deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 22:33:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into wip-dep

Browse Source
This commit is contained in:
Joey Caparas
2020-04-06 09:30:45 -07:00
parent 681f9c7c17 f7aef59bc3
commit a3b0df4ee3
242 changed files with 2851 additions and 1348 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -151,8 +151,8 @@ function CheckExemption($_ModName)
}
function CheckFailedDriver($_ModName, $CIStats)''
{''
function CheckFailedDriver($_ModName, $CIStats)
{
Log "Module: " $_ModName.Trim()
if(CheckExemption($_ModName.Trim()) - eq 1)
{
@ -959,7 +959,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""

6
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -154,6 +154,9 @@ These procedures configure NTFS and share permissions on the web server to allow
![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
9. In the **Advanced Sharing** dialog box, click **OK**.
> [!Tip]
> Make sure that users can access **\\\Server FQDN\sharename**.
#### Disable Caching
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
@ -325,6 +328,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
14. Click **Save**
15. Sign-out of the Azure portal.
> [!IMPORTANT]
> For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication).
## Section Review
> [!div class="checklist"]
> * Configure Internet Information Services to host CRL distribution point

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
View File

@ -122,11 +122,9 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
>
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
#### Azure MFA Provider
If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
#### Configure Azure MFA Settings
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review [How to require two-step verification for a user](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
View File

@ -37,7 +37,7 @@ You are ready to configure device registration for your hybrid environment. Hybr
## Configure Azure for Device Registration
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/)
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/).
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
@ -49,7 +49,7 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*You are here*)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -102,8 +102,8 @@ Organizations using older directory synchronization technology, such as DirSync
<br>
## Federation with Azure ##
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
## Federation with Azure
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/whatis-phs) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later.
> [!div class="checklist"]
> * Non-federated environments

14
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -53,7 +53,7 @@ This table provides info about the most common problems you might encounter whil
</tr>
<tr>
<td>WIP is designed for use by a single user per device.</td>
<td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.</td>
<td>We recommend only having one user per managed device.</td>
</tr>
<tr>
@ -121,17 +121,25 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>Only enlightened apps can be managed without device enrollment
</td>
<td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintenionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
<td>If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.</td>
<td>If all apps need to be managed, enroll the device for MDM.
</td>
</tr>
<tr>
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can&#39;t access it.<br/> </td>
<td>By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can&#39;t access it.<br/> </td>
<td>Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
</td>
<td>If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
</td>
</tr>
<tr>
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
</td>
<td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
</td>
<td>It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
</td>
</tr>
</table>
> [!NOTE]

12
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -172,17 +172,7 @@ You can try any of the processes included in these scenarios, but you should foc
</ul>
</td>
</tr>
<tr>
<td>Stop Google Drive from syncing WIP protected files and folders.</td>
<td>
<ul>
<li>In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.</li>
<li>Google Drive details</li>
Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US
File=GOOGLEDRIVESYNC.EXE
</ul>
</td>
</tr>
</table>
>[!NOTE]

