servicing stack updates improve the reliability and performance of the update process.
Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
## When are they released?
Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
Servicing stack update are scheduled to release simultaneously with the monthly quality updates. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
>[!NOTE]
>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
## What's the difference between a servicing stack update and a cumulative update?
Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
However, there are some operating system fixes that arent included in a cumulative update but are still pre-requisites for the cumulative update. That is, the component that performs the actual updates sometimes itself requires an update. Those fixes are available in a servicing stack update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
If a given cumulative update required a servicing stack update, you'll see that information in the release notes for the update. **If you try to install the cumulative update without installing the servicing stack update, you'll get an error.**
## Is there any special guidance?
Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
## Installation notes
* Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
* Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
* Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
* Search to install latest available [Servicing stack update for Windows 10](https://support.microsoft.com/search?query=servicing%20stack%20update%20Windows%2010).
* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).

2
windows/deployment/upgrade/upgrade-readiness-data-sharing.md
View File

@ -42,7 +42,7 @@ In order to set the WinHTTP proxy system-wide on your computers, you need to
The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3.
If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog
If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/).
### Logged-in users Internet connection

9
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/16/2018
ms.date: 11/29/2018
---
# TPM recommendations
@ -64,6 +64,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE]
> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Discrete, Integrated or Firmware TPM?
There are three implementation options for TPMs:
@ -113,6 +116,10 @@ The following table defines which Windows features require TPM support.
| TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | |
| Virtual Smart Card | Yes | Yes | Yes | |
| Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. |
| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. |
## OEM Status on TPM 2.0 system availability and certified parts

4
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms-author: v-anbic
ms.date: 08/21/2018
ms.date: 11/29/2018
---
# Trusted Platform Module Technology Overview
@ -69,7 +69,7 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1).
> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation

8
windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 10/12/2018
ms.date: 11/28/2018
---
# How Windows Information Protection protects files with a sensitivity label
@ -27,11 +27,13 @@ Microsoft information protection technologies work together as an integrated sol
Microsoft information protection technologies include:
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
![Sensitivity labels](images/sensitivity-labels.png)

3
windows/security/threat-protection/TOC.md
View File

@ -265,7 +265,7 @@
######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md)
######## [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md)
######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -284,6 +284,7 @@
######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md)
######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md)
######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

7
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: jsuther1974
ms.date: 05/03/2018
ms.date: 11/28/2018
---
# Windows Defender Application Control
@ -17,6 +17,7 @@ ms.date: 05/03/2018
- Windows 10
- Windows Server 2016
- Windows Server 2019
With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks.
In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative.
@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
## WDAC System Requirements
WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016.
WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016.
They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune.
Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016.
Group Policy or Intune can be used to distribute WDAC policies.
## New and changed functionality

4
windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md
View File

@ -8,14 +8,14 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 09/07/2018
ms.date: 11/27/2018
---
# Windows Defender Application Guard overview
**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

4
windows/security/threat-protection/windows-defender-atp/TOC.md
View File

@ -262,7 +262,7 @@
####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md)
###### [Machine](machine-windows-defender-advanced-threat-protection-new.md)
####### [Get machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md)
####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md)
####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md)
####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md)
@ -280,7 +280,7 @@
####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md)
####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md)
####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)
####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md)
###### [User](user-windows-defender-advanced-threat-protection-new.md)
####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md)

41
windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md
View File

@ -15,10 +15,12 @@ ms.date: 12/08/2017
# Add or Remove Machine Tags API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
- Adds or remove tag to a specific machine.
## Permissions
@ -68,10 +70,10 @@ Here is an example of a request that adds machine tag.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/machines/863fed4b174465c703c6e412965a31b5e1884cc4/tags
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
Content-type: application/json
{
"Value" : "Test Tag",
"Value" : "test Tag 2",
"Action": "Add"
}
@ -85,26 +87,25 @@ HTTP/1.1 200 Ok
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity",
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine55.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": "2018-09-27T08:44:05.6228836Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"machineTags": [
"Test Tag"
],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```
To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.
- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body.

