Merge remote-tracking branch 'refs/remotes/origin/master' into upgrade-readiness
@ -1,4 +1,5 @@
# [Deploy Windows 10](index.md)
## [What's new in Windows 10 deployment](deploy-whats-new.md)
## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
## [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)
### [Upgrade Readiness architecture](upgrade-readiness-architecture.md)

@ -26,6 +27,7 @@
### [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
### [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
### [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
### [Perform an in-place upgrade to Windows 10 with MDT](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
### [Configure MDT settings](configure-mdt-settings.md)
#### [Set up MDT for BitLocker](set-up-mdt-for-bitlocker.md)
#### [Configure MDT deployment share rules](configure-mdt-deployment-share-rules.md)

@ -48,8 +50,7 @@
### [Monitor the Windows 10 deployment with Configuration Manager](monitor-windows-10-deployment-with-configuration-manager.md)
### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)
## [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md)
## [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md)
## [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md)
## [Convert MBR partition to GPT](mbr-to-gpt.md)
## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md)

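Review bot: the new `### Perform an in-place upgrade to Windows 10 using Configuration Manager` entry and the two removed `##` entries all point at `upgrade-to-windows-10-with-system-center-configuraton-manager.md`, whose filename carries the "configuraton" misspelling. Since that page is retitled in this same commit, this is the natural moment to rename the file and update the TOC, index.md and change-history links together; if the name stays, the link still resolves, so this is not blocking.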
@ -14,6 +14,9 @@ This topic lists new and updated topics in the [Deploy Windows 10](index.md) doc
## March 2017
| New or changed topic | Description |
|----------------------|-------------|
| [What's new in Windows 10 deployment](deploy-whats-new.md) | New |
| [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) | Topic moved under [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) in the table of contents and title adjusted to clarify in-place upgrade. |
| [Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) | Topic moved under [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) in the table of contents and title adjusted to clarify in-place upgrade. |
| [Convert MBR partition to GPT](mbr-to-gpt.md) | New |

## February 2017

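Review bot: the two "Topic moved" rows say the title was adjusted but still use the old title as the link text; spelling out the new titles ("Perform an in-place upgrade to Windows 10 with MDT" and "Perform an in-place upgrade to Windows 10 using Configuration Manager") in the description would let readers find the entries in the reorganised TOC.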
123
windows/deploy/deploy-whats-new.md
Normal file
@ -0,0 +1,123 @@
---
title: What's new in Windows 10 deployment
description: Changes and new features related to Windows 10 deployment
keywords: deployment, automate, tools, configure, news
ms.mktglfcycl: deploy
localizationpriority: high
ms.prod: w10
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
---

# What's new in Windows 10 deployment

**Applies to**
- Windows 10


## In this topic

This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization.

- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index).
- For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history).


## Windows 10 Enterprise upgrade

Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. With Windows 10 Enterprise E3 in CSP, small and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.

For more information, see [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md)


## Deployment solutions and tools

### Upgrade Readiness

The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017.

Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details.

The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled.

For more information about Upgrade Readiness, see the following topics:

- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/)
- [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md)


### Update Compliance

Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date.

Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.

For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).


### MBR2GPT

MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. Previously, it was necessary to image, then wipe and reload a disk to change from MBR format to GPT.

There are many benefits to converting the partition style of a disk to GPT, including the use of larger disk partitions, added data reliability, and faster boot and shutdown speeds. The GPT format also enables you to use the Unified Extensible Firmware Interface (UEFI) which replaces the Basic Input/Output System (BIOS) firmware interface. Security features of Windows 10 that require UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.

For more information, see [MBR2GPT.EXE](mbr-to-gpt.md).


### Microsoft Deployment Toolkit (MDT)

MDT build 884 is available, including support for:
- Deployment and upgrade of Windows 10, version 1607 (including Enterprise LTSB and Education editions) and Windows Server 2016.
- The Windows ADK for Windows 10, version 1607.
- Integration with Configuration Manager version 1606.

For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/en-US/windows/dn475741).


### Windows Assessment and Deployment Kit (ADK)

The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows. See the following topics:

- [What's new in ADK kits and tools](https://msdn.microsoft.com/windows/hardware/commercialize/what-s-new-in-kits-and-tools)
- [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md)


## Testing and validation guidance

### Windows 10 deployment proof of concept (PoC)

The Windows 10 PoC guide enables you to test Windows 10 deployment in a virtual environment and become familiar with deployment tools such as MDT and Configuration Manager. The PoC guide provides step-by-step instructions for installing and using Hyper-V to create a virtual lab environment. The guide makes extensive use of Windows PowerShell to streamline each phase of the installation and setup.

For more information, see the following guides:

- [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md)
- [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md)
- [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md)


## Troubleshooting guidance

[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) was published in October of 2016 and will continue to be updated with new fixes. The topic provides a detailed explanation of the Windows 10 upgrade process and instructions on how to locate, interpret, and resolve specific errors that can be encountered during the upgrade process.


## Online content change history

The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10.

[Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md)
<BR>[Change history for Plan for Windows 10 deployment](../plan/change-history-for-plan-for-windows-10-deployment.md)
<BR>[Change history for Manage and update Windows 10](../manage/change-history-for-manage-and-update-windows-10.md)
<BR>[Change history for Keep Windows 10 secure](../keep-secure/change-history-for-keep-windows-10-secure.md)


## Related topics

[Overview of Windows as a service](../manage/waas-overview.md)
<BR>[Windows 10 deployment considerations](../plan/windows-10-deployment-considerations.md)
<BR>[Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx)
<BR>[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
<BR>[Windows 10 upgrade paths](windows-10-upgrade-paths.md)
<BR>[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)

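Review bot: in the Upgrade Readiness section, "heavily influenced by input from the community the development of new features is ongoing" runs two clauses together; insert ", and" after "community". In the same paragraph "Operation Management Suite (OMS)" should read "Operations Management Suite". In the MDT section, "MDT build 884" reads as a truncated build number; check it against the linked MDT resource page before this publishes. Smaller points: the Update Compliance paragraph's "OMS Logs and Analytics" should be "OMS Log Analytics", and the "Windows 10 Enterprise E3 in CSP Overview" sentence is missing its closing period.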
@ -16,13 +16,12 @@ Learn about deploying Windows 10 for IT professionals.

|Topic |Description |
|------|------------|
|[What's new in Windows 10 deployment](deploy-whats-new.md) |See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization. |
|[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) |To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task. |
|[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) |With Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With Windows telemetry enabled, Upgrade Readiness collects system, application, and driver data for analysis. We then identify compatibility issues that can block an upgrade and suggest fixes when they are known to Microsoft. The Upgrade Readiness workflow steps you through the discovery and rationalization process until you have a list of computers that are ready to be upgraded. |
|[Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, see the following Windows 10 PoC deployment guides: [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md), [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md). |
|[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). |
|[Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) |If you have Microsoft System Center 2012 R2 Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. |
|[Upgrade to Windows 10 with the Microsoft Deployment Toolkit](upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) |The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Deployment Toolkit (MDT) task sequence to completely automate the process. |
|[Upgrade to Windows 10 with System Center Configuration Manager](upgrade-to-windows-10-with-system-center-configuraton-manager.md) |The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process. |
|[Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) |This topic provides a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. |
|[Convert MBR partition to GPT](mbr-to-gpt.md) |This topic provides detailed instructions for using the MBR2GPT partition conversion tool. |
|[Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) |This guide describes how to configure a PXE server to load Windows PE by booting a client computer from the network. |

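Review bot: the "Deploy Windows 10 with System Center 2012 R2 Configuration Manager" row ends with "...the Microsoft Deployment Toolkit (MDT) or.", a sentence fragment; trim it to "(MDT)." or complete the alternative. Also, if the two "Upgrade to Windows 10 with ..." rows remain in this table after the TOC reshuffle, their link text should follow the new page titles ("Perform an in-place upgrade ...") so the index and the TOC agree.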
@ -378,7 +378,6 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is

## Related topics

[Using MBR2GPT with Configuration Manager OSD](https://miketerrill.net/tag/mbr2gpt/)
<BR>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx)
<BR>[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
<BR>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)

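Review bot: "Windows 10 Enterprise system requirements" is listed twice, once with a leading `<BR>` and once without. Keep only the `<BR>` form: every other entry in this list relies on `<BR>` for its line break, so the bare link would render on the same line as the MBR2GPT link above it.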
@ -44,7 +44,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G

If you are not using OMS:

1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **Sign up** to kick off the onboarding process.
1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and click **New Customers >** to kick off the onboarding process.
2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS.
3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**.
4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator.

@ -130,4 +130,4 @@ To ensure that user computers are receiving the most up to date data from Micros

### Distribute the deployment script at scale

Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).
Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see the [Upgrade Readiness blog](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/).

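Review bot: the old and new versions of the "Use a software distribution system ..." line are identical as rendered, so this is a whitespace-only change (trailing space or line ending). Confirm it is intended and not a CRLF/LF flip, which would later make the whole file show as modified.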
@ -1,6 +1,6 @@
---
title: Upgrade to Windows 10 with System Center Configuration Manager (Windows 10)
description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a System Center Configuration Manager task sequence to completely automate the process.
title: Perform an in-place upgrade to Windows 10 using Configuration Manager (Windows 10)
description: The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. Use a System Center Configuration Manager task sequence to completely automate the process.
ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878
keywords: upgrade, update, task sequence, deploy
ms.prod: w10

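Review bot: the description is tightened from "You can use a ... task sequence" to "Use a ... task sequence", but the index.md row for this page in the same commit still carries the "You can use" wording; keep the two in sync, since the index table repeats the metadata description verbatim.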
@ -9,7 +9,7 @@ ms.mktglfcycl: deploy
author: mtniehaus
---

# Upgrade to Windows 10 with System Center Configuration Manager
# Perform an in-place upgrade to Windows 10 using Configuration Manager


**Applies to**

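Review bot: the new H1 says "using Configuration Manager" while the MDT counterpart retitled in this commit says "with MDT", and the TOC entries repeat the split; pick one preposition for both titles.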
@ -1,5 +1,5 @@
---
title: Upgrade to Windows 10 with the Microsoft Deployment Toolkit (Windows 10)
title: Perform an in-place upgrade to Windows 10 with MDT (Windows 10)
description: The simplest path to upgrade PCs that are currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade.
ms.assetid: B8993151-3C1E-4F22-93F4-2C5F2771A460
keywords: upgrade, update, task sequence, deploy

@ -11,7 +11,7 @@ ms.pagetype: mdt
author: mtniehaus
---

# Upgrade to Windows 10 with the Microsoft Deployment Toolkit
# Perform an in-place upgrade to Windows 10 with MDT

**Applies to**
- Windows 10

@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt
localizationpriority: high
author: greg-lindsay
---


@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, sccm, configuration manager
localizationpriority: high
author: greg-lindsay
---


@ -5,6 +5,8 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
keywords: deployment, automate, tools, configure, mdt, sccm
localizationpriority: high
author: greg-lindsay
---


@ -781,6 +781,7 @@
##### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
##### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
##### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
##### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)

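Review bot: the new "Python code examples" entry sits directly after the PowerShell one, which is the right place. Unrelated to this change but visible in the context: the two `fix-unhealhty-sensors-...` links carry a "unhealhty" misspelling in the filename, worth a follow-up rename with the links updated.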
@ -788,7 +789,7 @@
###### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
#### [Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md)
##### [Update general settings](general-settings-windows-defender-advanced-threat-protection.md)
##### [Turn on advanced features](advanced-features-windows-defender-advacned-threat-protection.md)
##### [Turn on advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
##### [Turn on preview experience](preview-settings-windows-defender-advanced-threat-protection.md)
##### [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md)

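Review bot: the link target changes from `advanced-features-windows-defender-advacned-threat-protection.md` to the correctly spelled name, and the same fix appears in the email-notifications Related topics list further down; confirm the file actually exists under the corrected name and that no other page still links to the misspelled one, otherwise the TOC entry breaks.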
@ -71,3 +71,10 @@ Portal label | SIEM field name | Description





## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

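Review bot: the new images are `atp-siem-mapping1.png` and `atp-siem-mapping3.png`; if a `mapping2` image was meant to sit between them it is missing, otherwise renumber so the gap does not look like an omission. Both images carry alt text, which is good.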
60
windows/keep-secure/code/example-script.ps1
Normal file
@ -0,0 +1,60 @@
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'


Try
{
$tokenPayload = @{
"resource" = 'https://graph.windows.net'
"client_id" = $clientId
"client_secret" = $clientSecret
"grant_type"='client_credentials'}

"Fetching an access token"
$response = Invoke-RestMethod $authUrl -Method Post -Body $tokenPayload
$token = $response.access_token
"Token fetched successfully"

$headers = @{
"Content-Type" = "application/json"
"Accept" = "application/json"
"Authorization" = "Bearer {0}" -f $token }

$apiBaseUrl = "https://ti.securitycenter.windows.com/V1.0/"

$alertDefinitionPayload = @{
"Name" = "Test Alert"
"Severity" = "Medium"
"InternalDescription" = "A test alert used to demonstrate the Windows Defender ATP TI API feature"
"Title" = "Test alert."
"UxDescription" = "This is a test alert based on a sample custom alert definition. This alert was triggered manually using a provided test command. It indicates that the Threat Intelligence API has been properly enabled."
"RecommendedAction" = "No recommended action for this test alert."
"Category" = "SuspiciousNetworkTraffic"
"Enabled" = "true"}
"Creating an Alert Definition"
$alertDefinition =
Invoke-RestMethod ("{0}AlertDefinitions" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($alertDefinitionPayload | ConvertTo-Json)
"Alert Definition created successfully"
$alertDefinitionId = $alertDefinition.Id

$iocPayload = @{
"Type"="IpAddress"
"Value"="52.184.197.12"
"DetectionFunction"="Equals"
"Enabled"="true"
"AlertDefinition@odata.bind"="AlertDefinitions({0})" -f $alertDefinitionId }

"Creating an Indicator of Compromise"
$ioc =
Invoke-RestMethod ("{0}IndicatorsOfCompromise" -f $apiBaseUrl) `
-Method Post -Headers $headers -Body ($iocPayload | ConvertTo-Json)
"Indicator of Compromise created successfully"

"All done!"
}
Catch
{
'Something went wrong! Got the following exception message: {0}' -f $_.Exception.Message
}

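Review bot: `"Enabled" = "true"` in both the alert-definition and IoC payloads is a string, so `ConvertTo-Json` emits `"Enabled": "true"` rather than the JSON boolean `true`; use `$true`. Two further points: `$clientSecret` is a plain-text literal in a file readers will copy and commit, so a comment steering them to `Read-Host -AsSecureString` or a credential store instead of editing the literal would be worthwhile; and the `Catch` block prints only `$_.Exception.Message`, which for a failed `Invoke-RestMethod` hides the HTTP status and response body that explain why the TI API rejected the call. The sample indicator value `52.184.197.12` is a routable address; label it as a demo value so nobody leaves a stray indicator enabled in their tenant.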
@ -1,8 +1,6 @@
$tenantId = '{Your Tenant ID}'
$clientId = '{Your Client ID}'
$clientSecret = '{Your Client Secret}'

$authUrl = "https://login.windows.net/{0}/oauth2/token" -f $tenantId
$authUrl = 'Your Authorization URL'
$clientId = 'Your Client ID'
$clientSecret = 'Your Client Secret'

$tokenPayload = @{
"resource"='https://graph.windows.net'

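Review bot: replacing the tenant-derived `$authUrl` with the literal `'Your Authorization URL'` drops the only hint of the expected endpoint shape (`https://login.windows.net/{tenant}/oauth2/token`); keep that template in a comment or in the surrounding text, otherwise a reader who pastes an unrelated URL only gets a generic `Invoke-RestMethod` failure. The other two placeholders also lose the `{...}` braces the old lines used to mark them as values to replace.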
@ -2,11 +2,9 @@ import json
import requests
from pprint import pprint

tenant_id="{your tenant ID}"
client_id="{your client ID}"
client_secret="{your client secret}"

auth_url = "https://login.windows.net/{0}/oauth2/token".format(tenant_id)
auth_url="Your Authorization URL"
client_id="Your Client ID"
client_secret="Your Client Secret"

payload = {"resource": "https://graph.windows.net",
"client_id": client_id,

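Review bot: as with the PowerShell sample, `auth_url="Your Authorization URL"` loses the `https://login.windows.net/{0}/oauth2/token` template that told readers which endpoint is expected; keep it in a comment. The placeholder string will also fail with a schema error as soon as `requests` is asked to post to it, so a quick check that the three placeholders were replaced would give a clearer message than the library's own error.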
@ -68,8 +68,9 @@ The following steps assume that you have completed all the required steps in [Be

- WDATP-connector.properties: C:\\*folder_location*\current\user\agent\flexagent\

>[!NOTE]
>You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.
NOTE:
You must put the configuration files in this location, where *folder_location* represents the location where you installed the tool.

4. After the installation of the core connector completes, the Connector Setup window opens. In the Connector Setup window, select **Add a Connector**.

5. Select Type: **ArcSight FlexConnector REST** and click **Next**.

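Review bot: the `>[!NOTE]` callout is turned into a bare "NOTE:" line followed by the text on the next line; without a blank line between them Markdown joins the two into one paragraph ("NOTE: You must put ..."), which is probably intended, but the second callout later in this file is left as `> [!NOTE]`, so the page now mixes both styles.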
@ -174,10 +175,11 @@ Windows Defender ATP alerts will appear as discrete events, with "Microsoft” a

A browser window appears. Allow it to run, it should disappear, and the connector should now be running.

> [!NOTE]
> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.
> [!NOTE]
> Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear.

## Related topics
- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

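Review bot: the `> [!NOTE]` block here is unchanged between old and new (a whitespace-only edit), while the earlier note in this file was converted to "NOTE:"; convert this one the same way so the page uses one style. The shortened link text "Configure Splunk" matches the entry added to the api-portal-mapping Related topics list.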
@ -64,5 +64,5 @@ This section lists various issues that you may encounter when using email notifi

## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP](preview-settings-windows-defender-advanced-threat-protection.md)

@ -42,14 +42,16 @@ You'll need to configure Splunk so that it can pull Windows Defender ATP alerts.
2. Click **Search & Reporting**, then **Settings** > **Data inputs**.

3. Click **REST** under **Local inputs**.
> [!NOTE]
> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).

NOTE:
This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).

4. Click **New**.

5. Type the following values in the required fields, then click **Save**:
> [!NOTE]
>All other values in the form are optional and can be left blank.

NOTE:
All other values in the form are optional and can be left blank.

<table>
<tbody style="vertical-align:top;">

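Review bot: the new "NOTE:" lines and their text start at column 0 between steps 3 and 4 and again after step 5, which ends the numbered list in most Markdown renderers and makes step 4 start a fresh list; indent them under the step they belong to. The `>` blockquotes being replaced had the same problem, so this is the chance to fix both.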
@ -132,6 +134,7 @@ Use the solution explorer to view alerts in Splunk.


## Related topics
- [Configure security information and events management (SIEM) tools to pull alerts](configure-siem-windows-defender-advanced-threat-protection.md)
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

@ -55,14 +55,14 @@ This tile shows you a list of machines with the highest number of active alerts.

Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).

You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).

## Users at risk
The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).

![The Users at risk tile shows a list of user accounts with the corresponding number of alerts](images/atp-users-at-risk.png)

Click the user account to see details about the user account. For more information see [Investigate a user entity in Windows Defender Advanced Threat Protection]
Click the user account to see details about the user account. For more information see [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md).

## Machines with active malware detections
The **Machines with active malware detections** tile will only appear if your endpoints are using Windows Defender.
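Review bot: the rewritten sentence is now inconsistent with itself: it tells the reader to click **Machines list** at the top of the tile "to go directly to the **Machines view**", and the link text "Investigate machines in the ... Machines view" keeps the old name too; rename the second occurrence and the link text in the same pass. The Users at risk fix is correct: the old line was a bare `[Investigate a user entity ...]` with no link target, and the new line points at investigate-user-windows-defender-advanced-threat-protection.md. The "For more information see," comma on the surrounding context lines belongs before "see", not after it.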
@ -97,7 +97,7 @@ There are two status indicators that provide information on the number of machin
- **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month.
- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected.

When you click any of the groups, you’ll be directed to machines view, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).

## Service health
The **Service health** tile informs you if the service is active or if there are issues.

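Review bot: "directed to machines list" in the changed line is lowercase and unbolded, while every other renamed occurrence in this merge uses **Machines list**; use the same form so readers recognise it as the UI element. On the context lines, the Inactive bullet says "seven days" where the sensor health topic in this same merge says "7 days" for the same threshold; pick one.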
@ -27,13 +27,15 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee

1. In the navigation pane, select **Preference Setup** > **Threat intel API**.

![Image of threat intel API menu](images/atp-threat-intel-api.png)

2. Select **Enable threat intel API**. This activates the **Azure Active Directory application** setup sections with pre-populated values.

3. Copy the individual values or select **Save details to file** to download a file that contains all the values.

>[!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
>For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
WARNING:<br>
The client secret is only displayed once. Make sure you keep a copy of it in a safe place. <br>
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).

4. Select **Generate tokens** to get an access and refresh token.

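Review bot: the `>[!WARNING]` block about the client secret being displayed only once is the one thing on this page a reader must not miss, and converting it to plain `WARNING:<br>` text removes the highlighted rendering; if the alert syntax has to go, keep the warning as its own paragraph directly after step 3 and drop the trailing ` <br>` after "safe place.", which leaves a stray break before the link sentence. The same conversion is made in the SIEM integration topic in this merge, so whatever is decided should be applied to both.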
@ -29,16 +29,18 @@ Enable security information and event management (SIEM) integration so you can p

2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant.

>[!WARNING]
>The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
>For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).
WARNING:<br>
The client secret is only displayed once. Make sure you keep a copy of it in a safe place.<br>
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret).

3. Choose the SIEM type you use in your organization.
>[!NOTE]
>If you select HP ArcSight, you'll need to save these two configuration files:
> - WDATP-connector.jsonparser.properties
> - WDATP-connector.properties
> If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.

NOTE:<br>
If you select HP ArcSight, you'll need to save these two configuration files:<br>
- WDATP-connector.jsonparser.properties
- WDATP-connector.properties <br>

If you want to connect directly to the alerts REST API through programmatic access, choose **Generic API**.

4. Copy the individual values or select **Save details to file** to download a file that contains all the values.

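Review bot: the context line for step 2 still reads "an application is created under you Azure Active Directory (AAD) tenant" ("you" should be "your"); since this hunk already rewrites the block directly beneath that step, fix it here. In the replacement NOTE block, the `<br>` after "WDATP-connector.properties" followed by a blank line produces a double break before the Generic API sentence; one or the other is enough, and the ArcSight topic linked from Related topics should agree on the two file names as written here.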
@ -47,5 +49,7 @@ Enable security information and event management (SIEM) integration so you can p
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.

## Related topics
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
- [Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)

@ -25,7 +25,7 @@ localizationpriority: high

You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual endpoints.

For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
For example, if endpoints are not appearing in the **Machines list** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.

> [!NOTE]
> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.

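Review bot: the search-and-replace produced "**Machines list** list" in the changed line; the original was "**Machines view** list", so the new text should read "not appearing in the **Machines list**," with the trailing "list" removed.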
@ -0,0 +1,85 @@
---
title: Experiment with custom threat intelligence alerts
description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API.
keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: mjcaparas
localizationpriority: high
---

# Experiment with custom threat intelligence (TI) alerts

**Applies to:**

- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>

With the Windows Defender ATP threat intelligence API, you can create custom threat intelligence alerts that can help you keep track of possible attack activities in your organization.

For more information about threat intelligence concepts, see [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md).

This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.

You'll be guided through sample steps so you can experience how the threat intelligence API feature works. Sample steps include creating alerts definitions and indicators of compromise (IOCs), and examples of how triggered custom TI alerts look like.

## Step 1: Enable the threat intelligence API and obtain authentication details
To use the threat intelligence API feature, you'll need to enable the feature. For more information, see [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md).

This step is required to generate security credentials that you need to use while working with the API.

## Step 2: Create a sample alert definition and IOCs
This step will guide you in creating an alert definition and an IOC for a malicious IP.

1. Open a Windows PowerShell ISE.

2. Copy and paste the following PowerShell script. This script will upload a sample alert definition and IOC to Windows Defender ATP which you can use to generate an alert.

NOTE:<br>
Make sure you replace the `authUrl`, `clientId`, and `clientSecret` values with your details which you saved in when you enabled the threat intelligence application.

[!code[ExampleScript](./code/example-script.ps1#L1-L60)]

3. Run the script and verify that the operation succeeded in the results the window. Wait up to 20 minutes until the new or updated alert definition propagates to the detection engines.

![Image of the PowerShell script running](images/atp-running-script.png)

NOTE:<br>
If you get the exception “The remote server returned an error: (407) Proxy Authentication Required", you need to add the proxy configuration by adding the following code to the PowerShell script:

```syntax
$webclient=New-Object System.Net.WebClient
$creds=Get-Credential
$webclient.Proxy.Credentials=$creds
```

## Step 3: Simulate a custom TI alert
This step will guide you in simulating an event in connection to a malicious IP that will trigger the Windows Defender ATP custom TI alert.

1. Open a Windows PowerShell ISE in the machine you onboarded to Windows Defender ATP.

2. Type `Invoke-WebRequest 52.184.197.12` in the editor and click **Run**. This call will generate a network communication event to a Microsoft's dedicated demo server that will raise an alert based on the custom alert definition.

![Image of simulating a custom TI](images/atp-simulate-custom-ti.png)

## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.

1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser.

2. Log in with your Windows Defender ATP credentials.

3. The dashboard should display the custom TI alert for the victim machine resulting from the simulated attack.

![Image of sample custom TI alert](images/atp-sample-custom-ti-alert.png)

> [!NOTE]
> It can take up to 15 minutes for the alert to appear in the portal.
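Review bot: the portal link in Step 4, `[Windows Defender ATP portal](http: /securitycenter.windows.com/)`, has a space and a single slash after the scheme and will render as a broken link; it should be `https://securitycenter.windows.com/`. Two further points on the same file: the proxy workaround in Step 2 creates a fresh `$webclient` and sets `$webclient.Proxy.Credentials`, which only takes effect if example-script.ps1 actually sends its requests through that object (if the script uses Invoke-WebRequest or Invoke-RestMethod, the credentials would need to go on those calls or on `[System.Net.WebRequest]::DefaultWebProxy.Credentials` instead), so this should be confirmed against the included script; and the file mixes `NOTE:<br>` plain text in Steps 2 and 3 with `> [!NOTE]` in Step 4, so one style should be chosen. Minor wording: "which you saved in when you enabled" in the Step 2 note and "in the results the window" in step 3 both read as leftovers from editing.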
@ -36,7 +36,7 @@ If the machine has not been in use for more than 7 days for any reason, it will
A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.

**Machine was offboarded**</br>
If the machine was offboarded it will still appear in machines view. After 7 days, the machine health state should change to inactive.
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.

Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).

@ -23,14 +23,16 @@ localizationpriority: high
During the onboarding process, a wizard takes you through the general settings of Windows Defender ATP. After onboarding, you might want to update some settings which you'll be able to do through the **Preferences setup** menu.

1. In the navigation pane, select **Preferences setup** > **General**.

2. Modify settings such as data retention policy or the industry that best describes your organization.

>[!NOTE]
>Other settings are not editable.
> [!NOTE]
> Other settings are not editable.

3. Click **Save preferences**.


## Related topics
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Turn on the preview experience in Windows Defender ATP ](preview-settings-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)
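Review bot: correcting the link target from `advanced-features-windows-defender-advacned-threat-protection.md` to the properly spelled file name is right, and the Preferences setup table and the preview experience topic in this merge make the same correction; before merging, check that no other topic still references the misspelled path and that the misspelled file itself is either removed or redirected, otherwise the old links keep working and the new ones 404. Minor: the next list item has a trailing space inside its link text ("...Windows Defender ATP ]").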
BIN windows/keep-secure/images/atp-running-script.png (new file)
BIN windows/keep-secure/images/atp-sample-custom-ti-alert.png (new file)
BIN windows/keep-secure/images/atp-simulate-custom-ti.png (new file)
BIN windows/keep-secure/images/atp-threat-intel-api.png (new file)
@ -43,10 +43,10 @@ The following table lists the actual and effective default values for this polic
| - | - |
| Default Domain Policy| Not defined|
| Default Domain Controller Policy | Not defined|
| Stand-Alone Server Default Settings | 14 days|
| DC Effective Default Settings | 14 days |
| Member Server Effective Default Settings| 14 days |
| Client Computer Effective Default Settings | 14 days|
| Stand-Alone Server Default Settings | 5 days|
| DC Effective Default Settings | 5 days |
| Member Server Effective Default Settings| 5 days |
| Client Computer Effective Default Settings | 5 days|

## Policy management

@ -74,11 +74,11 @@ If user passwords are configured to expire periodically in your organization, us

### Countermeasure

Configure the **Interactive logon: Prompt user to change password before expiration** setting to 14 days.
Configure the **Interactive logon: Prompt user to change password before expiration** setting to 5 days.

### Potential impact

Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 14 or fewer days.
Users see a dialog-box prompt to change their password each time that they log on to the domain when their password is configured to expire in 5 or fewer days.

## Related topics


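Review bot: with the effective defaults in the table and the Countermeasure both moved from 14 to 5 days, the Countermeasure section now recommends exactly the default value, so it no longer tells an administrator anything beyond "leave it as is"; either say that explicitly or give a recommended value with the reasoning (a 5-day warning window gives users less notice than 14, which matters for people who log on infrequently and would otherwise be locked out by expiry). Also confirm the table hunk and this Countermeasure/Potential impact hunk describe the same OS version, since the "Default Domain Policy" and "Default Domain Controller Policy" rows keep "Not defined" while all four effective-default rows change.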
@ -1,6 +1,6 @@
---
title: View and organize the Windows Defender ATP machines view
description: Learn about the available features that you can use from the Machines view such as sorting, filtering, and exporting the machine list which can enhance investigations.
title: View and organize the Windows Defender ATP machines list
description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the machine list which can enhance investigations.
keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -11,7 +11,7 @@ author: mjcaparas
localizationpriority: high
---

# View and organize the Windows Defender ATP Machines view
# View and organize the Windows Defender ATP Machines list

**Applies to:**

@ -21,23 +21,23 @@ localizationpriority: high
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)

The **Machines view** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.
The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network.

Use the Machines view in these main scenarios:

- **During onboarding**</br>
During the onboarding process, the **Machines view** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis.
- **Day-to-day work**
The **Machines view** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.
The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them.

## Sort, filter, and download the list of machines from the Machines view
You can sort the **Machines view** by clicking on any column header to sort the view in ascending or descending order.
You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order.

Filter the **Machines view** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria.
Filter the **Machines list** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria.

You can also download the entire list in CSV format using the **Export to CSV** feature.

![Image of machines list with list of machines](images/atp-machines-view-list.png)
![Image of machines list with list of machines](images/atp-machines-list.png)

You can use the following filters to limit the list of machines displayed during an investigation:

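Review bot: the rename is incomplete inside this hunk: the context line "Use the Machines view in these main scenarios:" and the heading "## Sort, filter, and download the list of machines from the Machines view" still say "Machines view" while every sentence beneath them now says **Machines list**. Renaming the heading also changes its generated anchor, so check for links to the old anchor elsewhere in the set before doing so. The image path change from atp-machines-view-list.png to atp-machines-list.png needs the renamed image to be part of this merge; only four new images are listed, none with that name.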
@ -71,7 +71,7 @@ You can download a full list of all the machines in your organization, in CSV f
Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself.

## Sort the Machines view
You can sort the **Machines view** by the following columns:
You can sort the **Machines list** by the following columns:

- **Machine name** - Name or GUID of the machine
- **Last seen** - Date and time when the machine last reported sensor data

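Review bot: the heading "## Sort the Machines view" is left untouched while the sentence directly under it is changed to **Machines list**; rename the heading too, with the same anchor check as for the other headings in this file.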
@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines view, preferences setup, endpoint management, advanced attacks
keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, preferences setup, endpoint management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy

@ -36,7 +36,7 @@ These code examples demonstrate the following tasks:
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.

Replace the *tenantid*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:
Replace the *authUrl*, *clientid*, and *clientSecret* values with the ones you got from **Preferences settings** page in the portal:

[!code[CustomTIAPI](./code/example.ps1#L1-L14)]


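Review bot: the changed line names the variables *authUrl*, *clientid*, and *clientSecret*, but the custom TI experiment topic added in this merge calls them `authUrl`, `clientId`, and `clientSecret`; the casing of *clientid* should match whatever example.ps1 (included just below at lines 1-14) actually declares, since readers will search the script for that exact name. The same check applies to the Python variant, which switches to *auth_url*, *client_id*, *client_secret* against example.py.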
@ -27,6 +27,6 @@ Use the **Preferences setup** menu to modify general settings, advanced features
Topic | Description
:---|:---
[Update general settings](general-settings-windows-defender-advanced-threat-protection.md) | Modify your general settings that were previously defined as part of the onboarding process.
[Enable advanced features](advanced-features-windows-defender-advacned-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
[Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products.
[Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features.
[Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications.

@ -27,5 +27,5 @@ Turn on the preview experience setting to be among the first to try upcoming fea

## Related topics
- [Update general settings in Windows Defender ATP](general-settings-windows-defender-advanced-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advacned-threat-protection.md)
- [Turn on advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
- [Configure email notifications in Windows Defender ATP](configure-email-notifications-windows-defender-advanced-threat-protection.md)

@ -187,3 +187,9 @@ HTTP error code | Description
401 | Malformed request or invalid token.
403 | Unauthorized exception - any of the domains is not managed by the tenant administrator or tenant state is deleted.
500 | Error in the service.

## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)
- [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)

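Review bot: the error-code rows above the added Related topics describe 401 as "Malformed request or invalid token" (a malformed request is normally reported as 400) and 403 as "Unauthorized exception", which is the usual wording for 401; if these really are the codes the alerts API returns, keep the codes but reword the descriptions to what they mean here (401: token missing, expired or invalid; 403: the caller's tenant is not allowed for the requested domains or the tenant is deleted), so someone troubleshooting a SIEM connector knows whether to refresh the token or to check tenant permissions.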
@ -37,7 +37,7 @@ These code examples demonstrate the following tasks:
## Step 1: Obtain an Azure AD access token
The following example demonstrates how to obtain an Azure AD access token that you can use to call methods in the custom threat intelligence API. After you obtain a token, you have 60 minutes to use this token in calls to the custom threat intelligence API before the token expires. After the token expires, you can generate a new token.

Replace the *tenant\_id*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:
Replace the *auth_url*, *client_id*, and *client_secret* values with the ones you got from **Preferences settings** page in the portal:

[!code[CustomTIAPI](./code/example.py#L1-L17)]


@ -130,7 +130,7 @@ For prevalent files in the organization, a warning is shown before an action is
1. Select the file you want to remove from the blocked list. You can select a file from any of the following views or use the Search box:

– **Alerts** - Click the file links from the Description or Details in the Alert timeline
– **Machines view** - Click the file links in the Description or Details columns in the Observed on machine section
– **Machines list** - Click the file links in the Description or Details columns in the Observed on machine section
– **Search box** - Select File from the drop–down menu and enter the file name

2. Open the **Actions** menu and select **Remove file from blocked list**.

@ -175,7 +175,7 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure

1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
– Alerts - click the file links from the **Description** or **Details** in the Alert timeline
– **Machines View** - click the file links from the **Description** or **Details** in the **Machine in organization** section
– **Machines list** - click the file links from the **Description** or **Details** in the **Machine in organization** section
– Search box - select **File** from the drop–down menu and enter the file name
2. In the **Deep analysis** section of the file view, click **Submit**.


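Review bot: the two lists in this file are now formatted differently: the blocked-list hunk bolds **Alerts**, **Machines list** and **Search box**, while this deep-analysis list bolds only **Machines list** and leaves "Alerts" and "Search box" plain; bring the two into line. The hunk header's context line also carries a stray word, "runs the file in is a secure", which should be "runs the file in a secure".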
@ -40,7 +40,7 @@ This machine isolation feature disconnects the compromised machine from the netw

- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines view** - Select the machine name from the list of machines.
- **Machines list** - Select the machine name from the list of machines.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.

2. Open the **Actions** menu and select **Isolate machine**.

@ -102,7 +102,7 @@ CollectionSummaryReport.xls | This file is a summary of the investigation packag

- **Dashboard** - Select the machine name from the Top machines with active alerts section.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines view** - Select the heading of the machine name from the machines view.
- **Machines list** - Select the heading of the machine name from the machines list.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.

2. Open the **Actions** menu and select **Collect investigation package**.


@ -45,7 +45,7 @@ Deployment with the above-mentioned versions of System Center Configuration Mana

If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).

If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.

## Troubleshoot onboarding when deploying with a script on the endpoint

@ -119,7 +119,7 @@ ID | Severity | Event description | Troubleshooting steps
|
||||
1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
|
||||
|
||||
## Troubleshoot onboarding issues on the endpoint
|
||||
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
|
||||
If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
|
||||
- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
|
||||
- [Ensure the telemetry and diagnostics service is enabled](#ensure-the-telemetry-and-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
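Review bot: the rewritten sentence keeps the subject-verb mismatch "If the deployment tools used does not indicate an error"; since the line is being rewritten anyway, make it "If the deployment tool used does not indicate an error" (or "tools ... do not"), and change "not appearing in the machines list in an hour" to "within an hour" so it matches the "after an hour" wording used in the onboarding section above.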
@ -45,7 +45,7 @@ Topic | Description
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.
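Review bot: the "Machines view" to "Machines list" rename is applied to the Investigate machines row but not to the unchanged row two lines above it, which still reads "View and organize the Machines view" (the machines-view-overview file name can stay, only the link text needs to follow the rename); while touching that row, "You can sort, filter, and exporting the machine list" should read "sort, filter, and export".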
@ -18,12 +18,12 @@ localizationpriority: high
- Windows 10
- Windows 10 Mobile
With the new Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
With Windows Store for Business, organizations can make volume purchases of Windows apps. The Store for Business provides app purchases based on organizational identity, flexible distribution options, and the ability to reclaim or re-use licenses. Organizations can also use the Store for Business to create a private store for their employees that includes apps from the Store, as well private Line-of-Business (LOB) apps.
## Features
Organizations of any size can benefit from using the Store for Business provides:
Organizations of any size can benefit from using the Store for Business:
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
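Review bot: the rewritten opening paragraph still ends "as well private Line-of-Business (LOB) apps", missing "as"; since the line is already being changed to drop "the new", fix it to "as well as private Line-of-Business (LOB) apps" in the same hunk.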
@ -47,7 +47,6 @@ Organizations of any size can benefit from using the Store for Business provides
## Prerequisites
You'll need this software to work with the Store for Business.
### Required
@ -78,7 +77,6 @@ While not required, you can use a management tool to distribute and manage apps.
## How does the Store for Business work?
### Sign up!
The first step for getting your organization started with the Store for Business is signing up. To sign up for the Business store, you need an Azure AD account and you must be a Global Administrator for your organization.
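Review bot: the context line "To sign up for the Business store" is the only place on the page that does not call the product "Store for Business"; since this hunk is already open in the sign-up section, align the name there too.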