614
windows/security/threat-protection/TOC.md
View File

@ -6,101 +6,340 @@
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
### [Preview features](microsoft-defender-atp/preview.md)
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md)
## [Deployment strategy](microsoft-defender-atp/deployment-strategy.md)
## [Plan deployment](microsoft-defender-atp/deployment-strategy.md)
## [Deployment guide]()
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
### [Phase 2: Setup](microsoft-defender-atp/production-deployment.md)
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
## [Security administration]()
### [Threat & Vulnerability Management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
### [Configuration score](microsoft-defender-atp/configuration-score.md)
### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
### [Attack surface reduction]()
#### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
#### [Attack surface reduction evaluation](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
#### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
#### [Attack surface reduction controls]()
##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md)
##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
##### [Customize attack surface reduction rules](microsoft-defender-atp/customize-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
##### [Hardware-based isolation evaluation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application isolation]()
###### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
###### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
###### [Audit Application control policies](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
#### [Device control]()
##### [Control USB devices](device-control/control-usb-devices-using-intune.md)
##### [Device Guard]()
###### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
#### [Exploit protection]()
##### [Protect devices from exploits](microsoft-defender-atp/exploit-protection.md)
##### [Exploit protection evaluation](microsoft-defender-atp/evaluate-exploit-protection.md)
#### [Network protection]()
##### [Protect your network](microsoft-defender-atp/network-protection.md)
##### [Network protection evaluation](microsoft-defender-atp/evaluate-network-protection.md)
#### [Web protection]()
##### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
##### [Web threat protection]()
###### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
###### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
###### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
##### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
#### [Controlled folder access]()
##### [Protect folders](microsoft-defender-atp/controlled-folders.md)
##### [Controlled folder access evaluation](microsoft-defender-atp/evaluate-controlled-folder-access.md)
#### [Network firewall]()
##### [Network firewall overview](windows-firewall/windows-firewall-with-advanced-security.md)
##### [Network firewall evaluation](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
### [Next-generation protection]()
#### [Next-generation protection overview](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
#### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
#### [Configure next-generation protection]()
##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection]()
####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business]()
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation]()
###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
#### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
#### [What's New](microsoft-defender-atp/mac-whatsnew.md)
#### [Deploy]()
##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
##### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
##### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
##### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
#### [Update](microsoft-defender-atp/mac-updates.md)
#### [Configure]()
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
##### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
##### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
##### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
#### [Privacy](microsoft-defender-atp/mac-privacy.md)
#### [Resources](microsoft-defender-atp/mac-resources.md)
### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
#### [What's New](microsoft-defender-atp/linux-whatsnew.md)
#### [Deploy]()
##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
##### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
##### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
#### [Update](microsoft-defender-atp/linux-updates.md)
#### [Configure]()
##### [Configure and validate exclusions](microsoft-defender-atp/linux-exclusions.md)
##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
##### [Set preferences](microsoft-defender-atp/linux-preferences.md)
#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
#### [Resources](microsoft-defender-atp/linux-resources.md)
### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
## [Security operations]()
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
### [Incidents queue]()
#### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
#### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
#### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
### [Alerts queue]()
#### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
#### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
#### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
#### [Investigate files](microsoft-defender-atp/investigate-files.md)
#### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
#### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
#### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
##### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
#### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
### [Endpoint detection and response]()
#### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md)
#### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md)
#### [Incidents queue]()
##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md)
##### [Manage incidents](microsoft-defender-atp/manage-incidents.md)
##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md)
#### [Alerts queue]()
##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md)
##### [Manage alerts](microsoft-defender-atp/manage-alerts.md)
##### [Investigate alerts](microsoft-defender-atp/investigate-alerts.md)
##### [Investigate files](microsoft-defender-atp/investigate-files.md)
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
##### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
##### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
#### [Take response actions]()
##### [Take response actions on a machine]()
###### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
###### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
###### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
###### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
###### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
###### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
###### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
###### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
###### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
##### [Take response actions on a file]()
###### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
###### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
###### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
###### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
###### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
###### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
###### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
###### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
###### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
###### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
###### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
### [Machines list]()
#### [View and organize the Machines list](microsoft-defender-atp/machines-view-overview.md)
#### [Manage machine group and tags](microsoft-defender-atp/machine-tags.md)
#### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
##### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
### [Take response actions]()
#### [Take response actions on a machine]()
##### [Response actions on machines](microsoft-defender-atp/respond-machine-alerts.md)
##### [Manage tags](microsoft-defender-atp/respond-machine-alerts.md#manage-tags)
##### [Initiate an automated investigation](microsoft-defender-atp/respond-machine-alerts.md#initiate-automated-investigation)
##### [Initiate Live Response session](microsoft-defender-atp/respond-machine-alerts.md#initiate-live-response-session)
##### [Collect investigation package](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
##### [Run antivirus scan](microsoft-defender-atp/respond-machine-alerts.md#run-windows-defender-antivirus-scan-on-machines)
##### [Restrict app execution](microsoft-defender-atp/respond-machine-alerts.md#restrict-app-execution)
##### [Isolate machines from the network](microsoft-defender-atp/respond-machine-alerts.md#isolate-machines-from-the-network)
##### [Consult a threat expert](microsoft-defender-atp/respond-machine-alerts.md#consult-a-threat-expert)
##### [Check activity details in Action center](microsoft-defender-atp/respond-machine-alerts.md#check-activity-details-in-action-center)
#### [Take response actions on a file]()
##### [Response actions on files](microsoft-defender-atp/respond-file-alerts.md)
##### [Stop and quarantine files in your network](microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network)
##### [Restore file from quarantine](microsoft-defender-atp/respond-file-alerts.md#restore-file-from-quarantine)
##### [Add indicators to block or allow a file](microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
##### [Consult a threat expert](microsoft-defender-atp/respond-file-alerts.md#consult-a-threat-expert)
##### [Check activity details in Action center](microsoft-defender-atp/respond-file-alerts.md#check-activity-details-in-action-center)
##### [Download or collect file](microsoft-defender-atp/respond-file-alerts.md#download-or-collect-file)
##### [Deep analysis](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
##### [Submit files for analysis](microsoft-defender-atp/respond-file-alerts.md#submit-files-for-analysis)
##### [View deep analysis reports](microsoft-defender-atp/respond-file-alerts.md#view-deep-analysis-reports)
##### [Troubleshoot deep analysis](microsoft-defender-atp/respond-file-alerts.md#troubleshoot-deep-analysis)
### [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md)
#### [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md)
#### [Investigate entities using Live response]()
##### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Investigate entities using Live response]()
#### [Investigate entities on machines](microsoft-defender-atp/live-response.md)
#### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
#### [Reporting]()
##### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
##### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
##### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
#### [Custom detections]()
##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
### [Automated investigation and response]()
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
### [Advanced hunting]()
#### [Advanced hunting overview](microsoft-defender-atp/advanced-hunting-overview.md)
@ -128,17 +367,13 @@
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Reporting]()
#### [Power BI - How to use API - Samples](microsoft-defender-atp/api-power-bi.md)
#### [Create and build Power BI reports using Microsoft Defender ATP data connectors (deprecated)](microsoft-defender-atp/powerbi-reports.md)
#### [Threat protection reports](microsoft-defender-atp/threat-protection-reports.md)
#### [Machine health and compliance reports](microsoft-defender-atp/machine-reports.md)
### [Threat analytics](microsoft-defender-atp/threat-analytics.md)
### [Custom detections]()
#### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md)
#### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md)
@ -174,171 +409,6 @@
#### [Increase compliance to the security baseline](microsoft-defender-atp/configure-machines-security-baseline.md)
#### [Optimize ASR rule deployment and detections](microsoft-defender-atp/configure-machines-asr.md)
### [Manage capabilities]()
#### [Configure attack surface reduction]()
##### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md)
#### [Hardware-based isolation]()
##### [System isolation](windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md)
##### [Application isolation]()
###### [Install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
###### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Device control]()
###### [Control USB devices](device-control/control-usb-devices-using-intune.md)
###### [Device Guard]()
####### [Code integrity](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
####### [Memory integrity]()
######## [Understand memory integrity](device-guard/memory-integrity.md)
######## [Hardware qualifications](device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
######## [Enable HVCI](device-guard/enable-virtualization-based-protection-of-code-integrity.md)
##### [Exploit protection]()
###### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
###### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
###### [Import/export configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
##### [Network protection](microsoft-defender-atp/enable-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/enable-controlled-folders.md)
##### [Attack surface reduction controls]()
###### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md)
###### [Customize attack surface reduction](microsoft-defender-atp/customize-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)
#### [Configure next-generation protection]()
##### [Configure Windows Defender Antivirus features](windows-defender-antivirus/configure-windows-defender-antivirus-features.md)
##### [Utilize Microsoft cloud-delivered protection](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
###### [Enable cloud-delivered protection](windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md)
###### [Specify the cloud-delivered protection level](windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md)
###### [Configure and validate network connections](windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md)
###### [Prevent security settings changes with tamper protection](windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md)
###### [Enable Block at first sight](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
###### [Configure the cloud block timeout period](windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md)
##### [Configure behavioral, heuristic, and real-time protection]()
###### [Configuration overview](windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md)
###### [Detect and block Potentially Unwanted Applications](windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
###### [Enable and configure always-on protection and monitoring](windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md)
##### [Antivirus on Windows Server 2016](windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md)
##### [Antivirus compatibility]()
###### [Compatibility charts](windows-defender-antivirus/windows-defender-antivirus-compatibility.md)
###### [Use limited periodic antivirus scanning](windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md)
##### [Deploy, manage updates, and report on antivirus]()
###### [Preparing to deploy](windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md)
###### [Deploy and enable antivirus](windows-defender-antivirus/deploy-windows-defender-antivirus.md)
####### [Deployment guide for VDI environments](windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md)
###### [Report on antivirus protection]()
####### [Review protection status and alerts](windows-defender-antivirus/report-monitor-windows-defender-antivirus.md)
####### [Troubleshoot antivirus reporting in Update Compliance](windows-defender-antivirus/troubleshoot-reporting.md)
###### [Manage updates and apply baselines]()
####### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
####### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
####### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
####### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
####### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
####### [Manage updates for mobile devices and VMs](windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning antivirus options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
##### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage antivirus in your business]()
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Group Policy settings to configure and manage antivirus](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage antivirus](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to configure and manage antivirus](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to configure and manage antivirus](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe commandline tool to configure and manage antivirus](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
##### [Manage scans and remediation]()
###### [Management overview](windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
####### [Exclusions overview](windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions based on file name, extension, and folder location](windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
####### [Configure and validate exclusions for files opened by processes](windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md)
####### [Configure antivirus exclusions on Windows Server 2016](windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md)
###### [Configure scanning options](windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md)
##### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure remediation for scans](windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md)
###### [Configure scheduled scans](windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md)
###### [Configure and run scans](windows-defender-antivirus/run-scan-windows-defender-antivirus.md)
###### [Review scan results](windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md)
###### [Run and review the results of an offline scan](windows-defender-antivirus/windows-defender-offline.md)
###### [Restore quarantined files](windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md)
##### [Manage next-generation protection in your business]()
###### [Handle false positives/negatives in Windows Defender Antivirus](windows-defender-antivirus/antivirus-false-positives-negatives.md)
###### [Management overview](windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md)
###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next generation protection](windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md)
###### [Use Group Policy settings to manage next generation protection](windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md)
###### [Use PowerShell cmdlets to manage next generation protection](windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md)
###### [Use Windows Management Instrumentation (WMI) to manage next generation protection](windows-defender-antivirus/use-wmi-windows-defender-antivirus.md)
###### [Use the mpcmdrun.exe command line tool to manage next generation protection](windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md)
#### [Microsoft Defender Advanced Threat Protection for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md)
##### [What's New](microsoft-defender-atp/mac-whatsnew.md)
##### [Deploy]()
###### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md)
###### [JAMF-based deployment](microsoft-defender-atp/mac-install-with-jamf.md)
###### [Deployment with a different Mobile Device Management (MDM) system](microsoft-defender-atp/mac-install-with-other-mdm.md)
###### [Manual deployment](microsoft-defender-atp/mac-install-manually.md)
##### [Update](microsoft-defender-atp/mac-updates.md)
##### [Configure]()
###### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
###### [Set preferences](microsoft-defender-atp/mac-preferences.md)
###### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Troubleshoot]()
###### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
###### [Troubleshoot performance issues](microsoft-defender-atp/mac-support-perf.md)
###### [Troubleshoot kernel extension issues](microsoft-defender-atp/mac-support-kext.md)
###### [Troubleshoot license issues](microsoft-defender-atp/mac-support-license.md)
##### [Privacy](microsoft-defender-atp/mac-privacy.md)
##### [Resources](microsoft-defender-atp/mac-resources.md)
#### [Microsoft Defender Advanced Threat Protection for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md)
##### [Deploy]()
###### [Manual deployment](microsoft-defender-atp/linux-install-manually.md)
###### [Puppet based deployment](microsoft-defender-atp/linux-install-with-puppet.md)
###### [Ansible based deployment](microsoft-defender-atp/linux-install-with-ansible.md)
##### [Update](microsoft-defender-atp/linux-updates.md)
##### [Configure]()
###### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md)
###### [Set preferences](microsoft-defender-atp/linux-preferences.md)
##### [Resources](microsoft-defender-atp/linux-resources.md)
#### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)
### [Configure portal settings]()
#### [Set up preferences](microsoft-defender-atp/preferences-setup.md)
#### [General]()
@ -376,51 +446,7 @@
## Reference
### [Capabilities]()
#### [Threat & Vulnerability Management]()
##### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
##### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Attack surface reduction]()
##### [Overview of attack surface reduction](microsoft-defender-atp/overview-attack-surface-reduction.md)
##### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md)
##### [Hardware-based isolation]()
###### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
###### [Application isolation]()
####### [Application guard overview](windows-defender-application-guard/wd-app-guard-overview.md)
####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md)
###### [System integrity](windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md)
##### [Application control](windows-defender-application-control/windows-defender-application-control.md)
##### [Exploit protection](microsoft-defender-atp/exploit-protection.md)
##### [Network protection](microsoft-defender-atp/network-protection.md)
##### [Web protection]()
###### [Web protection overview](microsoft-defender-atp/web-protection-overview.md)
###### [Web threat protection]()
####### [Web threat protection overview](microsoft-defender-atp/web-threat-protection.md)
####### [Monitor web security](microsoft-defender-atp/web-protection-monitoring.md)
####### [Respond to web threats](microsoft-defender-atp/web-protection-response.md)
###### [Web content filtering](microsoft-defender-atp/web-content-filtering.md)
##### [Controlled folder access](microsoft-defender-atp/controlled-folders.md)
##### [Attack surface reduction](microsoft-defender-atp/attack-surface-reduction.md)
##### [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
#### [Next-generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
##### [Better together: Windows Defender Antivirus and Microsoft Defender ATP](windows-defender-antivirus/why-use-microsoft-antivirus.md)
##### [Better together: Windows Defender Antivirus and Office 365](windows-defender-antivirus/office-365-windows-defender-antivirus.md)
#### [Endpoint detection and response](microsoft-defender-atp/overview-endpoint-detection-response.md)
##### [Shadow protection](windows-defender-antivirus/shadow-protection.md)
#### [Overview of AIR](microsoft-defender-atp/automated-investigations.md)
### [Management and APIs]()
#### [Overview of management and APIs](microsoft-defender-atp/management-apis.md)
@ -591,28 +617,9 @@
### [Information protection in Windows overview]()
#### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md)
#### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
##### [Hardware-based isolation](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
##### [Application control](windows-defender-application-control/audit-windows-defender-application-control-policies.md)
##### [Exploit protection](microsoft-defender-atp/evaluate-exploit-protection.md)
##### [Network Protection](microsoft-defender-atp/evaluate-network-protection.md)
##### [Controlled folder access](microsoft-defender-atp/evaluate-controlled-folder-access.md)
##### [Attack surface reduction](microsoft-defender-atp/evaluate-attack-surface-reduction.md)
##### [Network firewall](windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md)
##### [Evaluate next-generation protection](windows-defender-antivirus/evaluate-windows-defender-antivirus.md)
### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md)
### [Helpful resources](microsoft-defender-atp/helpful-resources.md)
@ -696,6 +703,9 @@
#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
#### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)
### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)

4
windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
View File

@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
> **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |

24
windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md
View File

@ -30,13 +30,19 @@ Windows Defender Antivirus is the [next generation protection](https://www.youtu
**Download the latest transparency report: [Examining industry test results, November 2019](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)**
### AV-TEST: Protection score of 6.0/6.0 in the latest test
### AV-TEST: Protection score of 5.5/6.0 in the latest test
The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The following scores are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
- January - February 2020 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2020/microsoft-windows-defender-antivirus-4.18-200614/) <sup>**Latest**</sup>
Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 13,889 malware samples used. This industry-leading antivirus solution has consistently achieved a perfect Protection score in all AV-TEST cycles in the past 14 months.
Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, with 21,008 malware samples used.
- November - December 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2019/microsoft-windows-defender-antivirus-4.18-195015/)
- September - October 2019 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2019/microsoft-windows-defender-antivirus-4.18-194115/)
- July — August 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2019/microsoft-windows-defender-antivirus-4.18-193215/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- May — June 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2019/microsoft-windows-defender-antivirus-4.18-192415/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
@ -52,9 +58,11 @@ The AV-TEST Product Review and Certification Report tests on three categories: p
Business Security Test consists of three main parts: the Real-World Protection Test that mimics online malware attacks, the Malware Protection Test where the malware enters the system from outside the internet (for example by USB), and the Performance Test that looks at the impact on the system's performance.
- Business Security Test 2019 (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp) <sup>**Latest**</sup>
- Business Security Test 2019 (August — November): [Real-World Protection Rate 99.6%](https://www.av-comparatives.org/tests/business-security-test-2019-august-november/) <sup>**Latest**</sup>
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.9% in the latest test.
Windows Defender Antivirus has scored consistently high in Real-World Protection Rates over the past year, with 99.6% in the latest test.
- Business Security Test 2019 Factsheet (August — September): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-august-september-2019-factsheet/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Business Security Test 2019 (March — June): [Real-World Protection Rate 99.9%](https://www.av-comparatives.org/tests/business-security-test-2019-march-june/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)
@ -66,9 +74,11 @@ Business Security Test consists of three main parts: the Real-World Protection T
SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services.
- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Enterprise Endpoint Protection October — December 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/oct-dec-2019-enterprise.pdf) <sup>**pdf**</sup>
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but one public threat.
Microsoft's next-gen protection was named one of the leading products, stopping all targeted attacks and all but two public threats.
- Enterprise Endpoint Protection July — September 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/jul-sep-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4kagp)
- Enterprise Endpoint Protection April — June 2019: [AAA award](https://selabs.uk/download/enterprise/epp/2019/apr-jun-2019-enterprise.pdf) <sup>**pdf**</sup> | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE3Esbl)