14
windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
View File

@ -37,12 +37,12 @@ To effectively build queries that span multiple tables, you need to understand t
| ActionType | string | Type of activity that triggered the event |
| AdditionalFields | string | Additional information about the event in JSON array format |
| AlertId | string | Unique identifier for the alert |
| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
| ComputerName | string | Fully qualified domain name (FQDN) of the machine |
| ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if its connected publicly to the internet. |
| DefaultGateways | string | Default gateway addresses in JSON array format |
| DnsServers | string | DNS server addresses in JSON array format |
| DnsAddresses | string | DNS server addresses in JSON array format |
| EventTime | datetime | Date and time when the event was recorded |
| EventType | string | Table where the record is stored |
| FileName | string | Name of the file that the recorded action was applied to |
| FileOriginIp | string | IP address where the file was downloaded from |
| FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file |
@ -61,7 +61,7 @@ To effectively build queries that span multiple tables, you need to understand t
| InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event |
| InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started |
| InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event |
| InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event |
| InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. |
| InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
@ -71,6 +71,7 @@ To effectively build queries that span multiple tables, you need to understand t
| IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
| LocalIP | string | IP address assigned to the local machine used during communication |
| LocalPort | int | TCP port on the local machine used during communication |
| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. |
| LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format |
| LogonType | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br>
@ -81,7 +82,6 @@ To effectively build queries that span multiple tables, you need to understand t
| NetworkAdapterName | string | Name of the network adapter |
| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). |
| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). |
| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format |
| OSArchitecture | string | Architecture of the operating system running on the machine |
| OSBuild | string | Build version of the operating system running on the machine |
| OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. |
@ -94,7 +94,7 @@ To effectively build queries that span multiple tables, you need to understand t
| ProcessId | int | Process ID (PID) of the newly created process |
| ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. |
| ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log |
| Protocol | string | IP protocol used, whether TCP or UDP |
| PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. |
| RegistryKey | string | Registry key that the recorded action was applied to |
| RegistryValueData | string | Data of the registry value that the recorded action was applied to |
@ -102,12 +102,14 @@ To effectively build queries that span multiple tables, you need to understand t
| RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to |
| RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |
| RemoteIP | string | IP address that was being connected to |
| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast |
| RemotePort | int | TCP port on the remote device that was being connected to |
| RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to |
| ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. |
| SHA1 | string | SHA-1 of the file that the recorded action was applied to |
| SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. |
| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example: <br> - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP) <br> - VPN (PPTP, SSTP) <br> - SSH <br> **NOTE:** This field doesnt provide full IP tunneling specifications. |
| Table | string | Table that contains the details of the event |
| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH |
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)

19
windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
View File

@ -65,15 +65,16 @@ For more information on the query language and supported operators, see [Query L
The following tables are exposed as part of Advanced hunting:
- **AlertEvents** - Stores alerts related information
- **MachineInfo** - Stores machines properties
- **ProcessCreationEvents** - Stores process creation events
- **NetworkCommunicationEvents** - Stores network communication events
- **FileCreationEvents** - Stores file creation, modification, and rename events
- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events
- **LogonEvents** - Stores login events
- **ImageLoadEvents** - Stores load dll events
- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others.
- **AlertEvents** - Alerts on Windows Defender Security Center
- **MachineInfo** - Machine information, including OS information
- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains
- **ProcessCreationEvents** - Process creation and related events
- **NetworkCommunicationEvents** - Network connection and related events
- **FileCreationEvents** - File creation, modification, and other file system events
- **RegistryEvents** - Creation and modification of registry entries
- **LogonEvents** - Login and other authentication events
- **ImageLoadEvents** - DLL loading events
- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts
These tables include data from the last 30 days.

