Merge branch 'master' into MDBranchUpdateOnboardServersTopic

ManikaDhiman
2020-07-01 09:15:56 -07:00
8 changed files with 233 additions and 221 deletions

Binary file not shown.

View File

@ -19,10 +19,10 @@ ms.reviewer:
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
**Applies to**
- Windows 10, version 1703 or later
- On-premises deployment
- Certificate trust
- Windows 10, version 1703 or later
- On-premises deployment
- Certificate trust
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
@ -38,6 +38,19 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.
## Update Windows Server 2016
Sign-in the federation server with _local admin_ equivalent credentials.
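Review bot: the note added in this hunk has several text defects and may belong in a different article. Step 1 misspells "Browse" as "Brose" (the copy of the same note added to the hybrid article spells it correctly); step 5 runs two sentences together ("...that has the ClientRoleIdentifier Make a note of the ObjectIdentifier") and the ClientRoleIdentifier value the reader is supposed to match appears to have been dropped; step 6 opens a quotation mark before `Set-AdfsApplicationPermission` that is never closed; "Powershell" should be "PowerShell"; step 9 reads "then need to collect", suggest "then collect". More substantively, the note describes an AD FS 2019 issue with Hybrid Certificate trust, while this article's "Applies to" block is the on-premises certificate trust deployment, so either state that it does not apply to on-premises or drop this copy and keep the one in the hybrid article.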
@ -52,9 +65,10 @@ Sign-in the federation server with _local admin_ equivalent credentials.
Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
* Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com*
- Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
- Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
- Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com*
You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
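Review bot: the bullet style switches from `*` to `-` in this hunk, but the Review lists later in the same file (the -241,12 and -490,8 hunks) keep `*`; pick one style for the whole article. Also, "Subject Alternate Name" should be "Subject Alternative Name", the X.509 extension name, and the wildcard example `*.corp.contoso.com` has an unpaired `*` that markdown will read as the start of italics; wrapping the names in backticks, as the Defender exclusions file in this same commit does for paths, avoids the rendering problem.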
@ -65,6 +79,7 @@ Its recommended that you mark the private key as exportable so that the same
Be sure to enroll or import the certificate into the AD FS servers computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
### Internal Web Server Authentication Certificate Enrollment
Sign-in the federation server with domain administrator equivalent credentials.
1. Start the Local Computer **Certificate Manager** (certlm.msc).
@ -83,10 +98,11 @@ A server authentication certificate should appear in the computers Personal c
## Deploy the Active Directory Federation Service Role
The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments.
* Device registration
* Key registration
* Certificate registration authority (certificate trust deployments)
The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments:
- Device registration
- Key registration
- Certificate registration authority (certificate trust deployments)
>[!IMPORTANT]
> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
@ -94,6 +110,7 @@ The Active Directory Federation Service (AD FS) role provides the following serv
Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration.
Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
1. Start **Server Manager**. Click **Local Server** in the navigation pane.
2. Click **Manage** and then click **Add Roles and Features**.
3. Click **Next** on the **Before you begin** page.
@ -107,12 +124,13 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
## Review
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm the AD FS farm uses the correct database configuration.
* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load.
* Confirm **all** AD FS servers in the farm have the latest updates.
* Confirm all AD FS servers have a valid server authentication certificate
* The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
* The alternate name of the certificate contains a wildcard or the FQDN of the federation service
- Confirm the AD FS farm uses the correct database configuration.
- Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load.
- Confirm **all** AD FS servers in the farm have the latest updates.
- Confirm all AD FS servers have a valid server authentication certificate.
- The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
- The alternate name of the certificate contains a wildcard or the FQDN of the federation service.
## Device Registration Service Account Prerequisite
@ -130,8 +148,9 @@ GMSA uses the Microsoft Key Distribution Service that is located on Windows Serv
#### Create KDS Root Key
Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
1. Start an elevated Windows PowerShell console.
2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`
2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`.
### Windows Server 2008 or 2008 R2 Domain Controllers
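Review bot: the only change here is a trailing period, but the command deserves a caveat in the text. `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)` backdates the KDS root key so it is usable immediately instead of after the 10-hour window the KDS allows for the key to replicate to every domain controller. That is fine in a lab or a single-DC domain, but in a multi-DC domain a gMSA created before replication completes can fail to retrieve its password. Suggest adding a sentence recommending `Add-KdsRootKey -EffectiveImmediately` for production, followed by waiting the 10 hours (or confirming replication) before creating the AD FS gMSA.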
@ -140,6 +159,7 @@ Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key
#### Create an AD FS Service Account
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
1. Open **Active Directory Users and Computers**.
2. Right-click the **Users** container, Click **New**. Click **User**.
3. In the **New Object User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
@ -241,12 +261,12 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
## Review
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you followed the correct procedures based on the domain controllers used in your deployment
* Confirm you followed the correct procedures based on the domain controllers used in your deployment.
* Windows Server 2012 or Windows Server 2012 R2
* Windows Server 2008 or Windows Server 2008 R2
* Confirm you have the correct service account based on your domain controller version.
* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs.
* Confirm you used a certificate with the correct names as the server authentication certificate
* Confirm you used a certificate with the correct names as the server authentication certificate.
* Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
* Certificate serial number
* Certificate thumbprint
@ -282,8 +302,8 @@ Sign-in a certificate authority or management workstations with _domain administ
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
>[!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
> [!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
8. On the **Security** tab, click **Add**.
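Review bot: this hunk only adds a space to the `[!NOTE]` marker; the note body has a UI naming inconsistency and omits a security caveat. "Build from this Active Directory information" and "Supply in the request" are option names and should be bolded like the other UI labels in step 6 (`**Supply in the request**`). Because the template lets the requester supply the subject, the note should also point forward to step 8 and make explicit that Enroll on this enrollment agent template should be granted only to the AD FS service account, so no other principal can request an enrollment agent certificate with an arbitrary subject.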
@ -316,11 +336,12 @@ Sign-in a certificate authority or management workstations with _domain administ
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
**Note:** If you use different template names, youll need to remember and substitute these names in different portions of the deployment.
> [!NOTE]
> If you use different template names, youll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box.
* Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
10. On the **Request Handling** tab, select the **Renew with same key** check box.
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
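Review bot: the `* Select **Application policy** ...` sub-item of step 8 loses its bullet in this hunk and becomes a bare paragraph, which splits the numbered list (step 9 may restart numbering in the rendered page); keep it as an indented continuation of step 8. Two pre-existing defects in the same lines are worth fixing while here: step 8 has the bold marker misplaced ("the T**his number of authorized signatures**" should be "the **This number of authorized signatures**"), and "Select **Certificate Request Agent** from in the **Application policy** list" has a stray "from in".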
@ -332,7 +353,7 @@ Sign-in a certificate authority or management workstations with _domain administ
Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials.
1. Open an elevated command prompt.
2. Run `certutil dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
2. Run `certutil dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`.
>[!NOTE]
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
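Review bot: the `>[!NOTE]` marker in this hunk is left without the space that the -282,8 and -316,11 hunks in the same file add (`> [!NOTE]`); normalize it here as well. In the note body, "on our Windows Server 2012 or later certificate authority" should read "on a Windows Server 2012 or later certificate authority", as the hybrid article's copy of this note already does.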
@ -369,14 +390,14 @@ Approximately 60 days prior to enrollment agent certificates expiration, the
### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
> [!NOTE]
> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN)
> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN).
Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
> [!TIP]
> Make sure to change the $enrollmentService and $configNC variables before running the script.
```Powershell
```powershell
# Replace this with your Device Registration Service endpoint
$enrollmentService = "enterpriseregistration.contoso.com"
# Replace this with your Active Directory configuration naming context
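Review bot: lowercasing the fence tag to `powershell` is the right fix for syntax highlighting. In the surrounding text, "Service connection Point", "ADFS device registration Service" and "Active directory" are inconsistently capitalized; suggest "Service Connection Point", "AD FS Device Registration Service" and "Active Directory" to match the heading. Since the note says the management console normally creates the SCP, the tip should also state whether the script is safe to run when the object already exists.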
@ -420,8 +441,8 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation
![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
8. Click **Install** to start the feature installation.
![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
### Configure Network Load Balancing for AD FS
@ -457,7 +478,7 @@ Sign-in the domain controller or administrative workstation with domain administ
3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
6. Close the DNS Management console
6. Close the DNS Management console.
## Configure the Intranet Zone to include the federation service
@ -465,10 +486,10 @@ The Windows Hello provisioning presents web pages from the federation service.
### Create an Intranet Zone Group Policy
Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
1. Start the **Group Policy Management Console** (gpmc.msc)
Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials:
1. Start the **Group Policy Management Console** (gpmc.msc).
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click **Group Policy object** and select **New**
3. Right-click **Group Policy object** and select **New**.
4. Type **Intranet Zone Settings** in the name box and click **OK**.
5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
@ -478,7 +499,7 @@ Sign-in the domain controller or administrative workstation with _Domain Admin_
### Deploy the Intranet Zone Group Policy object
1. Start the **Group Policy Management Console** (gpmc.msc)
1. Start the **Group Policy Management Console** (gpmc.msc).
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
@ -490,8 +511,8 @@ Before you continue with the deployment, validate your deployment progress by re
* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:
* Issuance requirements of an authorized signature from a certificate request agent.
* The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe
* The Windows Hello for Business Users group, or equivalent has the allow enroll permissions
* The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe.
* The Windows Hello for Business Users group, or equivalent has the allow enroll permissions.
* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
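Review bot: two unchanged context lines here carry defects the hunk could have fixed along with the periods: "The Windows Hello for Business Users group, or equivalent has the allow enroll permissions" needs a comma after "equivalent", and "Windows Hello Business authentication certificate template" is missing "for". The item "Windows Hello for Business certificate template—to include:" also uses an em dash where the rest of the list uses plain colons.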
@ -511,7 +532,7 @@ You need to verify the AD FS service has properly enrolled for an enrollment age
### Event Logs
Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show
Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show:
* The account name under which the certificate was enrolled.
* The action, which should read enroll.

View File

@ -19,11 +19,13 @@ ms.reviewer:
# Configure Windows Hello for Business: Active Directory Federation Services
**Applies to**
- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
## Federation Services
The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
@ -45,7 +47,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
@ -57,13 +58,27 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. Open **Active Directory Users and Computers**.
2. Click the **Users** container in the navigation pane.
3. Right-click **Windows Hello for Business Users** group
4. Click the **Members** tab and click **Add**
3. Right-click **Windows Hello for Business Users** group.
4. Click the **Members** tab and click **Add**.
5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
7. Restart the AD FS server.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.
### Section Review
> [!div class="checklist"]
> * Configure the registration authority.
> * Update group memberships for the AD FS service account.
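Review bot: this note is identical to the one added in the on-premises article's -38,6 hunk except for the spelling of "Browse", so the two copies will drift; keep a single copy here (this is the hybrid certificate trust article the note describes) or move it to a shared include. The same wording issues apply: step 5 lacks punctuation between "ClientRoleIdentifier" and "Make a note", and the ClientRoleIdentifier value to look for appears to have been dropped; step 6 has an unclosed quotation mark; "Powershell" should be "PowerShell". It would also help to say that the new 'ugs' scope should be added only to the application permission identified in step 5, not to other client permissions.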

View File

@ -54,7 +54,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
@ -72,18 +72,18 @@ Set-MpPreference -DisableAutoExclusions $true
[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
```WMI
DisableAutoExclusions
```
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
## List of automatic exclusions
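Review bot: the link updates look right, but the heading in this hunk's context still reads "Windows Management Instruction (WMI)"; it should be "Windows Management Instrumentation (WMI)". The code fence tagged `WMI` is not a recognised language and the block contains only a property name; either tag it `powershell` and show a real call, or present `DisableAutoExclusions` as inline code in the sentence above it.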
@ -95,110 +95,110 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
#### Windows "temp.edb" files
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
#### Windows Update files or Automatic Update files
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
#### Windows Security files
- *%windir%*\Security\database\\*.chk
- `%windir%\Security\database\*.chk`
- *%windir%*\Security\database\\*.edb
- `%windir%\Security\database\*.edb`
- *%windir%*\Security\database\\*.jrs
- `%windir%\Security\database\*.jrs`
- *%windir%*\Security\database\\*.log
- `%windir%\Security\database\*.log`
- *%windir%*\Security\database\\*.sdb
- `%windir%\Security\database\*.sdb`
#### Group Policy files
- *%allusersprofile%*\NTUser.pol
- `%allusersprofile%\NTUser.pol`
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
#### WINS files
- *%systemroot%*\System32\Wins\\*\\\*.chk
- `%systemroot%\System32\Wins\*\*.chk`
- *%systemroot%*\System32\Wins\\*\\\*.log
- `%systemroot%\System32\Wins\*\*.log`
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- `%systemroot%\System32\Wins\*\*.mdb`
- *%systemroot%*\System32\LogFiles\
- `%systemroot%\System32\LogFiles\`
- *%systemroot%*\SysWow64\LogFiles\
- `%systemroot%\SysWow64\LogFiles\`
#### File Replication Service (FRS) exclusions
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- `%windir%\Ntfrs\jet\sys\*\edb.chk`
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- `%windir%\Ntfrs\jet\log\*\*.log`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
- *%windir%*\Ntfrs\\*\Edb\*.log
- `%windir%\Ntfrs\*\Edb\*.log`
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- `%systemroot%\Sysvol\*\Nntfrs_cmp*\`
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\`
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
> For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions).
> For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- `%systemdrive%\System Volume Information\DFSR\$db_normal$`
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- `%systemdrive%\System Volume Information\DFSR\*.XML`
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- `%systemdrive%\System Volume Information\DFSR\$db_clean$`
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- `%systemdrive%\System Volume Information\DFSR\*.frx`
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- `%systemdrive%\System Volume Information\DFSR\*.log`
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
#### Process exclusions
- *%systemroot%*\System32\dfsr.exe
- `%systemroot%\System32\dfsr.exe`
- *%systemroot%*\System32\dfsrs.exe
- `%systemroot%\System32\dfsrs.exe`
#### Hyper-V exclusions
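Review bot: the link change in `For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions)` replaces an absolute docs URL with an in-page anchor, which only resolves if this file contains a heading whose slug is exactly `opt-out-of-automatic-exclusions`; confirm that section lives on this page rather than only in the configure-server-exclusions article the old link pointed at. The `Currentcontrolset` to `CurrentControlSet` corrections in the NtFrs and DFSR registry paths are right. Also, the NOTE block sits between the DFSR registry-key item and its `%systemdrive%\System Volume Information\DFSR\...` sub-items, so those entries render as a separate list; placing the note after the list keeps them attached to their parent item.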
@ -206,59 +206,59 @@ This section lists the file type exclusions, folder exclusions, and process excl
- File type exclusions:
- *.vhd
- `*.vhd`
- *.vhdx
- `*.vhdx`
- *.avhd
- `*.avhd`
- *.avhdx
- `*.avhdx`
- *.vsv
- `*.vsv`
- *.iso
- `*.iso`
- *.rct
- `*.rct`
- *.vmcx
- `*.vmcx`
- *.vmrs
- `*.vmrs`
- Folder exclusions:
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- `%ProgramData%\Microsoft\Windows\Hyper-V`
- *%ProgramFiles%*\Hyper-V
- `%ProgramFiles%\Hyper-V`
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- `%Public%\Documents\Hyper-V\Virtual Hard Disks`
- Process exclusions:
- *%systemroot%*\System32\Vmms.exe
- `%systemroot%\System32\Vmms.exe`
- *%systemroot%*\System32\Vmwp.exe
- `%systemroot%\System32\Vmwp.exe`
#### SYSVOL files
- *%systemroot%*\Sysvol\Domain\\*.adm
- `%systemroot%\Sysvol\Domain\*.adm`
- *%systemroot%*\Sysvol\Domain\\*.admx
- `%systemroot%\Sysvol\Domain\*.admx`
- *%systemroot%*\Sysvol\Domain\\*.adml
- `%systemroot%\Sysvol\Domain\*.adml`
- *%systemroot%*\Sysvol\Domain\Registry.pol
- `%systemroot%\Sysvol\Domain\Registry.pol`
- *%systemroot%*\Sysvol\Domain\\*.aas
- `%systemroot%\Sysvol\Domain\*.aas`
- *%systemroot%*\Sysvol\Domain\\*.inf
- `%systemroot%\Sysvol\Domain\*.inf`
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
- *%systemroot%*\Sysvol\Domain\\*.ins
- `%systemroot%\Sysvol\Domain\*.ins`
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
### Active Directory exclusions
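Review bot: the process exclusions `%systemroot%\System32\Vmms.exe` and `%systemroot%\System32\Vmwp.exe` capitalize the file name while the DFSR entries just above use lowercase (`dfsr.exe`, `dfsrs.exe`); Windows file names are case-insensitive so matching is unaffected, but now that the paths are code spans a consistent casing would read better. Wrapping the `*.vhd` style entries in backticks is a good change in itself, since it stops the leading `*` from being parsed as markdown emphasis.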
@ -268,51 +268,51 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- %windir%\Ntds\ntds.dit
- `%windir%\Ntds\ntds.dit`
- %windir%\Ntds\ntds.pat
- `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- %windir%\Ntds\EDB*.log
- `%windir%\Ntds\EDB*.log`
- %windir%\Ntds\Res*.log
- `%windir%\Ntds\Res*.log`
- %windir%\Ntds\Edb*.jrs
- `%windir%\Ntds\Edb*.jrs`
- %windir%\Ntds\Ntds*.pat
- `%windir%\Ntds\Ntds*.pat`
- %windir%\Ntds\TEMP.edb
- `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- %windir%\Ntds\Temp.edb
- `%windir%\Ntds\Temp.edb`
- %windir%\Ntds\Edb.chk
- `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files
- %systemroot%\System32\ntfrs.exe
- `%systemroot%\System32\ntfrs.exe`
- %systemroot%\System32\lsass.exe
- `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- `%systemroot%\System32\DHCP\*\*.mdb`
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- `%systemroot%\System32\DHCP\*\*.pat`
- *%systemroot%*\System32\DHCP\\*\\\*.log
- `%systemroot%\System32\DHCP\*\*.log`
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- `%systemroot%\System32\DHCP\*\*.chk`
- *%systemroot%*\System32\DHCP\\*\\\*.edb
- `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions
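Review bot: `%windir%\Ntds\TEMP.edb` under the transaction log files and `%windir%\Ntds\Temp.edb` under the NTDS working folder name the same file on a case-insensitive file system; while both sections are being converted to code spans, normalize to one spelling (or keep only one entry) so readers do not take them for two files. The DHCP conversion is faithful: `%systemroot%\System32\DHCP\*\*.mdb` is exactly what the escaped `DHCP\\*\\\*.mdb` form rendered as.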
@ -320,27 +320,27 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role
- *%systemroot%*\System32\Dns\\*\\\*.log
- `%systemroot%\System32\Dns\*\*.log`
- *%systemroot%*\System32\Dns\\*\\\*.dns
- `%systemroot%\System32\Dns\*\*.dns`
- *%systemroot%*\System32\Dns\\*\\\*.scc
- `%systemroot%\System32\Dns\*\*.scc`
- *%systemroot%*\System32\Dns\\*\BOOT
- `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role
- *%systemroot%*\System32\dns.exe
- `%systemroot%\System32\dns.exe`
### File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
- `%SystemDrive%\ClusterStorage`
- *%clusterserviceaccount%*\Local Settings\Temp
- `%clusterserviceaccount%\Local Settings\Temp`
- *%SystemDrive%*\mscs
- `%SystemDrive%\mscs`
### Print Server exclusions
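Review bot: the File and Storage Services paragraph states that the list does not include exclusions for the Clustering role, yet the three entries that follow (`%SystemDrive%\ClusterStorage`, `%clusterserviceaccount%\Local Settings\Temp`, `%SystemDrive%\mscs`) are all cluster locations; either the sentence or the list needs correcting. `%clusterserviceaccount%` is also not a real environment variable, and putting it in a code span makes it look like one; add a phrase saying it stands for the profile directory of the cluster service account.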
@ -348,19 +348,19 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions
- *.shd
- `*.shd`
- *.spl
- `*.spl`
#### Folder exclusions
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- *%system32%*\spool\printers\\*
- `%system32%\spool\printers\*`
#### Process exclusions
- spoolsv.exe
- `spoolsv.exe`
### Web Server exclusions
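Review bot: `spoolsv.exe` is the only process exclusion on the page given as a bare file name; every other entry uses a full path such as `%systemroot%\System32\dns.exe`. A name-only entry does not pin the binary to a directory, so `%SystemRoot%\System32\spoolsv.exe` is both tighter and consistent with the rest of the list. Likewise `%system32%` in `%system32%\spool\printers\*` is not a standard Windows environment variable; `%SystemRoot%\System32\spool\printers\*` is the usual spelling, or say explicitly that the path is whatever `DefaultSpoolDirectory` holds.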
@ -368,35 +368,35 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions
- *%SystemRoot%*\IIS Temporary Compressed Files
- `%SystemRoot%\IIS Temporary Compressed Files`
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
- *%systemDrive%*\inetpub\logs
- `%systemDrive%\inetpub\logs`
- *%systemDrive%*\inetpub\wwwroot
- `%systemDrive%\inetpub\wwwroot`
#### Process exclusions
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- `%SystemRoot%\system32\inetsrv\w3wp.exe`
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
- *%SystemDrive%*\PHP5433\php-cgi.exe
- `%SystemDrive%\PHP5433\php-cgi.exe`
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
- `%systemroot%\WSUS\WSUSContent`
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- `%systemroot%\WSUS\UpdateServicesDBFiles`
- *%systemroot%*\SoftwareDistribution\Datastore
- `%systemroot%\SoftwareDistribution\Datastore`
- *%systemroot%*\SoftwareDistribution\Download
- `%systemroot%\SoftwareDistribution\Download`
## Related articles
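Review bot: the folder list mixes `%SystemDrive%` (IIS Temporary Compressed Files, ASP Compiled Templates) with `%systemDrive%` (`%systemDrive%\inetpub\logs`, `%systemDrive%\inetpub\wwwroot`); pick one casing while these lines are being converted. `%SystemDrive%\PHP5433\php-cgi.exe` ties the exclusion to one specific PHP build directory, which deserves a short explanation since most IIS hosts will not have that path.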

View File

@ -58,7 +58,7 @@ There are five locations where you can specify where an endpoint should obtain u
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
> [!IMPORTANT]
> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
> If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).<p>
> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).
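Review bot: the default threshold in the IMPORTANT block changes from 14 to seven consecutive days; make sure the linked "set the number of days before protection is reported as out-of-date" topic states the same default, and since the `(MMPC)` abbreviation is dropped from the link text, check that no later text on this page still refers to MMPC. The trailing `<p>` in the context line ending `...out-of-date).<p>` is stray HTML inside a blockquote and could be removed in the same pass.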

View File

@ -29,7 +29,7 @@ Directory enables enforcing Device compliance and Conditional Access policies
based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
(MTD) solution that you can deploy to leverage this capability via Intune.
For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
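Review bot: while correcting `infomation`, the same sentence should use the verb form `set up` (`how to set up Microsoft Defender ATP for Android and Conditional Access`); `setup` is the noun.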
@ -43,7 +43,7 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)
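Review bot: the new anchor `#configure-web-protection-on-devices-that-run-android` matches the one used in the earlier Intune link, which is consistent. In the context line above it, `allows IT Administrators the ability to configure` is redundant; `lets IT administrators configure the web protection feature` says the same thing.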

View File

@ -35,14 +35,15 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details.
- Ansible needs to be installed on at least on one computer (we will call it the master).
- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- curl
- python-apt
- unzip
- All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file:
```bash
[servers]
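Review bot: `or relevant file` is vague; `/etc/ansible/hosts` is only the default inventory, so say `or the inventory file your Ansible configuration points to (the inventory setting in ansible.cfg, or the -i option on the command line)`. Two context lines in this hunk also need grammar fixes: `installed on at least on one computer` has a duplicated `on`, and `it is recommended be configured with public key authentication` should read `it is recommended that it be configured`.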
@ -79,55 +80,32 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:
Create a subtask or role files that contribute to an playbook or task.
- Copy the onboarding package to all client devices:
- Create the onboarding task, `onboarding_setup.yml`:
```bash
- name: Copy the zip file
copy:
src: /root/WindowsDefenderATPOnboardingPackage.zip
dest: /root/WindowsDefenderATPOnboardingPackage.zip
owner: root
group: root
mode: '0644'
- name: Create MDATP directories
file:
path: /etc/opt/microsoft/mdatp/
recurse: true
state: directory
mode: 0755
owner: root
group: root
- name: Add Microsoft apt signing key
apt_key:
url: https://packages.microsoft.com/keys/microsoft.asc
state: present
when: ansible_os_family == "Debian"
```
- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
```bash
#!/bin/bash
# We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
cd /root || exit 1
# Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
```
- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
```bash
- name: Register mdatp_onboard.json
stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
stat:
path: /etc/opt/microsoft/mdatp/mdatp_onboard.json
register: mdatp_onboard
- name: Copy the setup script file
copy:
src: /root/setup.sh
dest: /root/setup.sh
owner: root
group: root
mode: '0744'
- name: Run a script to create the onboarding file
script: /root/setup.sh
- name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
unarchive:
src: WindowsDefenderATPOnboardingPackage.zip
dest: /etc/opt/microsoft/mdatp
mode: 0600
owner: root
group: root
when: not mdatp_onboard.stat.exists
```
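Review bot: in the new `onboarding_setup.yml`, the `unarchive` task's `dest: /etc/opt/microsoft/mdatp` must already exist on the client (unarchive fails when the destination directory is missing), but the `Create MDATP directories` task that used to create it is removed in this hunk and the package itself has not been installed at this point in the playbook; add a `file:` task with `state: directory` before the unarchive step. `src: WindowsDefenderATPOnboardingPackage.zip` is a bare name that, with `remote_src` unset, is resolved on the control node relative to the role's `files/` directory or the playbook directory, and the prose no longer says where the downloaded package should be placed (the removed text said `/root`); state the expected location. Minor: the fence is tagged `bash` but the content is YAML, and `Create a subtask or role files that contribute to an playbook or task.` should read `Create subtask or role files that contribute to a playbook or task.`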
@ -150,6 +128,12 @@ Create subtask or role files that contribute to an actual task. First create the
> In case of Oracle Linux, replace *[distro]* with “rhel”.
```bash
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
when: ansible_os_family == "Debian"
- name: Add Microsoft apt repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
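Review bot: `apt_key` with `keyserver: https://packages.microsoft.com/` and `id: BC528686B50D79E339D3721CEB3E94ADBE1229CF` asks a keyserver at that host for the key, but packages.microsoft.com is a package repository, not a keyserver, so this lookup is unlikely to succeed; the task removed earlier in this change used `url: https://packages.microsoft.com/keys/microsoft.asc`, which is the form that works. Moving the key task ahead of `apt_repository` is the right ordering, since the repository's cache update needs the key present to verify the release file.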
@ -158,12 +142,6 @@ Create subtask or role files that contribute to an actual task. First create the
filename: microsoft-[channel].list
when: ansible_os_family == "Debian"
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
when: ansible_os_family == "Debian"
- name: Add Microsoft yum repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
@ -175,7 +153,7 @@ Create subtask or role files that contribute to an actual task. First create the
when: ansible_os_family == "RedHat"
```
- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
- Create the Ansible install and uninstall YAML files.
- For apt-based distributions use the following YAML file:
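Review bot: dropping `/etc/ansible/playbooks` from `Create the Ansible install and uninstall YAML files.` leaves the reader without a location, but the install files still include `../roles/onboarding_setup.yml`, a path relative to wherever the playbook lives; either keep a stated layout (a playbooks directory beside the roles directory) or say that the include paths must match the layout the reader chooses.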
@ -183,8 +161,7 @@ Create subtask or role files that contribute to an actual task. First create the
$ cat install_mdatp.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/onboarding_setup.yml
- include: ../roles/add_apt_repo.yml
- apt:
name: mdatp
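Review bot: `- include: ../roles/onboarding_setup.yml` keeps the deprecated `include` keyword while the line is being rewritten; `import_tasks:` (static) or `include_tasks:` (dynamic) is the supported replacement in current Ansible, and the same applies to the `add_apt_repo.yml` line and to the yum playbook below.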
@ -207,8 +184,7 @@ Create subtask or role files that contribute to an actual task. First create the
$ cat install_mdatp_yum.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/onboarding_setup.yml
- include: ../roles/add_yum_repo.yml
- yum:
name: mdatp
@ -227,7 +203,7 @@ Create subtask or role files that contribute to an actual task. First create the
## Deployment
Now run the tasks files under `/etc/ansible/playbooks/`.
Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Installation:
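Review bot: `or relevant directory` is vague for the same reason as the `or relevant file` change in the prerequisites: the playbooks include `../roles/onboarding_setup.yml` relative to their own location, so say `or the directory where you created them, keeping the ../roles/ layout the includes expect`.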

View File

@ -39,7 +39,7 @@ There are several methods and deployment tools that you can use to install and c
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal.
- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md).
- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
- The command-line tool:
- [Manual deployment](linux-install-manually.md)