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Advanced hunting query best practices

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceFileEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceImageLoadEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceInfo

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceLogonEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceNetworkEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceNetworkInfo

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceProcessEvents

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# DeviceRegistryEvents

90
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Learn the advanced hunting query language
@ -32,64 +31,87 @@ Advanced hunting is based on the [Kusto query language](https://docs.microsoft.c
In Microsoft Defender Security Center, go to **Advanced hunting** to run your first query. Use the following example:
```kusto
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
// Finds PowerShell execution events that could involve a download
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
// Suspicious commands
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
```
This is how it will look like in advanced hunting.
![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example.png)
![Image of Microsoft Defender ATP advanced hunting query](images/advanced-hunting-query-example-2.png)
### Describe the query and specify the table to search
The query starts with a short comment describing what it is for. This helps if you later decide to save your query and share it with others in your organization.
### Describe the query and specify the tables to search
A short comment has been added to the beginning of the query to describe what it is for. This helps if you later decide to save the query and share it with others in your organization.
```kusto
// Finds PowerShell execution events that could involve a download.
DeviceProcessEvents
// Finds PowerShell execution events that could involve a download
```
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by adding with the table name `DeviceProcessEvents` and add piped elements as needed.
The query itself will typically start with a table name followed by a series of elements started by a pipe (`|`). In this example, we start by creating a union of two tables, `DeviceProcessEvents` and `DeviceNetworkEvents`, and add piped elements as needed.
```kusto
union DeviceProcessEvents, DeviceNetworkEvents
```
### Set the time range
The first piped element is a time filter scoped within the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
The first piped element is a time filter scoped to the previous seven days. Keeping the time range as narrow as possible ensures that queries perform well, return manageable results, and don't time out.
```kusto
| where Timestamp > ago(7d)
```
### Search for specific executable files
The time range is immediately followed by a search for files representing the PowerShell application.
```kusto
| where FileName in ("powershell.exe", "POWERSHELL.EXE", "powershell_ise.exe", "POWERSHELL_ISE.EXE")
### Check specific processes
The time range is immediately followed by a search for process file names representing the PowerShell application.
```
### Search for specific command lines
Afterwards, the query looks for command lines that are typically used with PowerShell to download files.
```kusto
| where ProcessCommandLine has "Net.WebClient"
or ProcessCommandLine has "DownloadFile"
or ProcessCommandLine has "Invoke-WebRequest"
or ProcessCommandLine has "Invoke-Shellcode"
or ProcessCommandLine contains "http:"
// Pivoting on PowerShell processes
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
```
### Select result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns and `top` limits the number of results, making the results well-formatted and reasonably large and easy to process.
### Search for specific command strings
Afterwards, the query looks for strings in command lines that are typically used to download files using PowerShell.
```kusto
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
// Suspicious commands
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
```
### Customize result columns and length
Now that your query clearly identifies the data you want to locate, you can add elements that define what the results look like. `project` returns specific columns, and `top` limits the number of results. These operators help ensure the results are well-formatted and reasonably large and easy to process.
```kusto
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
| top 100 by Timestamp
```
Click **Run query** to see the results. You can expand the screen view so you can focus on your hunting query and the results.
Click **Run query** to see the results. Select the expand icon at the top right of the query editor to focus on your hunting query and the results.
![Image of the Expand control in the advanced hunting query editor](images/advanced-hunting-expand.png)
>[!TIP]
>You can view query results as charts and quickly adjust filters. For guidance, [read about working with query results](advanced-hunting-query-results.md)
## Learn common query operators for advanced hunting

1
windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md
View File

@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 10/08/2019
---
# Use shared queries in advanced hunting

13
windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md
View File

@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
ms.date: 03/27/2020
---
# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
@ -27,6 +27,9 @@ ms.date: 04/24/2018
The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.
>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
There are several options you can choose from to customize the alerts queue view.
On the top navigation you can:
@ -45,10 +48,10 @@ You can apply the following filters to limit the list of alerts and get a more f
Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.

1
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md
View File

@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 10/15/2018
ms.reviewer:
manager: dansimp
ms.custom: asr

5
windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md
View File

@ -101,7 +101,7 @@ The following sections describe each of the 15 attack surface reduction rules. T
[Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Supported
[Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | c1db55ab-c21a-4637-bb3f-a12568109d35 | Supported
[Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Supported
[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Not supported
[Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | d1e49aac-8f56-4280-b9ba-993a6d77406c | Supported
[Block untrusted and unsigned processes that run from USB](#block-untrusted-and-unsigned-processes-that-run-from-usb) | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Supported
[Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Supported
[Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Supported
@ -273,9 +273,6 @@ GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2
This rule blocks processes created through [PsExec](https://docs.microsoft.com/sysinternals/downloads/psexec) and [WMI](https://docs.microsoft.com/windows/win32/wmisdk/about-wmi) from running. Both PsExec and WMI can remotely execute code, so there is a risk of malware abusing this functionality for command and control purposes, or to spread an infection throughout an organization's network.
> [!IMPORTANT]
> File and folder exclusions do not apply to this attack surface reduction rule.
> [!WARNING]
> Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr) because this rule blocks WMI commands the Configuration Manager client uses to function correctly.

33
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -25,7 +25,7 @@ ms.topic: conceptual
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score.
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects the collective security configuration state of your machines across the following categories:
Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your machines across the following categories:
- Application
- Operating system
@ -33,7 +33,7 @@ Your Configuration score is visible in the [Threat & Vulnerability Management da
- Accounts
- Security controls
A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks.
Select a category to go to the [**Security recommendations**](tvm-security-recommendation.md) page and view the relevant recommendations.
## How it works
@ -43,35 +43,31 @@ A higher configuration score means your endpoints are more resilient from cybers
The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction) by remediating the misconfiguration
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
- Collect and maintain best practice configuration benchmarks (vendors, security feeds, internal research teams)
- Collect and monitor changes of security control configuration state from all assets
From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
## Improve your security configuration
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
1. From the Configuration score card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md), select **Security controls**. The [**Security recommendations**](tvm-security-recommendation.md) page opens to shows the list of recommendations related to security controls.
1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
![Security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to an email for follow-up.
>![Request remediation](images/tvm_request_remediation.png).
You will see a confirmation message that the remediation task has been created.
4. **Submit request**. You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
5. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Review the machine **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
@ -86,17 +82,14 @@ You can improve your security configuration when you remediate issues from the s
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)

14
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -38,8 +38,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Transparent proxy
- Web Proxy Auto-discovery Protocol (WPAD)
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
> [!NOTE]
> If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
- Manual static proxy configuration:
- Registry based configuration
@ -120,6 +120,16 @@ United States | ```us.vortex-win.data.microsoft.com``` <br> ```ussus1eastprod.bl
If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs.
### Log analytics agent requirements
The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016.
|Agent Resource|Ports |Direction |Bypass HTTPS inspection|
|------|---------|--------|--------|
|*.ods.opinsights.azure.com |Port 443 |Outbound|Yes |
|*.oms.opinsights.azure.com |Port 443 |Outbound|Yes |
|*.blob.core.windows.net |Port 443 |Outbound|Yes |
## Microsoft Defender ATP service backend IP range
If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information.

16
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -25,7 +25,7 @@ ms.topic: article
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server, 2019
- Windows Server, 2019 and later
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink)
@ -38,7 +38,7 @@ The service supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows Server 2019
- Windows Server 2019 and later
For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128).
@ -113,7 +113,7 @@ The following steps are required to enable this integration:
On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**.
- [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings).
3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md).
Once completed, you should see onboarded servers in the portal within an hour.
@ -153,11 +153,13 @@ Support for Windows Server, version 1803 and Windows 2019 provides deeper insigh
b. Run the following PowerShell command to verify that the passive mode was configured:
```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
```PowerShell
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}
```
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
3. Run the following command to check if Windows Defender AV is installed:
@ -172,8 +174,8 @@ Microsoft Defender ATP integrates with Azure Security Center to provide a compre
The following capabilities are included in this integration:
- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding).
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
> [!NOTE]
> Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016.
- Servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console.
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-expand.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/advanced-hunting-query-example.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 36 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/cve-detection-logic.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/eos-upcoming-eos.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 17 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/remediation_swupdatefilter.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 305 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/software-drilldown-eos.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 97 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-discovered-vulnerabilities.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-top-vulnerable-software500.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-weaknesses-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 105 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machine_page_flyout.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 37 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_machineslist.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 51 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_request_remediation.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 47 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/version-eos-date.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/windows-server-drilldown.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 179 KiB

118
windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md Normal file
View File

@ -0,0 +1,118 @@
---
title: Configure and validate exclusions for Microsoft Defender ATP for Linux
description: Provide and validate exclusions for Microsoft Defender ATP for Linux. Exclusions can be set for files, folders, and processes.
keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configure and validate exclusions for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring.
> [!IMPORTANT]
> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections.
You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans.
Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux.
> [!WARNING]
> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
## Supported exclusion types
The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux.
Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | `.test`
File | A specific file identified by the full path | `/var/log/test.log`<br/>`/var/log/*.log`<br/>`/var/log/install.?.log`
Folder | All files under the specified folder | `/var/log/`<br/>`/var/*/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`<br/>`c?t`
File, folder, and process exclusions support the following wildcards:
Wildcard | Description | Example | Matches
---|---|---|---
\* | Matches any number of any characters including none | `/var/\*/\*.log` | `/var/log/system.log`
? | Matches any single character | `file?.log` | `file1.log`<br/>`file2.log`
## How to configure the list of exclusions
### From the management console
For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
### From the command line
Run the following command to see the available switches for managing exclusions:
```bash
$ mdatp --exclusion
```
Examples:
- Add an exclusion for a file extension:
```bash
$ mdatp --exclusion --add-extension .txt
Configuration updated successfully
```
- Add an exclusion for a file:
```bash
$ mdatp --exclusion --add-folder /var/log/dummy.log
Configuration updated successfully
```
- Add an exclusion for a folder:
```bash
$ mdatp --exclusion --add-folder /var/log/
Configuration updated successfully
```
- Add an exclusion for a process:
```bash
$ mdatp --exclusion --add-process cat
Configuration updated successfully
```
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
```
If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.