63
windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -17,7 +17,7 @@ ms.date: 12/08/2017
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
[!include[Prerelease information](prerelease.md)]
Represents an alert entity in WDATP.
@ -37,45 +37,48 @@ Method|Return Type |Description
# Properties
Property | Type | Description
:---|:---|:---
id | String | Alert ID
severity | String | Severity of the alert. Allowed values are: 'Low', 'Medium' and 'High'.
status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'.
id | String | Alert ID.
incidentId | String | The [Incident](incidents-queue.md) ID of the Alert.
assignedTo | String | Owner of the alert.
severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'.
status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'.
investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' .
classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' .
detectionSource | string | Detection source.
threatFamilyName | string | Threat family.
title | string | Alert title.
description | String | Description of the threat, identified by the alert.
recommendedAction | String | Action recommended for handling the suspected threat.
alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created.
category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'.
title | string | Alert title
threatFamilyName | string | Threat family
detectionSource | string | Detection source
assignedTo | String | Owner of the alert
classification | String | Specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'.
determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'
lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine.
resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'.
lastEventTime | DateTimeOffset | The last occurrence of the event that triggered the alert on the same machine.
firstEventTime | DateTimeOffset | The first occurrence of the event that triggered the alert on that machine.
machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert.
# JSON representation
```json
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

4
windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/03/2018
ms.date: 11/28/2018
---
# Assign user access to Windows Defender Security Center
@ -31,7 +31,7 @@ Windows Defender ATP supports two ways to manage permissions:
> [!NOTE]
>If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch:
>- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC.
>- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Windows Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC.
>- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC.
>- After switching to RBAC, you will not be able to switch back to using basic permissions management.

4
windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md
View File

@ -39,7 +39,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
## HTTP request
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
```
## Request headers
@ -77,7 +77,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
POST https://api.securitycenter.windows.com/api/CreateAlertByReference
POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference
Content-Length: application/json
{

179
windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md
View File

@ -21,12 +21,17 @@ ms.date: 11/15/2018
- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/)
- Currently, [Machine](machine-windows-defender-advanced-threat-protection-new.md) and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities supports all OData queries.
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md) entity support all OData queries except $filter.
- Not all properties are filterable.
### Properties that supports $filter:
- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category.
- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId.
- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc.
### Example 1
**Get all the machines with the tag 'ExampleTag'**
- Get all the machines with the tag 'ExampleTag'
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@ -41,25 +46,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "b9d4c51123327fb2a25db29ff1b8f3b64888e7ba",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2018-03-07T11:19:11.7234147Z",
"lastSeen": "2018-11-15T11:23:38.3196947Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.17.255.241",
"lastExternalIpAddress": "123.220.196.180",
"agentVersion": "10.6400.18282.1001",
"osBuild": 18282,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"machineTags": [
"ExampleTag"
],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "North",
"aadDeviceId": null
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -70,6 +73,50 @@ Content-type: application/json
### Example 2
- Get all the alerts that created after 2018-10-20 00:00:00
```
HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z
```
**Response:**
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
.
.
.
]
}
```
### Example 3
- Get all the machines with 'High' 'RiskScore'
```
@ -85,23 +132,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "e3a77eeddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -110,7 +157,7 @@ Content-type: application/json
}
```
### Example 3
### Example 4
- Get top 100 machines with 'HealthStatus' not equals to 'Active'
@ -127,23 +174,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "1113333ddb83d581238792387b1239b01286b2f",
"computerDnsName": "examples.dev.corp.Contoso.com",
"firstSeen": "2016-11-02T23:26:03.7882168Z",
"lastSeen": "2018-11-12T10:27:08.708723Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "123.123.10.33",
"lastExternalIpAddress": "124.124.160.172",
"agentVersion": "10.6300.18279.1001",
"osBuild": 18279,
"healthStatus": "ImpairedCommunication",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "Medium",
"aadDeviceId": "d90b0b99-1234-1234-1234-b91d50c6796a"
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -152,12 +199,12 @@ Content-type: application/json
}
```
### Example 4
### Example 5
- Get all the machines that last seen after 2018-10-20
```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-10-20Z
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
```
**Response:**
@ -169,23 +216,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "83113465ffceca4a731234e5dcde3357e026e873",
"computerDnsName": "examples-vm10",
"firstSeen": "2018-11-12T16:07:50.1706168Z",
"lastSeen": "2018-11-12T16:07:50.1706168Z",
"osPlatform": "WindowsServer2019",
"osVersion": null,
"lastIpAddress": "10.123.72.35",
"lastExternalIpAddress": "123.220.2.3",
"agentVersion": "10.6300.18281.1000",
"osBuild": 18281,
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 5,
"rbacGroupName": "Developers",
"riskScore": "None",
"aadDeviceId": null
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "High",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ]
},
.
.
@ -194,7 +241,7 @@ Content-type: application/json
}
```
### Example 5
### Example 6
- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP

30
windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md
View File

@ -15,11 +15,12 @@ ms.date: 12/08/2017
# Find machines by internal IP API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
- The given timestamp must be in the past 30 days.
@ -83,22 +84,23 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "863fed4b174465c703c6e412965a31b5e1884cc4",
"computerDnsName": "mymachine33.contoso.com",
"firstSeen": "2018-07-31T14:20:55.8223496Z",
"lastSeen": null,
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-09-22T08:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "10.248.240.38",
"lastExternalIpAddress": "167.220.2.166",
"agentVersion": "10.3720.16299.98",
"osBuild": 16299,
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "Medium",
"aadDeviceId": null
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
]
}

33
windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -64,7 +64,7 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442
```
**Response**
@ -75,24 +75,25 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"id": "636688558380765161_2136280442",
"severity": "Informational",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