4
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -79,7 +79,7 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. First create the `copy_onboarding_pkg.yml` file under the `/etc/ansible/roles` directory:
Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:
- Copy the onboarding package to all client machines:
@ -158,7 +158,7 @@ Create subtask or role files that contribute to an actual task. First create the
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229C
id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
when: ansible_os_family == "Debian"
- name: Add Microsoft yum repository for MDATP

2
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
View File

@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configuring Microsoft Defender ATP for static proxy discovery
# Configure Microsoft Defender ATP for Linux for static proxy discovery
**Applies to:**

91
windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md Normal file
View File

@ -0,0 +1,91 @@
---
title: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
ms.reviewer:
description: Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
keywords: microsoft, defender, atp, linux, cloud, connectivity, communication
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
## Run the connectivity test
To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line:
```bash
$ mdatp --connectivity-test
```
If the connectivity test fails, check if the machine has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
## Troubleshooting steps for environments without proxy or with transparent proxy
To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
```bash
curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to:
```
OK https://x.cp.wd.microsoft.com/api/report
OK https://cdn.x.cp.wd.microsoft.com/ping
```
## Troubleshooting steps for environments with static proxy
> [!WARNING]
> PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used.
>
> Intercepting proxies are also not supported for security reasons. Configure your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your proxy certificate to the global store will not allow for interception.
If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port:
```bash
$ curl -x http://proxy_address:port -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
Ensure that you use the same proxy address and port as configured in the `/lib/system/system/mdatp.service` file. Check your proxy configuration if there are errors from the above commands.
To use a static proxy, the `mdatp.service` file must be modified. Ensure the leading `#` is removed to uncomment the following line from `/lib/systemd/system/mdatp.service`:
```bash
#Environment="HTTPS_PROXY=http://address:port"
```
Also ensure that the correct static proxy address is filled in to replace `address:port`.
If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting:
```bash
$ sudo systemctl daemon-reload; sudo systemctl restart mdatp
```
Upon success, attempt another connectivity test from the command line:
```bash
$ mdatp --connectivity-test
```
If the problem persists, contact customer support.
## Resources
- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md).