29
windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md
View File

@ -14,12 +14,13 @@ ms.date: 12/08/2017
---
# Get alert related machine information API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves machine that is related to a specific alert.
- Retrieves machine that is related to a specific alert.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -77,22 +78,22 @@ HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity",
"id": "ff0c3800ed8d66738a514971cd6867166809369f",
"computerDnsName": "amazingmachine.contoso.com",
"firstSeen": "2017-12-10T07:47:34.4269783Z",
"lastSeen": "2017-12-10T07:47:34.4269783Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": "10.0.0.0",
"systemProductName": null,
"lastIpAddress": "172.17.0.0",
"lastExternalIpAddress": "167.220.0.0",
"agentVersion": "10.5830.17732.1001",
"osBuild": 17732,
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 75,
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": "80fe8ff8-0000-0000-9591-41f0491218f9"
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

75
windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -21,8 +21,10 @@ ms.date: 12/08/2017
[!include[Prerelease information](prerelease.md)]
Retrieves top recent alerts.
- Retrieves a collection of Alerts.
- Supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -81,50 +83,55 @@ Here is an example of the response.
>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call.
```
```json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

62
windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -84,44 +84,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

58
windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -80,42 +80,42 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines",
"value": [
{
"id": "02ea9a24e8bd39c247ed7ca0edae879c321684e5",
"computerDnsName": "testMachine1",
"firstSeen": "2018-07-30T20:12:00.3708661Z",
"lastSeen": "2018-07-30T20:12:00.3708661Z",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.67.177",
"lastExternalIpAddress": "167.220.1.210",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"healthStatus": "Inactive",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "02efb9a9b85f07749a018fbf3f962b4700b3b949",
"computerDnsName": "testMachine2",
"firstSeen": "2018-07-30T19:50:47.3618349Z",
"lastSeen": "2018-07-30T19:50:47.3618349Z",
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"lastIpAddress": "10.209.70.231",
"lastExternalIpAddress": "167.220.0.28",
"agentVersion": "10.5830.18208.1000",
"osBuild": 18208,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"isAadJoined": false,
"machineTags": [],
"rbacGroupId": 75,
"riskScore": "None",
"aadDeviceId": null
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

33
windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -82,24 +82,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"severity": "Low",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop@contoso.com",
"severity": "High",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

25
windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -14,13 +14,14 @@ ms.date: 12/08/2017
---
# Get file related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Retrieves a collection of machines related to a given file hash.
- Retrieves a collection of machines related to a given file hash.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -83,39 +84,37 @@ Content-type: application/json
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"computerDnsName": "mymachine1.contoso.com",
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
"computerDnsName": "mymachine2.contoso.com",
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lasttSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