121
windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Troubleshoot installation issues for Microsoft Defender ATP for Linux
ms.reviewer:
description: Troubleshoot installation issues for Microsoft Defender ATP for Linux
keywords: microsoft, defender, atp, linux, installation
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot installation issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
## Verify if installation succeeded
An error in installation may or may not result in a meaningful error message by the package manager. To verify if the installation succeeded, one can obtain and check the installation logs using:
```bash
$ sudo journalctl | grep 'microsoft-mdatp' > installation.log
$ grep 'postinstall end' installation.log
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
An output from the previous command with correct date and time of installation indicates success.
Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
## Installation failed
Check if the mdatp service is running
```bash
$ systemctl status mdatp
● mdatp.service - Microsoft Defender ATP
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2020-03-26 10:37:30 IST; 23h ago
Main PID: 1966 (wdavdaemon)
Tasks: 105 (limit: 4915)
CGroup: /system.slice/mdatp.service
├─1966 /opt/microsoft/mdatp/sbin/wdavdaemon
├─1967 /opt/microsoft/mdatp/sbin/wdavdaemon
└─1968 /opt/microsoft/mdatp/sbin/wdavdaemon
```
## Steps to troubleshoot if mdatp service isn't running
1. Check if “mdatp” user exists:
```bash
$ id “mdatp”
```
If theres no output, run
```bash
$ sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
$ sudo systemctl enable mdatp
$ sudo systemctl restart mdatp
```
3. If mdatp.service isn't found upon running the previous command, run
```bash
$ sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
where <systemd_path> is
/lib/systemd/system for Ubuntu and Debian distributions
/usr/lib/systemd/system for Rhel, CentOS, Oracle and SLES
```
and then rerun step 2.
4. If the above steps dont work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
5. Ensure that the daemon has executable permission.
```bash
$ ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
$ sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
6. Ensure that the file system containing wdavdaemon isn't mounted with “noexec”.
## If mdatp service is running, but EICAR text file detection doesn't work
1. Check the file system type using:
```bash
$ findmnt -T <path_of_EICAR_file>
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
## Command-line tool “mdatp” isn't working
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
$ sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
$ sudo mdatp --diagnostic --create
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.

82
windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Troubleshoot performance issues for Microsoft Defender ATP for Linux
description: Troubleshoot performance issues in Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, performance
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Troubleshoot performance issues for Microsoft Defender ATP for Linux
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md)
This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux.
Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues.
If your device is not managed by your organization, real-time protection can be disabled from the command line:
```bash
$ mdatp --config realTimeProtectionEnabled false
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md).
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the `Dogfood` and `InsisderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
$ mdatp config real_time_protection_statistics_enabled on
```
This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:
```bash
$ mdatp health
```
Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:
```bash
$ mdatp --config realTimeProtectionEnabled true
```
To collect current statistics, run:
```bash
$ mdatp diagnostic real_time_protection_statistics # you can use > stat.log to redirect to file
```
The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
> [!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers.
4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
See [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md) for details.

27
windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md Normal file
View File

@ -0,0 +1,27 @@
---
title: What's new in Microsoft Defender Advanced Threat Protection for Linux
description: List of major changes for Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, whatsnew, release
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: security
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# What's new in Microsoft Defender Advanced Threat Protection for Linux
## 100.90.70
- Antivirus [exclusions now support wildcards](linux-exclusions.md#supported-exclusion-types)
- Added the ability to [troubleshoot performance issues](linux-support-perf.md) through the `mdatp` command-line tool
- Improvements to make the package installation more robust
- Performance improvements & bug fixes

12
windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md
View File

@ -41,10 +41,10 @@ The follow table shows the exclusion types supported by Microsoft Defender ATP f
Exclusion | Definition | Examples
---|---|---
File extension | All files with the extension, anywhere on the machine | .test
File | A specific file identified by the full path | /var/log/test.log
Folder | All files under the specified folder | /var/log/
Process | A specific process (specified either by the full path or file name) and all files opened by it | /bin/cat<br/>cat
File extension | All files with the extension, anywhere on the machine | `.test`
File | A specific file identified by the full path | `/var/log/test.log`
Folder | All files under the specified folder | `/var/log/`
Process | A specific process (specified either by the full path or file name) and all files opened by it | `/bin/cat`<br/>`cat`
## How to configure the list of exclusions
@ -64,7 +64,7 @@ Select the type of exclusion that you wish to add and follow the prompts.
You can validate that your exclusion lists are working by using `curl` to download a test file.
In the following Bash snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the *.testing extension*, replace *test.txt* with *test.testing*. If you are testing a path, ensure that you run the command within that path.
In the following Bash snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure that you run the command within that path.
```bash
$ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
@ -72,7 +72,7 @@ $ curl -o test.txt https://www.eicar.org/download/eicar.com.txt
If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html).
If you do not have internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command:
```bash
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > test.txt

7
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -26,6 +26,13 @@ ms.topic: conceptual
>
> If you have previously whitelisted the kernel extension as part of your remote deployment, that warning should not be presented to the end user. If you have not previously deployed a policy to whitelist the kernel extension, your users will be presented with the warning. To proactively silence the warning, you can still deploy a configuration to whitelist the kernel extension. Refer to the instructions in the [JAMF-based deployment](mac-install-with-jamf.md#approved-kernel-extension) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.
## 100.90.27
- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel
- New product icon
- Other user experience improvements
- Bug fixes
## 100.86.92
- Improvements around compatibility with Time Machine

2
windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md
View File

@ -122,7 +122,7 @@ It's important to understand the following prerequisites prior to creating indic
>[!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection (link) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS): <br>
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
> NOTE:
>- IP is supported for all three protocols
>- Encrypted URLs (full path) can only be blocked on first party browsers

30
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -70,6 +70,8 @@ In general you need to take the following steps:
- [Deploy using Puppet configuration management tool](linux-install-with-puppet.md)
- [Deploy using Ansible configuration management tool](linux-install-with-ansible.md)
If you experience any installation failures, refer to [Troubleshooting installation failures in Microsoft Defender ATP for Linux](linux-support-install.md).
### System requirements
- Supported Linux server distributions and versions:
@ -103,10 +105,10 @@ The following table lists the services and their associated URLs that your netwo
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |
> [!NOTE]
> For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server)
@ -117,25 +119,7 @@ Microsoft Defender ATP can discover a proxy server by using the following discov
If a proxy or firewall is blocking anonymous traffic, make sure that anonymous traffic is permitted in the previously listed URLs. For transparent proxies, no additional configuration is needed for Microsoft Defender ATP. For static proxy, follow the steps in [Manual Static Proxy Configuration](linux-static-proxy-configuration.md).
## Validating cloud connectivity
To test that a connection is not blocked, open [https://x.cp.wd.microsoft.com/api/report](https://x.cp.wd.microsoft.com/api/report) and [https://cdn.x.cp.wd.microsoft.com/ping](https://cdn.x.cp.wd.microsoft.com/ping) in a browser.
If you prefer the command line, you can also check the connection by running the following command in Terminal:
```bash
$ curl -w ' %{url_effective}\n' 'https://x.cp.wd.microsoft.com/api/report' 'https://cdn.x.cp.wd.microsoft.com/ping'
```
The output from this command should be similar to the following:
> `OK https://x.cp.wd.microsoft.com/api/report`
> `OK https://cdn.x.cp.wd.microsoft.com/ping`
Once Microsoft Defender ATP is installed, connectivity can be validated by running the following command in Terminal:
```bash
$ mdatp --connectivity-test
```
For troubleshooting steps, see the [Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux](linux-support-connectivity.md) page.
## How to update Microsoft Defender ATP for Linux

8
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md
View File

@ -73,10 +73,10 @@ The following table lists the services and their associated URLs that your netwo
| Service location | DNS record |
| ---------------------------------------- | ----------------------- |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> *.blob.core.windows.net <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com |
| Common URLs for all locations | x.cp.wd.microsoft.com <br/> cdn.x.cp.wd.microsoft.com <br/> eu-cdn.x.cp.wd.microsoft.com <br/> wu-cdn.x.cp.wd.microsoft.com <br/> officecdn-microsoft-com.akamaized.net <br/> crl.microsoft.com <br/> events.data.microsoft.com |
| European Union | europe.x.cp.wd.microsoft.com <br/> eu-v20.events.data.microsoft.com <br/> usseu1northprod.blob.core.windows.net <br/> usseu1westprod.blob.core.windows.net |
| United Kingdom | unitedkingdom.x.cp.wd.microsoft.com <br/> uk-v20.events.data.microsoft.com <br/> ussuk1southprod.blob.core.windows.net <br/> ussuk1westprod.blob.core.windows.net |
| United States | unitedstates.x.cp.wd.microsoft.com <br/> us-v20.events.data.microsoft.com <br/> ussus1eastprod.blob.core.windows.net <br/> ussus1westprod.blob.core.windows.net |
Microsoft Defender ATP can discover a proxy server by using the following discovery methods:
- Web Proxy Auto-discovery Protocol (WPAD)

10
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -96,7 +96,7 @@ Ensure that your machines:
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
@ -104,10 +104,6 @@ Ensure that your machines:
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)

45
windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md
View File

@ -28,23 +28,23 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink).
Microsoft Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions.
>[!IMPORTANT]
>This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
> [!IMPORTANT]
> This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview.md).
To onboard down-level Windows client endpoints to Microsoft Defender ATP, you'll need to:
- Configure and update System Center Endpoint Protection clients.
- Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP as instructed below.
>[!TIP]
> [!TIP]
> After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).
## Configure and update System Center Endpoint Protection clients
>[!IMPORTANT]
>This step is required only if your organization uses System Center Endpoint Protection (SCEP).
> [!IMPORTANT]
> This step is required only if your organization uses System Center Endpoint Protection (SCEP).
Microsoft Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.
@ -59,16 +59,16 @@ The following steps are required to enable this integration:
Review the following details to verify minimum system requirements:
- Install the [February 2018 monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
> [!NOTE]
> Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
- Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
> [!NOTE]
> Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
> Don't install .NET Framework 4.0.x, since it will negate the above installation.
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
@ -93,29 +93,10 @@ Once completed, you should see onboarded endpoints in the portal within an hour.
### Configure proxy and Internet connectivity settings
- Each Windows endpoint must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway).
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Microsoft Defender ATP service:
Agent Resource | Ports
:---|:---
| *.oms.opinsights.azure.com | 443 |
| *.blob.core.windows.net | 443 |
| *.azure-automation.net | 443 |
| *.ods.opinsights.azure.com | 443 |
| winatp-gw-cus.microsoft.com | 443 |
| winatp-gw-eus.microsoft.com | 443 |
| winatp-gw-neu.microsoft.com | 443 |
| winatp-gw-weu.microsoft.com | 443 |
|winatp-gw-uks.microsoft.com | 443 |
|winatp-gw-ukw.microsoft.com | 443 |
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
## Offboard client endpoints
To offboard, you can uninstall the MMA agent from the endpoint or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the endpoint will no longer send sensor data to Microsoft Defender ATP.
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink)
> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevele-belowfoldlink).

26
windows/security/threat-protection/microsoft-defender-atp/onboarding.md
View File

@ -1,5 +1,5 @@
---
title: Onboard to the Micrsoft Defender ATP service
title: Onboard to the Microsoft Defender ATP service
description:
keywords:
search.product: eADQiWindows 10XVcnh
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Onboard to the Micrsoft Defender ATP service
# Onboard to the Microsoft Defender ATP service
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -34,7 +34,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
<img src="images/setup.png" alt="Setup the Microsoft Defender ATP service" title="Setup" />
<br/>Phase 2: Setup </a><br>
<br/>Phase 2: Set up </a><br>
</td>
<td align="center" bgcolor="#d5f5e3">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
@ -184,11 +184,11 @@ Before the systems can be onboarded into the workspace, the deployment scripts n
Edit the InstallMMA.cmd with a text editor, such as notepad and update the
following lines and save the file:
![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
![Image of onboarding](images/a22081b675da83e8f62a046ae6922b0d.png)
Edit the ConfiguerOMSAgent.vbs with a text editor, such as notepad, and update the following lines and save the file:
![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
![Image of onboarding](images/09833d16df7f37eda97ea1d5009b651a.png)
Microsoft Monitoring Agent (MMA) is currently (as of January 2019) supported on the following Windows Operating
Systems:
@ -257,15 +257,15 @@ MMA for enrollment into the workspace.
9. Set Run to **Hidden**.
10. Set **Program can run** to **Whether or not a user is logged on**.
10. Set **Program can run** to **Whether or not a user is logged on**.
11. Click **Next**.
11. Click **Next**.
12. Set the **Maximum allowed run time** to 720.
12. Set the **Maximum allowed run time** to 720.
13. Click **Next**.
13. Click **Next**.
![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
![Image of Microsoft Endpoint Configuration Manager console](images/262a41839704d6da2bbd72ed6b4a826a.png)
14. Verify the configuration, then click **Next**.
@ -275,12 +275,12 @@ MMA for enrollment into the workspace.
16. Click **Close**.
17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
17. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP
Onboarding Package just created and select **Deploy**.
18. On the right panel select the appropriate collection.
19. Click **OK**.
19. Click **OK**.
## Next generation protection
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
@ -318,7 +318,7 @@ needs on how Antivirus is configured.
![Image of next generation protection pane](images/3876ca687391bfc0ce215d221c683970.png)
3. Right-click on the newly created antimalware policy and select **Deploy** .
3. Right-click on the newly created antimalware policy and select **Deploy**.
![Image of next generation protection pane](images/f5508317cd8c7870627cb4726acd5f3d.png)

14
windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md
View File

@ -32,12 +32,10 @@ Inspired by the "assume breach" mindset, Microsoft Defender ATP continuously col
The response capabilities give you the power to promptly remediate threats by acting on the affected entities.
## In this section
Topic | Description
:---|:---
[Security operations dashboard](security-operations-dashboard.md) | Explore a high level overview of detections, highlighting where response actions are needed.
[Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) | View and organize the incidents queue, and manage and investigate alerts.
[Alerts queue](alerts-queue.md) | View and organize the machine alerts queue, and manage and investigate alerts.
[Machines list](machines-view-overview.md) | Investigate machines with generated alerts and search for specific events over time.
[Take response actions](response-actions.md) | Learn about the available response actions and apply them to machines and files.
## Related topics
- [Security operations dashboard](security-operations-dashboard.md)
- [Incidents queue](view-incidents-queue.md)
- [Alerts queue](alerts-queue.md)
- [Machines list](machines-view-overview.md)

4
windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md
View File

@ -38,7 +38,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
<td align="center" >
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
<img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup the Microsoft Defender ATP service" />
<br/>Phase 2: Setup </a><br>
<br/>Phase 2: Set up </a><br>
</td>
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
@ -180,5 +180,5 @@ how the endpoint security suite should be enabled.
## Next step
|||
|:-------|:-----|
|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Setup Microsoft Defender ATP deployment
|![Phase 2: Setup](images/setup.png) <br>[Phase 2: Setup](production-deployment.md) | Set up Microsoft Defender ATP deployment

25
windows/security/threat-protection/microsoft-defender-atp/production-deployment.md
View File

@ -1,5 +1,5 @@
---
title: Setup Microsoft Defender ATP deployment
title: Set up Microsoft Defender ATP deployment
description:
keywords:
search.product: eADQiWindows 10XVcnh
@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Setup Microsoft Defender ATP deployment
# Set up Microsoft Defender ATP deployment
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -36,7 +36,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
<td align="center"bgcolor="#d5f5e3">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment">
<img src="images/setup.png" alt="Onboard to the Microsoft Defender ATP service" title="Setup" />
<br/>Phase 2: Setup </a><br>
<br/>Phase 2: Set up </a><br>
</td>
<td align="center">
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
@ -48,7 +48,7 @@ Deploying Microsoft Defender ATP is a three-phase process:
</tr>
</table>
You are currently in the setup phase.
You are currently in the set up phase.
In this deployment scenario, you'll be guided through the steps on:
- Licensing validation
@ -69,9 +69,9 @@ Checking for the license state and whether it got properly provisioned, can be d
1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**.
- On the screen you will see all the provisioned licenses and their current **Status**.
On the screen you will see all the provisioned licenses and their current **Status**.
![Image of billing licenses](images/atp-billing-subscriptions.png)
![Image of billing licenses](images/atp-billing-subscriptions.png)
## Cloud Service Provider validation
@ -88,7 +88,7 @@ To gain access into which licenses are provisioned to your company, and to check
## Tenant Configuration
When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client machine.
1. From a web browser, navigate to <https://securitycenter.windows.com>.
@ -103,7 +103,7 @@ When accessing [Microsoft Defender Security Center](https://securitycenter.windo
4. Set up preferences.
**Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this setup and Microsoft will not transfer the data from the specified geolocation.
**Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation.
**Data retention** - The default is 6 months.
@ -160,11 +160,8 @@ services if a computer is not permitted to connect to the Internet. The static
proxy is configurable through Group Policy (GP). The group policy can be found
under:
- Administrative Templates \> Windows Components \> Data Collection and
Preview Builds \> Configure Authenticated Proxy usage for the Connected User
Experience and Telemetry Service
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**
- Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service
- Set it to **Enabled** and select **Disable Authenticated Proxy usage**
1. Open the Group Policy Management Console.
2. Create a policy or edit an existing policy based off the organizational practices.
@ -261,4 +258,4 @@ You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https:
## Next step
|||
|:-------|:-----|
|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them
|![Phase 3: Onboard](images/onboard.png) <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them

36
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -27,6 +27,16 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## APIs
Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
- [Machine APIs](machine.md)
- [Recommendation APIs](vulnerability.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
@ -67,18 +77,24 @@ To find software or software versions which have reached end-of-support:
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png)
### List of versions and dates
To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
![Screenshot of version distribution link](images/eos-upcoming-eos.png) <br><br>
2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
![Screenshot of version distribution link](images/software-drilldown-eos.png) <br><br>
3. Select one of the versions in the table to open. For example, version 3.5.2150.0. A flyout will appear with the end of support date.
![Screenshot of version distribution link](images/version-eos-date.png)<br><br>
After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
## Use APIs
Threat and vulnerability management supports multiple APIs. See the following topics for related APIs:
- [Machine APIs](machine.md)
- [Recommendation APIs](vulnerability.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)

9
windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md
View File

@ -52,5 +52,14 @@ If while trying to take an action during a live response session, you encounter
4. Navigate to your TEMP folder.
5. Run the action you wanted to take on the copied file.
## Slow live response sessions or delays during initial connections
Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows.
If you are having connectivity issues with live response, please confirm the following:
1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).
2. WpnService (Windows Push Notifications System Service) is not disabled.
Please refer to the articles below to fully understand the WpnService service behavior and requirements:
- [Windows Push Notification Services (WNS) overview](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview)
- [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config)
- [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=44535)

3
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -85,8 +85,8 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
@ -94,4 +94,5 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

11
windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
View File

@ -70,21 +70,16 @@ To lower your threat and vulnerability exposure, follow these steps.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

61
windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
View File

@ -26,61 +26,32 @@ ms.topic: conceptual
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), you can start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks through the integration with Microsoft Intune where remediation tickets are created.
Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations.
## How remediation requests work
## Navigate to the Remediation page
When you submit a remediation request from Threat & Vulnerability Management, it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
The dashboard will show the status of your top remediation activities. Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
## Accessing the remediation page
You can access the remediation page in a few places in the portal:
- Security recommendations flyout panel
- Navigation menu
- Top remediation activities in the dashboard
### Security recommendation flyout page
You'll see remediation options when you select one of the security recommendations in the [Security recommendations page](tvm-security-recommendation.md).
1. From the flyout panel, you'll see the security recommendation details including next steps. Select **Remediation options**.
2. In the **Remediation options** page, select **Open a ticket in Intune (for AAD joined devices)**.
3. Select a remediation due date.
4. Add notes to give your IT administrator a context of your remediation request. For example, you can indicate urgency of the remediation request to avoid potential exposure to a recent exploit activity, or if the request is a part of compliance.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we will only send 10,000 machines for remediation to Intune.
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
You can access the remediation page though the navigation menu, and top remediation activities in the dashboard.
### Navigation menu
1. Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization.
To see software which has reached end-of-support, select **Software uninstall** from the **Remediation type** filter. For specific software versions which have reached end-of-support, select **Software update** from the **Remediation type** filter. Select **In progress** then **Apply**.
![Screenshot of the remediation page filters for software update and uninstall](images/remediation_swupdatefilter.png)
2. Select the remediation activity that you want to view.
Go to the Threat & Vulnerability Management navigation menu and select **Remediation** to open up the list of remediation activities and exceptions found in your organization. Select the remediation activity that you want to view.
![Screenshot of the remediation page flyout for a software which reached end-of-support](images/remediation_flyouteolsw.png)
### Top remediation activities in the dashboard
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top remediation activities** card. The list is sorted and prioritized based on what is listed in the **Top security recommendations**.
2. Select the remediation activity that you want to view.
View **Top remediation activities** in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). Select any of the entries to go to the **Remediation** page. You can mark the remediation activity as completed after the IT admin team remediates the task.
## Remediation activities
## Exception options
When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created which will be tracked in the Threat & Vulnerability Management **Remediation** page, and a remediation ticket is created in Microsoft Intune.
## Exceptions
You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
When you select a [security recommendation](tvm-security-recommendation.md), it opens a flyout screen with details and options for your next steps. Select **Exception options** to fill out the justification and context.
![Screenshot of exception flyout screen](images/tvm-exception-flyout.png)
[File for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md).
### Exception justification
@ -131,18 +102,14 @@ The exception impact shows on both the Security recommendations page column and
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendation](tvm-security-recommendation.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

51
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -27,7 +27,7 @@ ms.topic: conceptual
[!include[Prerelease information](../../includes/prerelease.md)]
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendation helps shorten the time to mitigate or remediate vulnerabilities and drive compliance.
Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance.
Each security recommendation includes an actionable remediation recommendation which can be pushed into the IT task queue through a built-in integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment.
@ -43,7 +43,11 @@ Each machine in the organization is scored based on three important factors to h
## Navigate to security recommendations
You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management menu, dashboard, software page, and machine page.
You can access security recommendations from the Microsoft Defender ATP Threat & Vulnerability Management navigation menu, dashboard, software page, and machine page.
### Navigation menu
Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
### Top security recommendations in the Threat & Vulnerability Management dashboard
@ -53,21 +57,17 @@ In a given day as a Security Administrator, you can take a look at the [Threat &
The top security recommendations lists the improvement opportunities prioritized based on the important factors mentioned in the previous section - threat, likelihood to be breached, and value. Selecting a recommendation will take you to the security recommendations page with more details about the recommendation.
### Navigation menu
Go to the Threat & Vulnerability Management navigation menu and select **Security recommendations** to open the list of security recommendations for the threats and vulnerabilities found in your organization.
## Security recommendations overview
You will be able to view the recommendation, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
View recommendations, the number of weaknesses found, related components, threat insights, number of exposed machines, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the amount of exposed machines, the color of the graph will change into green. This happens when the numbers on the right hand side is greater than what's on the left, which means an increase or decrease at the end of even a single machine will change the graph's color.
The color of the **Exposed machines** graph changes as the trend changes. If the number of exposed machines is on the rise, the color changes into red. If there's a decrease in the number of exposed machines, the color of the graph will change into green.
![Screenshot of security recommendations page](images/tvmsecrec-updated.png)
### Icons
Useful icons also quickly calls your attention to <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>
Useful icons also quickly calls your attention to: <ul><li> ![Possible active alert](images/tvm_alert_icon.png) possible active alerts</li><li>![Threat insight](images/tvm_bug_icon.png) associated public exploits</li><li>![Recommendation insight](images/tvm_insight_icon.png) recommendation insights</li></ul><br>
### Investigate
@ -77,22 +77,22 @@ Select the security recommendation that you want to investigate or process.
From the flyout, you can do any of the following:
- **Open software page** - Drill down and open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-life, and charts so you can see the exposure trend over time.
- **Open software page** - Open the software page to get more context of the software details, prevalence in the organization, weaknesses discovered, version distribution, software or software version end-of-support, and charts of the exposure trend over time.
- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet due to specific business reasons, compensation controls, or if it is a false positive.
- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
>[!NOTE]
>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
## Request remediation
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
### Enable Microsoft Intune connection
To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
@ -106,16 +106,18 @@ See [Use Intune to remediate vulnerabilities identified by Microsoft Defender AT
4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
## File for exception
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
As an alternative to a remediation request, you can create exceptions for recommendations.
There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
Exceptions can be created for both *Security update* and *Configuration change* recommendations.
Exceptions can be created for both Security update and Configuration change recommendations.
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
@ -127,10 +129,8 @@ When an exception is created for a recommendation, the recommendation is no long
> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png)
3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png)
4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png)
4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and select the **Exceptions** tab to view all your exceptions (current and past).
## Report inaccuracy
@ -149,21 +149,16 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

4
windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
View File

@ -45,7 +45,8 @@ Some of the above prerequisites might be different from the [Minimum requirement
## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Security recommendations](tvm-security-recommendation.md)
@ -53,4 +54,5 @@ Some of the above prerequisites might be different from the [Minimum requirement
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

118
windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
View File

@ -8,20 +8,20 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dolmont
author: DulceMontemayor
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 10/31/2019
---
# Weaknesses
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
@ -29,6 +29,13 @@ Threat & Vulnerability Management leverages the same signals in Microsoft Defend
The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization, their severity, Common Vulnerability Scoring System (CVSS) rating, its prevalence in your organization, corresponding breach, and threat insights.
You can access the list of vulnerabilities in a few places in the portal:
- Global search
- Weaknesses option in the navigation menu
- Top vulnerable software widget in the dashboard
- Discovered vulnerabilities page in the machine page
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network:
>- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
@ -36,80 +43,76 @@ The **Weaknesses** page lists down the vulnerabilities found in the infected sof
>- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
>- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
## Navigate to the Weaknesses page
## Navigate through your organization's weaknesses page
You can access the list of vulnerabilities in a few places in the portal:
- Global search
- Weaknesses option in the navigation menu
- Top vulnerable software widget in the dashboard
- Discovered vulnerabilities page in the machine page