33
windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

20
windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -85,18 +85,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"riskScore": "Low",
"aadDeviceId": null
"rbacGroupName": "The-A-Team",
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -104,18 +104,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

17
windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md
View File

@ -15,12 +15,13 @@ ms.date: 12/08/2017
# Get machine by ID API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a machine entity by ID.
[!include[Prerelease information](prerelease.md)]
- Retrieves a machine entity by ID.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -85,18 +86,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
}
```

33
windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -81,24 +81,25 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636692391408655573_2010598859",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "New",
"description": "test alert",
"recommendedAction": "do this and that",
"alertCreationTime": "2018-08-07T11:45:40.0199932Z",
"category": "None",
"title": "test alert",
"threatFamilyName": null,
"detectionSource": "CustomerTI",
"classification": null,
"determination": null,
"assignedTo": null,
"status": "InProgress",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-03T16:45:21.7115182Z",
"firstEventTime": "2018-08-03T16:45:21.7115182Z",
"actorName": null,
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

4
windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md
View File

@ -14,12 +14,14 @@ ms.date: 12/08/2017
---
# Get machineAction API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Get action performed on a machine.
- Get action performed on a machine.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)

13
windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md
View File

@ -15,14 +15,16 @@ ms.date: 12/08/2017
# List MachineActions API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Gets collection of actions done on machines.
Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
[!include[Prerelease information](prerelease.md)]
- Gets collection of actions done on machines.
- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
@ -167,3 +169,6 @@ Content-type: application/json
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

34
windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -15,15 +15,16 @@ ms.date: 12/08/2017
# List machines API
[!include[Prerelease information](prerelease.md)]
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId"
[!include[Prerelease information](prerelease.md)]
- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days.
- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/).
- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId".
- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)
## Permissions
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,19 +107,22 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}
```
## Related topics
- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md)

62
windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md
View File

@ -81,44 +81,46 @@ Content-type: application/json
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts",
"value": [
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"id": "441688558380765161_2136280442",
"incidentId": 8633,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"description": "Some alert description 1",
"recommendedAction": "Some recommended action 1",
"alertCreationTime": "2018-08-03T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 1",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-25T16:19:21.8409809Z",
"firstEventTime": "2018-11-25T16:17:50.0948658Z",
"lastEventTime": "2018-11-25T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-02T07:02:52.0894451Z",
"firstEventTime": "2018-08-02T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369f"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
},
{
"id": "636688558380765161_2136280442",
"severity": "Informational",
"id": "121688558380765161_2136280442",
"incidentId": 4123,
"assignedTo": "secop@contoso.com",
"severity": "Low",
"status": "InProgress",
"description": "Some alert description 2",
"recommendedAction": "Some recommended action 2",
"alertCreationTime": "2018-08-04T01:17:17.9516179Z",
"category": "General",
"title": "Some alert title 2",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": "TruePositive",
"determination": null,
"assignedTo": "best secop ever",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-24T16:19:21.8409809Z",
"firstEventTime": "2018-11-24T16:17:50.0948658Z",
"lastEventTime": "2018-11-24T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-03T07:02:52.0894451Z",
"firstEventTime": "2018-08-03T07:02:52.0894451Z",
"actorName": null,
"machineId": "ff0c3800ed8d66738a514971cd6867166809369d"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
]
}