When new vulnerabilities are released, you can find out how many of your assets are exposed in the **Weaknesses** page of the Threat & Vulnerability Management navigation menu. If the **Exposed Machines** column shows 0, that means you are not at risk. If exposed machines exist, the next step is to remediate the vulnerabilities in those machines to reduce the risk to your assets and organization.
*Vulnerabilities in global search*
1. Click the global search drop-down menu.
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then click the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png)
3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
![tvm-breach-insights](images/tvm-weaknesses-overview.png)
> [!NOTE]
> To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
### Breach and threat insights
*Weaknesses page in the menu*
1. Go to the Threat & Vulnerability Management navigation menu and select **Weaknesses** to open up the list of vulnerabilities found in your organization.
2. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, dates when it was published and updated, related software, exploit kits available, vulnerability type, link to useful reference, and number of exposed machines which users can also export.
![Screenshot of the CVE details in the flyout pane in the Weaknesses page](images/tvm-weaknesses-page.png)
You can view the related breach and threat insights in the **Threat** column when the icons are colored red.
*Top vulnerable software widget in the dashboard*
1. Go to the Threat & Vulnerability Management dashboard and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
![tvm-top-vulnerable-software](images/tvm-top-vulnerable-software.png)
2. Click the software that you want to investigate and it takes you to the software page. You will see the weaknesses found in your machine per severity level, in which machines are they installed, version distribution, and the corresponding security recommendation.
3. Select the **Discovered vulnerabilities** tab.
4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
*Discovered vulnerabilities in the machine page*
1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
<br>![Screenshot of Machines list page](images/tvm_machineslist.png)</br>
2. In the **Machines list** page, select the machine that you want to investigate.
<br>![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)</br>
<br>A flyout pane opens with machine details and response action options.</br>
![Screenshot of the flyout pane with machine details and response options](images/tvm_machine_page_flyout.png)
3. In the flyout pane, select **Open machine page**. A page opens with details and response options for the machine you want to investigate.
<br>![Screenshot of the machine page with details and response options](images/tvm_machines_discoveredvuln.png)</br>
4. Select **Discovered vulnerabilities**.
5. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
## How it works
When new vulnerabilities are released, you would want to know how many of your assets are exposed. You can see the list of vulnerabilities and the details in the **Weaknesses** page.
If the **Exposed Machines** column shows 0, that means you are not at risk.
If exposed machines exist, that means you need to remediate the vulnerabilities in those machines because they put the rest of your assets and your organization at risk.
You can also see the related alert and threat insights in the **Threat** column.
The breach insights icon is highlighted if there is a vulnerability found in your organization. Prioritize an investigation because it means there might be a breach in your organization.
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon.
The breach insights icon is highlighted if there is a vulnerability found in your organization.
![tvm-breach-insights](images/tvm-breach-insights.png)
The threat insights icons are highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit, connected to specific advanced persistent campaigns or activity groups for which, Threat Analytics report links are provided that you can read, has zero-day exploitation news, disclosures, or related security advisories.
The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. It also shows whether the threat is a part of an exploit kit or connected to specific advanced persistent campaigns or activity groups. Threat Analytics report links are provided that you can read with zero-day exploitation news, disclosures, or related security advisories.
![tvm-threat-insights](images/tvm-threat-insights.png)
>[!NOTE]
> Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight ![threat insight](images/tvm_bug_icon.png) icon and breach insight ![possible active alert](images/tvm_alert_icon.png) icon.
## Vulnerabilities in global search
1. Go to the global search drop-down menu.
2. Select **Vulnerability** and key-in the Common Vulnerabilities and Exposures (CVE) ID that you are looking for, then select the search icon. The **Weaknesses** page opens with the CVE information that you are looking for.
![tvm-vuln-globalsearch](images/tvm-vuln-globalsearch.png)
3. Select the CVE and a flyout panel opens up with more information - the vulnerability description, exploits available, severity level, CVSS v3 rating, publishing and update dates.
To see the rest of the vulnerabilities in the **Weaknesses** page, type CVE, then click search.
## Top vulnerable software in the dashboard
1. Go to the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) and scroll down to the **Top vulnerable software** widget. You will see the number of vulnerabilities found in each software along with threat information and a high-level view of the device exposure trend over time.
![top vulnerable software card](images/tvm-top-vulnerable-software500.png)
2. Select the software that you want to investigate to go a drill down page.
3. Select the **Discovered vulnerabilities** tab.
4. Select the vulnerability that you want to investigate to open up a flyout panel with the vulnerability details, such as: CVE description, CVE ID, exploits available, CVSS V3 rating, severity, publish, and update dates.
![Windows server drill down overview](images/windows-server-drilldown.png)
## Discover vulnerabilities in the machine page
1. Go to the left-hand navigation menu bar, then select the machine icon. The **Machines list** page opens.
2. In the **Machines list** page, select the machine name that you want to investigate.
<br>![Screenshot of machine list with selected machine to investigate](images/tvm_machinetoinvestigate.png)</br>
3. The machine page will open with details and response options for the machine you want to investigate.
4. Select **Discovered vulnerabilities**.
<br>![Screenshot of the machine page with details and response options](images/tvm-discovered-vulnerabilities.png)</br>
5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic.
### CVE Detection logic
Similar to the software evidence, we now show the detection logic we applied on a machine in order to state that it's vulnerable. This is a new section called "Detection Logic" (in any discovered vulnerability in the machine page) that shows the detection logic and source.
![Screenshot of the machine page with details and response options](images/cve-detection-logic.png)
## Report inaccuracy
You can report a false positive when you see any vague, inaccurate, missing, or already remediated vulnerability information in the machine page.
1. Select the **Discovered vulnerabilities** tab.
1. Select the **Discovered vulnerabilities** tab.
2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
2. Click **:** beside the vulnerability that you want to report about, and then select **Report inaccuracy**.
![Screenshot of Report inaccuracy control from the machine page in the Discovered vulnerabilities tab](images/tvm_report_inaccuracy_vuln.png)
<br>A flyout pane opens.</br>
![Screenshot of Report inaccuracy flyout pane](images/tvm_report_inaccuracy_vulnflyout.png)
3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
3. From the flyout pane, select the inaccuracy category from the **Discovered vulnerability inaccuracy reason** drop-down menu.
<br>![Screenshot of discovered vulnerability inaccuracy reason drop-down menu](images/tvm_report_inaccuracy_vulnoptions.png)</br>
4. Include your email address so Microsoft can send you feedback regarding the inaccuracy you reported.
@ -117,11 +120,10 @@ You can report a false positive when you see any vague, inaccurate, missing, or
5. Include your machine name for investigation context.
> [!NOTE]
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
> You can also provide details regarding the inaccuracy you reported in the **Tell us more (optional)** field to give the threat and vulnerability management investigators context.
6. Click **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts with its context.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)

3
windows/security/threat-protection/microsoft-defender-atp/user-roles.md
View File

@ -79,7 +79,8 @@ The following steps guide you on how to create roles in Microsoft Defender Secur
7. Apply the configuration settings.
After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
> [!IMPORTANT]
> After creating roles, you'll need to create a machine group and provide access to the machine group by assigning it to a role that you just created.
## Edit roles

3
windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
View File

@ -28,6 +28,9 @@ Describes the best practices, location, values, management, and security conside
Beginning with Windows Server 2012 and Windows 8, Windows detects user-input inactivity of a sign-in (logon) session by using the security policy setting **Interactive logon: Machine inactivity limit**. If the amount of inactive time exceeds the inactivity limit set by this policy, then the users session locks by invoking the screen saver (screen saver should be active on the destination machine). You can activate the screen saver by enabling the Group Policy **User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver**. This policy setting allows you to control the locking time by using Group Policy.
> [!NOTE]
> If the **Interactive logon: Machine inactivity limit** security policy setting is configured, the device locks not only when inactive time exceeds the inactivity limit, but also when the screensaver activates or when the display turns off because of power settings.
### Possible values
The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).

4
windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -36,7 +36,7 @@ This article describes how to configure exclusion lists for the files and folde
Exclusion | Examples | Exclusion list
---|---|---
Any file with a specific extension | All files with the `.test` extension, anywhere on the machine | Extension exclusions
Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
@ -292,4 +292,4 @@ You can also copy the string into a blank text file and attempt to save it with
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)

3
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -11,7 +11,6 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 01/09/2020
ms.reviewer:
manager: dansimp
ms.custom: nextgen
@ -40,7 +39,7 @@ This article describes how to specify from where updates should be downloaded (t
## Fallback order
Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used.
Typically, you configure endpoints to individually download updates from a primary source followed by other sources in order of priority, based on your network configuration. Updates are obtained from sources in the order you specify. If a source is not available, the next source in the list is used immediately.
When updates are published, some logic is applied to minimize the size of the update. In most cases, only the differences between the latest update and the update that is currently installed (this is referred to as the delta) on the device is downloaded and applied. However, the size of the delta depends on two main factors:
- The age of the last update on the device; and

1
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -50,6 +50,7 @@ Only the main version is listed in the following table as reference information:
Month | Platform/Client | Engine
---|---|---
Mar-2020 | 4.18.2003.x| 1.1.16900.x
Feb-2020 | - | 1.1.16800.x
Jan-2020 | 4.18.2001.x | 1.1.16700.x
Dec-2019 | - | - |

36
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
ms.reviewer:
manager: dansimp
---
@ -25,13 +25,13 @@ manager: dansimp
## Overview
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.)
- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.)
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
## Antivirus and Microsoft Defender ATP
The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
@ -47,19 +47,19 @@ The following table summarizes what happens with Windows Defender Antivirus when
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Windows Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Windows Defender Antivirus on Windows Server 2016 or 2019](windows-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-windows-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine.
If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
- Name: ForceDefenderPassiveMode
- Value: 1
See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
>[!IMPORTANT]
>Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
>
>In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
>
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
> [!IMPORTANT]
> Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
>
> In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through Microsoft Endpoint Configuration Manager.
>
> Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
## Functionality and features available in each state
@ -79,17 +79,17 @@ The following table summarizes the functionality and features that are available
## Keep the following points in mind
If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
>[!WARNING]
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
> [!WARNING]
> You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
## Related topics

3
windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
View File

@ -81,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.
> [!NOTE]
> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.
AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.
## Installing AppLocker

4
windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
View File

@ -27,7 +27,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md).
If you have an internal CA, complete these steps to create a code signing certificate.
Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded.
@ -98,7 +98,7 @@ Now that the template is available to be issued, you must request one from the c
>[!NOTE]
>If a certificate manager is required to approve any issued certificates and you selected to require management approval on the template, the request will need to be approved in the CA before it will be issued to the client.
This certificate must be installed in the users personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
This certificate must be installed in the user's personal store on the computer that will be signing the catalog files and code integrity policies. If the signing is going to be taking place on the computer on which you just requested the certificate, exporting the certificate to a .pfx file will not be required because it already exists in your personal store. If you are signing on another computer, you will need to export the .pfx certificate with the necessary keys and properties. To do so, complete the following steps:
1. Right-click the certificate, point to **All Tasks**, and then click **Export**.

12
windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
View File

@ -81,7 +81,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
`PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
>[!NOTE]
>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries hash values.
>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
When finished, the files will be saved to your desktop. You can double-click the \*.cat file to see its contents, and you can view the \*.cdf file with a text editor.
@ -95,16 +95,16 @@ Packages can fail for the following reasons:
- To diagnose whether USN journal size is the issue, after running through Package Inspector, click Start > install app > PackageInspector stop
- Get the value of the reg key at HKEY\_CURRENT\_USER/PackageInspectorRegistryKey/c: (this was the most recent USN when you ran PackageInspector start)
- `fsutil usn readjournal C: startusn=RegKeyValue > inspectedusn.txt`
- ReadJournal command should throw an error if the older USNs dont exist anymore due to overflow
- ReadJournal command should throw an error if the older USNs don't exist anymore due to overflow
- For USN Journal, log size can be expanded using: `fsutil usn createjournal` command with a new size and alloc delta. `Fsutil usn queryjournal` will give the current size and allocation delta, so using a multiple of that may help
- To diagnose whether Eventlog size is the issue, look at the Microsoft/Windows/CodeIntegrity/Operational log under Applications and Services logs in Event Viewer and ensure that there are entries present from when you began Package Inspector (You can use write time as a justification; if you started the install 2 hours ago and there are only entries from 30 minutes prior, the log is definitely too small)
- To increase Eventlog size, in Event Viewer you can right click the operational log, click properties, and then set new values (some multiple of what it was previously)
- Package files that change hash each time the package is installed
- Package Inspector is completely incompatible if files in the package (temporary or otherwise) change hash each time the package is installed. You can diagnose this by looking at the hash field in the 3077 block events when the package is failing in enforcement. If each time you attempt to run the package you get a new block event with a different hash, the package will not work with Package Inspector
- Files with an invalid signature blob or otherwise unhashable files
- Files with an invalid signature blob or otherwise "unhashable" files
- This issue arises when a file that has been signed is modified post signing in a way that invalidates the PE header and renders the file unable to be hashed by the Authenticode Spec.
- WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file cant be allowed by hash due to authenticode hashing algorithm rejecting it)
- Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this unhashable state and renders the file unable to be allowed by Device Guard (regardless of if you try to allow directly by policy or resign with Package Inspector)
- WDAC uses Authenticode Hashes to validate files when they are running. If the file is unhashable via the authenticode SIP, there is no way to identify the file to allow it, regardless of if you attempt to add the file to the policy directly, or re-sign the file with a Package Inspector catalog (the signature is invalidated due to file being edited, file can't be allowed by hash due to authenticode hashing algorithm rejecting it)
- Recent versions of InstallShield packages that use custom actions can hit this. If the DLL input to the custom action was signed before being put through InstallShield, InstallShield adds tracking markers to the file (editing it post signature) which leaves the file in this "unhashable" state and renders the file unable to be allowed by Windows Defender (regardless of if you try to allow directly by policy or resign with Package Inspector)
## Catalog signing with SignTool.exe
@ -124,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e
`$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing users personal store.
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:

2
windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
View File

@ -24,7 +24,7 @@ ms.date: 02/28/2018
- Windows 10
- Windows Server 2016
WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
WDAC policies can easily be deployed and managed with Group Policy. Windows Defender allows you to simplify deployment Windows Defender hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
> [!NOTE]
> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.

2
windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
View File

@ -35,7 +35,7 @@ You should consider using WDAC as part of your organization's application contro
- You have deployed or plan to deploy the supported versions of Windows in your organization.
- You need improved control over the access to your organization's applications and the data your users access.
- Your organization has a well-defined process for application management and deployed.
- Your organization has a well-defined process for application management and deployment.
- You have resources to test policies against the organization's requirements.
- You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
- The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.

8
windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
View File

@ -31,7 +31,7 @@ This topic covers guidelines for using code signing control classic Windows apps
## Reviewing your applications: application signing and catalog files
Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a catalog file from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
@ -45,7 +45,7 @@ To obtain signed applications or embed signatures in your in-house applications,
To use catalog signing, you can choose from the following options:
- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
- Use the Windows Defender signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications.
- Create your own catalog files, which are described in the next section.
@ -53,12 +53,12 @@ To use catalog signing, you can choose from the following options:
Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries hash values are updated each time an application is updated, which requires the catalog file to be updated also.
Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
> [!NOTE]
> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
> Package Inspector only works on operating systems that support Windows Defender, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).

8
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
View File

@ -29,20 +29,20 @@ This topic provides a roadmap for planning and getting started on the Windows De
1. Review requirements, especially hardware requirements for VBS.
2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments' needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
- How standardized is the hardware?<br>This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
- What software does each department or role need? Should they be able to install and run other departments software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
- What software does each department or role need? Should they be able to install and run other departments' software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
- Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
- Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline WDAC policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
- As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts?
In day-to-day operations, your organizations security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
In day-to-day operations, your organization's security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies.
Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
@ -70,7 +70,7 @@ This topic provides a roadmap for planning and getting started on the Windows De
## Known issues
This section covers known issues with WDAC and Device Guard. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
This section covers known issues with WDAC. Virtualization-based protection of code integrity may be incompatible with some devices and applications, which might cause unexpected failures, data loss, or a blue screen error (also called a stop error).
Test this configuration in your lab before enabling it in production.
### MSI Installations are blocked by WDAC

8
windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
View File

@ -1,6 +1,6 @@
---
title: Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10)
description: A list of all available setttings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
description: A list of all available settings for Windows Defender SmartScreen using Group Policy and mobile device management (MDM) settings.
keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen
ms.prod: w10
ms.mktglfcycl: explore
@ -40,7 +40,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
<tr>
<td>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td>Windows 10, version 1703</td>
<td>This setting helps protect PCs by allowing users to install apps only from the Microsoft Store. Windows Defender SmartScreen must be enabled for this feature to work properly.<p>If you enable this setting, your employees can only install apps from the Microsoft Store.<p>If you disable this setting, your employees can install apps from anywhere, including as a download from the Internet.<p>If you don't configure this setting, your employees can choose whether they can install from anywhere or only from Microsoft Store.</td>
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.<p>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.<p><strong>Important:</strong> Using a trustworthy browser helps ensure that these protections work as expected.</td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
@ -176,7 +176,7 @@ To better help you protect your organization, we recommend turning on and using
</tr>
<tr>
<td>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files</td>
<td><strong>Enable.</strong> Stops employees from ingnoring warning messages and continuing to download potentially malicious files.</td>
<td><strong>Enable.</strong> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\File Explorer\Configure Windows Defender SmartScreen</td>
@ -199,7 +199,7 @@ To better help you protect your organization, we recommend turning on and using
</tr>
<tr>
<td>Browser/PreventSmartScreenPromptOverrideForFiles</td>
<td><strong>1.</strong> Stops employees from ingnoring warning messages and continuing to download potentially malicious files.</td>
<td><strong>1.</strong> Stops employees from ignoring warning messages and continuing to download potentially malicious files.</td>
</tr>
<tr>
<td>SmartScreen/EnableSmartScreenInShell</td>

BIN
windows/security/threat-protection/windows-sandbox/images/1-dynamic-host.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/windows-sandbox/images/2-dynamic-working.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
windows/security/threat-protection/windows-sandbox/images/3-memory-sharing.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/security/threat-protection/windows-sandbox/images/4-integrated-kernal.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
windows/security/threat-protection/windows-sandbox/images/5-wddm-gpu-virtualization.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
windows/security/threat-protection/windows-sandbox/images/6-wddm-gpu-virtualization-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

62
windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md Normal file
View File

@ -0,0 +1,62 @@
---
title: Windows Sandbox architecture
description:
ms.prod: w10
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
ms.localizationpriority:
ms.date:
ms.reviewer:
---
# Windows Sandbox architecture
Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs.
## Dynamically generated image
Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host.
Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.
![A chart compares scale of dynamic image of files and links with the host file system.](images/1-dynamic-host.png)
## Memory management
Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png)
## Memory sharing
Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png)
## Integrated kernel scheduler
With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.
![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)
Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container.
## WDDM GPU virtualization
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png)
To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).
## Battery pass-through
Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This functionality is critical for technology that is used on laptops, where battery life is often critical.

216
windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md Normal file
View File

@ -0,0 +1,216 @@
---
title: Windows Sandbox configuration
description:
ms.prod: w10
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
ms.localizationpriority:
ms.date:
ms.reviewer:
---
# Windows Sandbox configuration
Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later.
Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here:
**C:\Temp> MyConfigFile.wsb**
A configuration file enables the user to control the following aspects of Windows Sandbox:
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
- **Logon command**: A command that's executed when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the RDP session to the sandbox.
- **Printer redirection**: Shares printers from the host into the sandbox.
- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.
**Keywords, values, and limits**
**vGPU**: Enables or disables GPU sharing.
`<vGPU>value</vGPU>`
Supported values:
- *Enable*: Enables vGPU support in the sandbox.
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
- *Default* This is the default value for vGPU support. Currently this means vGPU is disabled.
> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.
**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
`<Networking>value</Networking>`
Supported values:
- *Disable*: Disables networking in the sandbox.
- *Default*: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
> [!NOTE]
> Enabling networking can expose untrusted applications to the internal network.
**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop.
```xml
<MappedFolders>
<MappedFolder>
<HostFolder>absolute path to the host folder</HostFolder>
<SandboxFolder>absolute path to the sandbox folder</SandboxFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>
<MappedFolder>
...
</MappedFolder>
</MappedFolders>
```
*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start.
*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
> [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.
```xml
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
```
*Command*: A path to an executable or script inside the container that will be executed after login.
> [!NOTE]
> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
**Audio input**: Enables or disables audio input to the sandbox.
`<AudioInput>value</AudioInput>`
Supported values:
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
- *Default*: This is the default value for audio input support. Currently this means audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
**Video input**: Enables or disables video input to the sandbox.
`<VideoInput>value</VideoInput>`
Supported values:
- *Enable*: Enables video input in the sandbox.
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface.
`<ProtectedClient>value</ProtectedClient>`
Supported values:
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.
> [!NOTE]
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
**Printer redirection**: Enables or disables printer sharing from the host into the sandbox.
`<PrinterRedirection>value</PrinterRedirection>`
Supported values:
- *Enable*: Enables sharing of host printers into the sandbox.
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled.
**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox.
`<ClipboardRedirection>value</ClipboardRedirection>`
Supported values:
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*.
**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB).
`<MemoryInMB>value</MemoryInMB>`
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
***Example 1***
The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
*Downloads.wsb*
```xml
<Configuration>
<VGpu>Disable</VGpu>
<Networking>Disable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\Public\Downloads</HostFolder>
<SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
</LogonCommand>
</Configuration>
```
***Example 2***
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
*VSCodeInstall.cmd*
```console
REM Download Visual Studio Code
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
REM Install and run Visual Studio Code
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
```
*VSCode.wsb*
```xml
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\SandboxScripts</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
<MappedFolder>
<HostFolder>C:\CodingProjects</HostFolder>
<ReadOnly>false</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
</LogonCommand>
</Configuration>
```

61
windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md Normal file
View File

@ -0,0 +1,61 @@
---
title: Windows Sandbox
description:
ms.prod: w10
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
ms.localizationpriority:
ms.date:
ms.reviewer:
---
# Windows Sandbox
Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
The following video provides an overview of Windows Sandbox.
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
## Prerequisites
- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyperthreading recommended)
## Installation
1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
2. Enable virtualization on the machine.
- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:<br/> **Set -VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true**
1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
1. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
## Usage
1. Copy an executable file (and any other files needed to run the application) from the host into the Windows Sandbox window.
2. Run the executable file or installer inside the sandbox.
3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **ok**.
4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.

4
windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
View File

@ -55,8 +55,8 @@ No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new
**Client Versions**
| Name | Build | Baseline Release Date | Security Tools |
|---|---|---|---|
|Windows 10 | [1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <p> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <p>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <p>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <p>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2017 <p>August 2017 <p>October 2016 <p>January 2016<p> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| ---- | ----- | --------------------- | -------------- |
| Windows 10 | [1809 (October 2018)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019) <br>[1803 (RS4)](https://docs.microsoft.com/archive/blogs/secguide/security-baseline-for-windows-10-v1803-redstone-4-draft) <br>[1709 (RS3)](https://blogs.technet.microsoft.com/secguide/2017/09/27/security-baseline-for-windows-10-fall-creators-update-v1709-draft/) <br> [1703 (RS2)](https://blogs.technet.microsoft.com/secguide/2017/08/30/security-baseline-for-windows-10-creators-update-v1703-final/) <br>[1607 (RS1)](https://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/) <br>[1511 (TH2)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/) <br>[1507 (TH1)](https://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update/)| October 2018 <br>March 2018 <br>October 2017 <br>August 2017 <br>October 2016 <br>January 2016<br> January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](https://blogs.technet.microsoft.com/secguide/2014/08/13/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final/)| October 2013| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |
Windows 8 |[9200](https://technet.microsoft.com/library/jj916413.aspx) |October 2012| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx)|
Windows 7 |[7601 (SP1)](https://technet.microsoft.com/library/ee712767.aspx)| October 2009| [SCM 4.0](https://technet.microsoft.com/solutionaccelerators/cc835245.aspx) |

6
windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
View File

@ -27,6 +27,8 @@ The SCT enables administrators to effectively manage their enterprises Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
- Windows 10 Version 1909 (November 2019 Update)
- Windows 10 Version 1903 (April 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
@ -41,7 +43,11 @@ The Security Compliance Toolkit consists of:
- Windows Server 2012 R2
- Microsoft Office security baseline
- Office 365 Pro Plus
- Office 2016
- Microsoft Edge security baseline
- Edge Browser Version 80
- Tools
- Policy Analyzer tool