21
windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md
View File

@ -14,6 +14,7 @@ ms.date: 12/08/2017
---
# Get user related machines API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -87,18 +88,18 @@ Content-type: application/json
"firstSeen": "2018-08-02T14:55:03.7791856Z",
"lastSeen": "2018-08-02T14:55:03.7791856Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "172.17.230.209",
"lastExternalIpAddress": "167.220.196.71",
"agentVersion": "10.5830.18209.1001",
"osBuild": 18209,
"healthStatus": "Active",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": true,
"aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9",
"machineTags": [ "test tag 1", "test tag 2" ]
},
{
"id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7",
@ -106,18 +107,18 @@ Content-type: application/json
"firstSeen": "2018-07-09T13:22:45.1250071Z",
"lastSeen": "2018-07-09T13:22:45.1250071Z",
"osPlatform": "Windows10",
"osVersion": null,
"systemProductName": null,
"osVersion": "10.0.0.0",
"lastIpAddress": "192.168.12.225",
"lastExternalIpAddress": "79.183.65.82",
"agentVersion": "10.5820.17724.1000",
"osBuild": 17724,
"healthStatus": "Inactive",
"isAadJoined": true,
"machineTags": [],
"rbacGroupId": 140,
"rbacGroupName": "The-A-Team",
"riskScore": "Low",
"aadDeviceId": null
"isAadJoined": false,
"aadDeviceId": null,
"machineTags": [ "test tag 1" ]
}
]
}

15
windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md
View File

@ -35,13 +35,14 @@ firstSeen | DateTimeOffset | First date and time where the [machine](machine-win
lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP.
osPlatform | String | OS platform.
osVersion | String | OS Version.
lastIpAddress | Ip | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | Ip | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet.
agentVersion | String | Version of WDATP agent.
osBuild | Int | OS build number.
osBuild | Nullable long | OS build number.
healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
isAadJoined | Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
rbacGroupId | Int | RBAC Group ID.
rbacGroupName | String | RBAC Group Name.
riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined.
aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).
machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags.
rbacGroupId | Int | Group ID.
riskScore | String | Risk score as evaludated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'.
aadDeviceId | String | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined).

2
windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
View File

@ -22,7 +22,7 @@ ms.date: 11/26/2018
[!include[Prerelease information](prerelease.md)]
>![TIP]
>[!TIP]
>Go to **Advanced features** in the **Settings** page to turn on the preview features.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)

3
windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 11/05/2018
ms.date: 11/28/2018
---
# Take response actions on a machine
@ -122,6 +122,7 @@ In addition to the ability of containing an attack by stopping malicious process
>[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later.
> - This feature is available if your organization uses Windows Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).

105
windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md Normal file
View File

@ -0,0 +1,105 @@
---
title: Stop and quarantine file API
description: Use this API to stop and quarantine file.
keywords: apis, graph api, supported apis, stop and quarantine file
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 12/08/2017
---
# Stop and quarantine file API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
- Stop execution of a file on a machine and delete it.
[!include[Machine actions note](machineactionsnote.md)]
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md)
Permission type | Permission | Permission display name
:---|:---|:---
Application | Machine.StopAndQuarantine | 'Stop And Quarantine'
Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information)
## HTTP request
```
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
```
## Request headers
Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
Content-Type | string | application/json. **Required**.
## Request body
In the request body, supply a JSON object with the following parameters:
Parameter | Type | Description
:---|:---|:---
Comment | String | Comment to associate with the action. **Required**.
Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**.
## Response
If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body.
## Example
**Request**
Here is an example of the request.
```
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
```
**Response**
Here is an example of the response.
[!include[Improve request performance](improverequestperformance-new.md)]
```
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "141408d1-384c-4c19-8b57-ba39e378011a",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": {
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1"
}
}
```

39
windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md
View File

@ -72,10 +72,10 @@ Here is an example of the request.
[!include[Improve request performance](improverequestperformance-new.md)]
```
PATCH https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442
PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442
Content-Type: application/json
{
"assignedTo": "Our designated secop"
"assignedTo": "secop2@contoso.com"
}
```
@ -86,23 +86,24 @@ Here is an example of the response.
```
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity",
"id": "636688558380765161_2136280442",
"severity": "Medium",
"status": "InProgress",
"description": "An anomalous memory operation appears to be tampering with a process associated with the Windows Defender EDR sensor.",
"recommendedAction": "A. Validate the alert.\n1. Examine the process involved in the memory operation to determine whether the process and the observed activities are normal. \n2. Check for other suspicious activities in the machine timeline.\n3. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.\n4. Submit relevant files for deep analysis and review file behaviors. \n5. Identify unusual system activity with system owners. \n\nB. Scope the incident. Find related machines, network addresses, and files in the incident graph. \n\nC. Contain and mitigate the breach. Stop suspicious processes, isolate affected machines, decommission compromised accounts or reset passwords, block IP addresses and URLs, and install security updates.\n\nD. Contact your incident response team, or contact Microsoft support for investigation and remediation services.",
"alertCreationTime": "2018-08-07T10:18:04.2665329Z",
"category": "Installation",
"title": "Possible sensor tampering in memory",
"threatFamilyName": null,
"detectionSource": "WindowsDefenderAtp",
"classification": null,
"determination": null,
"assignedTo": "Our designated secop",
"id": "121688558380765161_2136280442",
"incidentId": 7696,
"assignedTo": "secop2@contoso.com",
"severity": "High",
"status": "New",
"classification": "TruePositive",
"determination": "Malware",
"investigationState": "Running",
"category": "MalwareDownload",
"detectionSource": "WindowsDefenderAv",
"threatFamilyName": "Mikatz",
"title": "Windows Defender AV detected 'Mikatz', high-severity malware",
"description": "Some description"
"recommendedAction": "Some recommended action"
"alertCreationTime": "2018-11-26T16:19:21.8409809Z",
"firstEventTime": "2018-11-26T16:17:50.0948658Z",
"lastEventTime": "2018-11-26T16:18:01.809871Z",
"resolvedTime": null,
"lastEventTime": "2018-08-07T10:14:35.470671Z",
"firstEventTime": "2018-08-07T10:14:35.470671Z",
"actorName": null,
"machineId": "a2250e1cd215af1ea2818ef8d01a564f67542857"
"machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337"
}
```

16
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 11/19/2018
ms.date: 11/29/2018
---
# Reduce attack surfaces with attack surface reduction rules
@ -31,6 +31,8 @@ Attack surface reduction rules help prevent actions and apps that are typically
When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information.
Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019.
## Requirements
Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md).
@ -64,9 +66,6 @@ This rule blocks the following file types from being run or launched from an ema
- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file)
- Script archive files
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block all Office applications from creating child processes
Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access.
@ -88,18 +87,12 @@ Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to
This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block JavaScript or VBScript From launching downloaded executable content
JavaScript and VBScript scripts can be used by malware to launch other malicious apps.
This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
### Rule: Block execution of potentially obfuscated scripts
Malware and other threats can attempt to obfuscate or hide their malicious code in some script files.
@ -132,9 +125,6 @@ This rule provides an extra layer of protection against ransomware. Executable f
Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!IMPORTANT]
>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders).
>[!NOTE]
>Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat.

3
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
ms.date: 11/29/2018
---
# Protect important folders with controlled folder access
@ -33,6 +33,7 @@ The protected folders include common system folders, and you can [add additional
You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.
## Requirements

40
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/17/2018
ms.date: 11/27/2018
---
# Customize attack surface reduction rules
@ -28,7 +28,7 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
## Exclude files and folders
You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running.
This could potentially allow unsafe files to run and infect your devices.
@ -41,28 +41,24 @@ You can specify individual files or folders (using folder paths or fully qualifi
Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists).
Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe.
Exclusions apply to all attack surface reduction rules.
>[!IMPORTANT]
>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table).
Rule description | Rule honors exclusions | GUID
Rule description | GUID
-|:-:|-
Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark yes](images/svg/check-yes.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
Block Win32 API calls from Office macro 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B
Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899
Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D
Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25
Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35
Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c
Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4
Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869
Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c
See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule.

6
windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/09/2018
ms.date: 11/29/2018
---
# Protect devices from exploits
@ -22,10 +22,10 @@ ms.date: 08/09/2018
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).

6
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 08/09/2018
ms.date: 11/29/2018
---
# Protect your network
@ -24,8 +24,10 @@ Network protection helps reduce the attack surface of your devices from Internet
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later.
>[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works.
Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md).