mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 08:17:23 +00:00

Merge pull request #2854 from MicrosoftDocs/MDBranchMachineToDeviceChild
Third set of doc updates - machine ----> device
commit a54e01386d
@ -94,7 +94,7 @@ Endpoint detection and response capabilities are put in place to detect, investi
- [Alerts](microsoft-defender-atp/alerts-queue.md)
- [Historical endpoint data](microsoft-defender-atp/investigate-machines.md#timeline)
- [Response orchestration](microsoft-defender-atp/response-actions.md)
- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-machines)
- [Forensic collection](microsoft-defender-atp/respond-machine-alerts.md#collect-investigation-package-from-devices)
- [Threat intelligence](microsoft-defender-atp/threat-indicator-concepts.md)
- [Advanced detonation and analysis service](microsoft-defender-atp/respond-file-alerts.md#deep-analysis)
- [Advanced hunting](microsoft-defender-atp/advanced-hunting-overview.md)
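Review bot: The renamed fragment `#collect-investigation-package-from-devices` in the Forensic collection link only resolves if the corresponding heading in respond-machine-alerts.md was renamed in this same change; a stale fragment fails silently and just opens the top of the target page. Please confirm that heading, and the `#timeline` fragment in the Historical endpoint data link, against the current headings of those two files. Leaving the file names investigate-machines.md and respond-machine-alerts.md unchanged is the right call, since renaming files breaks inbound links and existing bookmarks.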
@ -29,7 +29,7 @@ ms.topic: article
>[!Note]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
>-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
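Review bot: The renamed bullet reads "composed from the suspicious event occurred on the Device and its related Alert details", which is ungrammatical and capitalizes "Device" where every other line in this change uses lowercase "device"; suggest "composed from the suspicious event that occurred on the device and its related alert details". In the same note block, the last bullet starts with `>-The` (no space after the hyphen), so it will not render as a list item like the bullets above it; make it `>- The`.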
@ -64,7 +64,7 @@ DeviceEvents
You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
@ -28,7 +28,7 @@ Creates new [Alert](alerts.md) on top of **Event**.
<br>**Microsoft Defender ATP Event** is required for the alert creation.
<br>You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
<br>You can use an event found in Advanced Hunting API or Portal.
<br>If there existing an open alert on the same Machine with the same Title, the new created alert will be merged with it.
<br>If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it.
<br>An automatic investigation starts automatically on alerts created via the API.
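Review bot: The parameter list above the renamed line still names the third request parameter **Machine ID** while the merge rule now says "Device"; since the request body property is `machineId` (unchanged in the property table later in this pull request), either leave "Machine ID" as is or write "device ID (`machineId`)" so readers are not tempted to send `deviceId`. Two grammar fixes in the same block: "If there existing an open alert on the same Device" should be "If there is an existing open alert on the same device", and "the new created alert" should be "the newly created alert". "An automatic investigation starts automatically" can drop one of the two "automatic" words.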
@ -48,7 +48,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
@ -71,7 +71,7 @@ Property | Type | Description
:---|:---|:---
eventTime | DateTime(UTC) | The precise time of the event as string, as obtained from advanced hunting. e.g. ```2018-08-03T16:45:21.7115183Z``` **Required**.
reportId | String | The reportId of the event, as obtained from advanced hunting. **Required**.
machineId | String | Id of the machine on which the event was identified. **Required**.
machineId | String | Id of the device on which the event was identified. **Required**.
severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**.
title | String | Title for the alert. **Required**.
description | String | Description of the alert. **Required**.
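Review bot: The `machineId` row changes its description to "Id of the device" while the property name stays `machineId`; that is correct, because the property is part of the request body format and cannot be renamed without breaking existing API clients, but say so in the description (for example "Id of the device on which the event was identified; the property name `machineId` is unchanged") so nobody reads the rename as applying to the JSON. Separately, the `eventTime` example wraps the timestamp in triple backticks inside a table cell; a single-backtick code span (`2018-08-03T16:45:21.7115183Z`) is the usual table convention and avoids renderers treating the triple backticks as a fenced block.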
@ -23,7 +23,7 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured machines. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Custom detection rules built from [Advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
> [!NOTE]
> To create and manage custom detections, [your role](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) needs to have the **manage security settings** permission.
@ -36,9 +36,9 @@ In Microsoft Defender Security Center, go to **Advanced hunting** and select an
#### Required columns in the query results
To use a query for a custom detection rule, the query must return the `Timestamp`, `DeviceId`, and `ReportId` columns in the results. Simple queries, such as those that don't use the `project` or `summarize` operator to customize or aggregate results, typically return these common columns.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each machine.
There are various ways to ensure more complex queries return these columns. For example, if you prefer to aggregate and count by `DeviceId`, you can still return `Timestamp` and `ReportId` by getting them from the most recent event involving each device.
The sample query below counts the number of unique machines (`DeviceId`) with antivirus detections and uses this count to find only the machines with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
The sample query below counts the number of unique devices (`DeviceId`) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest `Timestamp` and the corresponding `ReportId`, it uses the `summarize` operator with the `arg_max` function.
```kusto
DeviceEvents
@ -72,19 +72,19 @@ When saved, a new or edited custom detection rule immediately runs and checks fo
Select the frequency that matches how closely you want to monitor detections, and consider your organization's capacity to respond to the alerts.
### 3. Specify actions on files or machines.
Your custom detection rule can automatically take actions on files or machines that are returned by the query.
### 3. Specify actions on files or devices.
Your custom detection rule can automatically take actions on files or devices that are returned by the query.
#### Actions on machines
These actions are applied to machines in the `DeviceId` column of the query results:
- **Isolate machine** — applies full network isolation, preventing the machine from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about machine isolation](respond-machine-alerts.md#isolate-machines-from-the-network)
- **Collect investigation package** — collects machine information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-machines)
- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the machine
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the machine
#### Actions on devices
These actions are applied to devices in the `DeviceId` column of the query results:
- **Isolate device** — applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network)
- **Collect investigation package** — collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices)
- **Run antivirus scan** — performs a full Windows Defender Antivirus scan on the device
- **Initiate investigation** — initiates an [automated investigation](automated-investigations.md) on the device
#### Actions on files
These actions are applied to files in the `SHA1` or the `InitiatingProcessSHA1` column of the query results:
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected machine groups. This scope is independent of the scope of the rule.
- **Allow/Block** — automatically adds the file to your [custom indicator list](manage-indicators.md) so that it is always allowed to run or blocked from running. You can set the scope of this action so that it is taken only on selected device groups. This scope is independent of the scope of the rule.
- **Quarantine file** — deletes the file from its current location and places a copy in quarantine
### 4. Click **Create** to save and turn on the rule.
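Review bot: The two device-action links now point at `#isolate-devices-from-the-network` and `#collect-investigation-package-from-devices` in respond-machine-alerts.md; those fragments must match the renamed headings in that file character for character (lowercase, hyphenated), otherwise the links open the top of the page with no error. Please verify both against the target file in this pull request. The action descriptions themselves read correctly after the rename, and the sentence that the Allow/Block scope is "independent of the scope of the rule" is worth keeping exactly as written, since a rule scoped to one device group can otherwise block a file tenant-wide.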
@ -113,7 +113,7 @@ An allowed application or service only has write access to a controlled folder a
### Use Group Policy to allow specific apps
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -25,7 +25,7 @@ manager: dansimp
Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps.
You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
You configure these settings using the Windows Security app on an individual device, and then export the configuration as an XML file that you can deploy to other devices. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell.
This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works.
@ -136,7 +136,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi
You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or continue on to configure app-specific mitigations.
Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines.
Exporting the configuration as an XML file allows you to copy the configuration from one device onto other devices.
## PowerShell reference
@ -145,7 +145,7 @@ Exporting the configuration as an XML file allows you to copy the configuration
The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply.
>[!IMPORTANT]
>Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
>Any changes that are deployed to a device through Group Policy will override the local configuration. When setting up an initial configuration, use a device that will not have a Group Policy configuration applied to ensure your changes aren't overridden.
You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app:
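Review bot: The unchanged line after the IMPORTANT box says to use "the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`" and to "add the `-Name` cmdlet and app exe"; `-Name` is a parameter, not a cmdlet, and the cmdlets are `Get-ProcessMitigation` and `Set-ProcessMitigation`. Suggest: "Use the `Get-ProcessMitigation` and `Set-ProcessMitigation` cmdlets. `Get-ProcessMitigation` lists the current configuration status of any mitigations enabled on the device; add the `-Name` parameter with the app's exe name to see mitigations for just that app". The renamed IMPORTANT text is fine and its advice stands: build the initial configuration on a device with no Group Policy applied, or the exported XML will reflect the policy rather than your changes.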
@ -30,16 +30,16 @@ This section covers some of the most frequently asked questions regarding privac
## What data does Microsoft Defender ATP collect?
Microsoft Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes.
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version).
Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version).
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578).
This data enables Microsoft Defender ATP to:
- Proactively identify indicators of attack (IOAs) in your organization
- Generate alerts if a possible attack was detected
- Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
- Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.
Microsoft does not use your data for advertising.
@ -35,12 +35,12 @@ The Microsoft Defender Advanced Threat Protection agent depends on Windows Defen
>[!IMPORTANT]
>Microsoft Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings.
You must configure Security intelligence updates on the Microsoft Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
If an onboarded machine is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
If an onboarded device is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
Windows Defender Antivirus will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
The Windows Defender Antivirus interface will be disabled, and users on the machine will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
The Windows Defender Antivirus interface will be disabled, and users on the device will not be able to use Windows Defender Antivirus to perform on-demand scans or configure most options.
For more information, see the [Windows Defender Antivirus and Microsoft Defender ATP compatibility topic](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
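Review bot: Two defects sit in the unchanged line between the renamed sentences: "listed as a running a service" should be "listed as a running service", and the process name *mspeng.exe* does not look right; the antimalware engine process is normally listed as MsMpEng.exe, so please verify the name on a device in passive mode before this ships. The renamed sentences themselves are fine, and the IMPORTANT callout above them (Microsoft Defender ATP does not adhere to the Windows Defender Antivirus exclusions) is the part administrators most often miss, so keep it where it is.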
@ -33,7 +33,7 @@ There are three phases in deploying Microsoft Defender ATP:
The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard machines to Microsoft Defender ATP](onboard-configure.md).
There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
## In Scope
@ -73,15 +73,15 @@ The following image shows an instance of unwanted software that was detected and
### Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
### Why do I need to keep Windows Defender Antivirus up to date?
Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date.
Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date.
### Why do we need cloud protection on?
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models.
Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models.
## Related articles
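Review bot: The machine-to-device find-and-replace turned "machine learning models" into "device learning models" in both the "Why do I need to keep Windows Defender Antivirus up to date?" answer and the "Why do we need cloud protection on?" answer; "machine learning" is a term of art and must stay as it was. Please revert those two occurrences and grep the rest of this pull request for "device learning", since a blanket replace will have hit other files too. The remaining rename in this hunk, "users' devices", is fine.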
@ -34,7 +34,7 @@ You can enable controlled folder access by using any of these methods:
* [Group Policy](#group-policy)
* [PowerShell](#powershell)
[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the machine.
[Audit mode](evaluate-controlled-folder-access.md) allows you to test how the feature would work (and review events) without impacting the normal use of the device.
Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include:
@ -91,7 +91,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
## Group Policy
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
@ -41,9 +41,9 @@ You can enable each mitigation separately by using any of these methods:
Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options.
You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other machines.
You can [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) and deploy them to other devices.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the machine.
You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Audit mode allows you to test how the mitigations would work (and review events) without impacting the normal use of the device.
## Windows Security app
@ -132,7 +132,7 @@ Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](htt
## Group Policy
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**.
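Review bot: The Group Policy steps in this hunk are numbered "1." (the renamed step), "1." ("In the **Group Policy Management Editor**..."), then "2." ("Expand the tree..."); most renderers number them sequentially anyway, but the two sibling procedures touched by this pull request use "1.", "2." in source, so renumber the second step here to "2." and the third to "3." for consistency.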
@ -29,7 +29,7 @@ Enable security information and event management (SIEM) integration so you can p
>[!NOTE]
>- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Machine and its related Alert details.
>- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details.
>- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
## Prerequisites
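Review bot: "The Microsoft Defender ATP Alert API ... contain a detailed list" in the last bullet should be "contains a detailed list". This note block is the same text as the one in the SIEM pull-detections page changed earlier in this pull request, but the two copies have already drifted (this one uses `>[!NOTE]` and `>- The`, the other `>[!Note]` and `>-The`); fix the grammar in both and align the syntax, or move the text into a shared include so it cannot drift again.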
@ -1,5 +1,5 @@
---
title: Enable Microsoft Defender ATP Insider Machine
title: Enable Microsoft Defender ATP Insider Device
description: Install and use Microsoft Defender ATP for Mac.
keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra
search.product: eADQiWindows 10XVcnh
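Review bot: The `title:` change to "Enable Microsoft Defender ATP Insider Device" leaves the `description:` ("Install and use Microsoft Defender ATP for Mac.") describing a different page; it should state what this page covers, for example "Enable the Insider program for Microsoft Defender ATP for Mac to get preview features such as endpoint detection and response." The `keywords:` list likewise lacks "insider" and "preview". The H1 must match the new title (it is updated in the next hunk); the file name and any TOC entry that still carry the old wording can stay as they are, since changing them breaks inbound links.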
@ -17,9 +17,9 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Enable Microsoft Defender ATP Insider Machine
# Enable Microsoft Defender ATP Insider Device
Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac machine to be an "Insider" machine as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune).
>[!IMPORTANT]
>Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions.
@ -125,7 +125,7 @@ h. Select **Manage > Assignments**. In the **Include** tab, select *
>[!WARNING]
>You must enter the correct custom configuration profile name, otherwise these preferences will not be recognized by the product.
## Enable the Insider program manually on a single machine
## Enable the Insider program manually on a single device
In terminal, run:
@ -145,16 +145,16 @@ For versions earlier than 100.78.0, run:
To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate).
To verify you are running the correct version, run ‘mdatp --health’ on the machine.
To verify you are running the correct version, run ‘mdatp --health’ on the device.
* The required version is 100.72.15 or later.
* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal.
* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1).
* If you are not using Office for Mac, download and run the AutoUpdate tool.
### A machine still does not appear on Microsoft Defender Security Center
### A device still does not appear on Microsoft Defender Security Center
After a successful deployment and onboarding of the correct version, check that the machine has connectivity to the cloud service by running ‘mdatp --connectivity-test’.
After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’.
* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”.
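Review bot: The commands in this section are wrapped in typographic quotes (‘mdatp --health’, ‘mdatp --connectivity-test’, ‘defaults read com.microsoft.autoupdate2’), and the final bullet has "mdatp –health" with an en dash instead of two hyphens; anyone who copies that line gets a failed command. Put each command in a backtick code span with a real double hyphen, for example `mdatp --health`, while these lines are being touched for the rename. The product name is also written both as "Microsoft AutoUpdate" and "Microsoft Auto Update" within a few lines; pick one.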
@ -47,7 +47,7 @@ Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode
```
> [!TIP]
> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
> If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction.md).
@ -45,7 +45,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode
|
||||
```
|
||||
|
||||
> [!TIP]
|
||||
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
|
||||
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s).
|
||||
You can also use Group Policy, Intune, MDM, or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md).
|
||||
|
||||
## Review controlled folder access events in Windows Event Viewer
|
||||
|
@ -21,9 +21,9 @@ ms.topic: article
|
||||
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
|
||||
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
|
||||
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
|
||||
|
||||
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
|
||||
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
|
||||
|
||||
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
|
||||
|
||||
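Review bot: The applies-to link text at the top of this hunk, "Microsoft Defender Advanced Threat Protection (Windows Defender ATP)", mixes the current and the former product name; if the intent of this PR is terminology cleanup, it is worth settling on one form here as well.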
@ -31,7 +31,7 @@ With the simplified set-up experience, you can focus on running your own test sc
|
||||
|
||||
You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
|
||||
|
||||
You can add Windows 10 or Windows Server 2019 machines that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed.
|
||||
You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed.
|
||||
|
||||
You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal.
|
||||
|
||||
@ -43,7 +43,7 @@ You'll need to fulfill the [licensing requirements](minimum-requirements.md#lice
|
||||
|
||||
You must have **Manage security settings** permissions to:
|
||||
- Create the lab
|
||||
- Create machines
|
||||
- Create devices
|
||||
- Reset password
|
||||
- Create simulations
|
||||
|
||||
@ -58,12 +58,12 @@ You can access the lab from the menu. In the navigation menu, select **Evaluatio
|
||||

|
||||
|
||||
>[!NOTE]
|
||||
>- Each environment is provisioned with a limited set of test machines.
|
||||
>- Depending the type of environment structure you select, machines will be available for the specified number of hours from the day of activation.
|
||||
>- When you've used up the provisioned machines, no new machines are provided. A deleted machine does not refresh the available test machine count.
|
||||
>- Given the limited resources, it’s advisable to use the machines carefully.
|
||||
>- Each environment is provisioned with a limited set of test devices.
|
||||
>- Depending the type of environment structure you select, devices will be available for the specified number of hours from the day of activation.
|
||||
>- When you've used up the provisioned devices, no new devices are provided. A deleted device does not refresh the available test device count.
|
||||
>- Given the limited resources, it’s advisable to use the devices carefully.
|
||||
|
||||
Already have a lab? Make sure to enable the new threat simulators and have active machines.
|
||||
Already have a lab? Make sure to enable the new threat simulators and have active devices.
|
||||
|
||||
## Setup the evaluation lab
|
||||
|
||||
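Review bot: "Depending the type of environment structure you select" in the rewritten note line is missing a preposition; since the line is already being changed, make it "Depending on the type of environment structure you select". The heading "Setup the evaluation lab" just below uses the noun where a verb is needed ("Set up the evaluation lab").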
@ -71,7 +71,7 @@ Already have a lab? Make sure to enable the new threat simulators and have activ
|
||||
|
||||

|
||||
|
||||
2. Depending on your evaluation needs, you can choose to setup an environment with fewer machines for a longer period or more machines for a shorter period. Select your preferred lab configuration then select **Next**.
|
||||
2. Depending on your evaluation needs, you can choose to setup an environment with fewer devices for a longer period or more devices for a shorter period. Select your preferred lab configuration then select **Next**.
|
||||
|
||||

|
||||
|
||||
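Review bot: "choose to setup an environment" in the rewritten step 2 should read "set up" (verb); the line is being edited anyway, so correct it here.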
@ -83,28 +83,28 @@ Already have a lab? Make sure to enable the new threat simulators and have activ
|
||||
>[!IMPORTANT]
|
||||
>You'll first need to accept and provide consent to the terms and information sharing statements.
|
||||
|
||||
4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the machines you add.
|
||||
4. Select the threat simulation agent you'd like to use and enter your details. You can also choose to install threat simulators at a later time. If you choose to install threat simulation agents during the lab setup, you'll enjoy the benefit of having them conveniently installed on the devices you add.
|
||||
|
||||

|
||||
|
||||
5. Review the summary and select **Setup lab**.
|
||||
|
||||
After the lab setup process is complete, you can add machines and run simulations.
|
||||
After the lab setup process is complete, you can add devices and run simulations.
|
||||
|
||||
|
||||
## Add machines
|
||||
When you add a machine to your environment, Microsoft Defender ATP sets up a well-configured machine with connection details. You can add Windows 10 or Windows Server 2019 machines.
|
||||
## Add devices
|
||||
When you add a device to your environment, Microsoft Defender ATP sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices.
|
||||
|
||||
The machine will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
|
||||
The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals.
|
||||
|
||||
>[!TIP]
|
||||
> Need more machines in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team.
|
||||
> Need more devices in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team.
|
||||
|
||||
If you chose to add a threat simulator during the lab setup, all machines will have the threat simulator agent installed in the machines that you add.
|
||||
If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add.
|
||||
|
||||
The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
|
||||
The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side.
|
||||
|
||||
The following security components are pre-configured in the test machines:
|
||||
The following security components are pre-configured in the test devices:
|
||||
|
||||
- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
|
||||
- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)
|
||||
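Review bot: "SysIntenals" in the rewritten "The device will be configured..." line is a misspelling of "Sysinternals" carried over from the old line; fix it while the line is touched. The sentence "all devices will have the threat simulator agent installed in the devices that you add" is also circular after the rename and reads better as "the threat simulator agent is installed on every device that you add".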
@ -116,35 +116,35 @@ The machine will automatically be onboarded to your tenant with the recommended
|
||||
- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview)
|
||||
|
||||
>[!NOTE]
|
||||
> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
|
||||
> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus).
|
||||
|
||||
Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md).
|
||||
|
||||
>[!NOTE]
|
||||
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
|
||||
>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
|
||||
|
||||
1. From the dashboard, select **Add machine**.
|
||||
1. From the dashboard, select **Add device**.
|
||||
|
||||
2. Choose the type of machine to add. You can choose to add Windows 10 or Windows Server 2019.
|
||||
2. Choose the type of device to add. You can choose to add Windows 10 or Windows Server 2019.
|
||||
|
||||

|
||||

|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>If something goes wrong with the machine creation process, you'll be notified and you'll need to submit a new request. If the machine creation fails, it will not be counted against the overall allowed quota.
|
||||
>If something goes wrong with the device creation process, you'll be notified and you'll need to submit a new request. If the device creation fails, it will not be counted against the overall allowed quota.
|
||||
|
||||
3. The connection details are displayed. Select **Copy** to save the password for the machine.
|
||||
3. The connection details are displayed. Select **Copy** to save the password for the device.
|
||||
|
||||
>[!NOTE]
|
||||
>The password is only displayed once. Be sure to save it for later use.
|
||||
|
||||

|
||||

|
||||
|
||||
4. Machine set up begins. This can take up to approximately 30 minutes.
|
||||
4. Device set up begins. This can take up to approximately 30 minutes.
|
||||
|
||||
5. See the status of test machines, the risk and exposure levels, and the status of simulator installations by selecting the **Machines** tab.
|
||||
5. See the status of test devices, the risk and exposure levels, and the status of simulator installations by selecting the **Devices** tab.
|
||||
|
||||

|
||||

|
||||
|
||||
|
||||
>[!TIP]
|
||||
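Review bot: Two bolded strings in this hunk are portal UI labels rather than prose, **Add device** in step 1 and the **Devices** tab in step 5; confirm the portal has actually renamed the button and the tab before changing them in the doc, because a reader told to "select **Add device**" on a portal that still shows "Add machine" gets stuck. Also, "Device set up begins" in step 4 should be "Device setup begins" (noun).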
@ -153,7 +153,7 @@ Automated investigation settings will be dependent on tenant settings. It will b
|
||||
|
||||
|
||||
## Simulate attack scenarios
|
||||
Use the test machines to run your own attack simulations by connecting to them.
|
||||
Use the test devices to run your own attack simulations by connecting to them.
|
||||
|
||||
You can simulate attack scenarios using:
|
||||
- The ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials)
|
||||
@ -166,11 +166,11 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>The connection to the test machines is done using RDP. Make sure that your firewall settings allow RDP connections.
|
||||
>The connection to the test devices is done using RDP. Make sure that your firewall settings allow RDP connections.
|
||||
|
||||
1. Connect to your machine and run an attack simulation by selecting **Connect**.
|
||||
1. Connect to your device and run an attack simulation by selecting **Connect**.
|
||||
|
||||

|
||||

|
||||
|
||||
2. Save the RDP file and launch it by selecting **Connect**.
|
||||
|
||||
@ -179,24 +179,24 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself"
|
||||
>[!NOTE]
|
||||
>If you don't have a copy of the password saved during the initial setup, you can reset the password by selecting **Reset password** from the menu:
|
||||
> <br>
|
||||
> The machine will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes.
|
||||
> The device will change it’s state to “Executing password reset", then you’ll be presented with your new password in a few minutes.
|
||||
|
||||
3. Enter the password that was displayed during the machine creation step.
|
||||
3. Enter the password that was displayed during the device creation step.
|
||||
|
||||

|
||||
|
||||
4. Run Do-it-yourself attack simulations on the machine.
|
||||
4. Run Do-it-yourself attack simulations on the device.
|
||||
|
||||
|
||||
### Threat simulator scenarios
|
||||
If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab machines.
|
||||
If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices.
|
||||
|
||||
|
||||
Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment.
|
||||
|
||||
>[!NOTE]
|
||||
>Before you can run simulations, ensure the following requirements are met:
|
||||
>- Machines must be added to the evaluation lab
|
||||
>- Devices must be added to the evaluation lab
|
||||
>- Threat simulators must be installed in the evaluation lab
|
||||
|
||||
1. From the portal select **Create simulation**.
|
||||
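Review bot: "The device will change it's state" in the rewritten NOTE line has a stray apostrophe ("its state"); fix it while the line is being edited. The same line opens the quoted status with a curly quote and closes it with a straight one ("Executing password reset"), which is worth normalizing.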
@ -249,7 +249,7 @@ Each simulation comes with an in-depth description of the attack scenario and re
|
||||
|
||||
|
||||
## Evaluation report
|
||||
The lab reports summarize the results of the simulations conducted on the machines.
|
||||
The lab reports summarize the results of the simulations conducted on the devices.
|
||||
|
||||

|
||||
|
||||
|
@ -29,12 +29,12 @@ ms.date: 05/21/2018
|
||||
|
||||
|
||||
|
||||
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual machines.
|
||||
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices.
|
||||
|
||||
For example, if machines are not appearing in the **Machines list**, you might need to look for event IDs on the machines. You can then use this table to determine further troubleshooting steps.
|
||||
For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps.
|
||||
|
||||
> [!NOTE]
|
||||
> It can take several days for machines to begin reporting to the Microsoft Defender ATP service.
|
||||
> It can take several days for devices to begin reporting to the Microsoft Defender ATP service.
|
||||
|
||||
**Open Event Viewer and find the Microsoft Defender ATP service event log:**
|
||||
|
||||
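Review bot: **Devices list** in the rewritten sentence is a portal navigation label, not prose; verify that the portal string was renamed along with the docs, or readers will look for a page that does not exist under that name. The rest of the rename in this hunk is consistent.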
@ -67,7 +67,7 @@ For example, if machines are not appearing in the **Machines list**, you might n
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service shutdown.</td>
|
||||
<td>Occurs when the machine is shut down or offboarded.</td>
|
||||
<td>Occurs when the device is shut down or offboarded.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@ -93,17 +93,17 @@ The service could not contact the external processing servers at that URL.</td>
|
||||
<tr>
|
||||
<td>6</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.</td>
|
||||
<td>The machine did not onboard correctly and will not be reporting to the portal.</td>
|
||||
<td>The device did not onboard correctly and will not be reporting to the portal.</td>
|
||||
<td>Onboarding must be run before starting the service.<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>7</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: <code>variable</code>.</td>
|
||||
<td>Variable = detailed error description. The machine did not onboard correctly and will not be reporting to the portal.</td>
|
||||
<td>Variable = detailed error description. The device did not onboard correctly and will not be reporting to the portal.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>8</td>
|
||||
@ -111,28 +111,28 @@ See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machin
|
||||
<td><strong>During onboarding:</strong> The service failed to clean its configuration during the onboarding. The onboarding process continues. <br><br> <strong>During offboarding:</strong> The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
|
||||
</td>
|
||||
<td><strong>Onboarding:</strong> No action required. <br><br> <strong>Offboarding:</strong> Reboot the system.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>9</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: <code>variable</code>.</td>
|
||||
<td><strong>During onboarding:</strong> The machine did not onboard correctly and will not be reporting to the portal. <br><br><strong>During offboarding:</strong> Failed to change the service start type. The offboarding process continues. </td>
|
||||
<td><strong>During onboarding:</strong> The device did not onboard correctly and will not be reporting to the portal. <br><br><strong>During offboarding:</strong> Failed to change the service start type. The offboarding process continues. </td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>10</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: <code>variable</code>.</td>
|
||||
<td>The machine did not onboard correctly and will not be reporting to the portal.</td>
|
||||
<td>The device did not onboard correctly and will not be reporting to the portal.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>11</td>
|
||||
<td>Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed.</td>
|
||||
<td>The machine onboarded correctly.</td>
|
||||
<td>The device onboarded correctly.</td>
|
||||
<td>Normal operating notification; no action required.<br>
|
||||
It may take several hours for the machine to appear in the portal.</td>
|
||||
It may take several hours for the device to appear in the portal.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
@ -142,7 +142,7 @@ It may take several hours for the machine to appear in the portal.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>13</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection machine ID calculated: <code>variable</code>.</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection device ID calculated: <code>variable</code>.</td>
|
||||
<td>Normal operating process.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
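Review bot: The rewritten line for event ID 13 changes the Message column, which holds the verbatim string the sensor writes to the event log ("Microsoft Defender Advanced Threat Protection machine ID calculated"), not doc prose; unless the service's event message was itself changed, keep "machine ID" here so that readers searching Event Viewer for the string in the table find a match, and apply the machine-to-device rename only in the Description and Action columns, as the other rows in this PR do.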
@ -159,7 +159,7 @@ The service could not contact the external processing servers at that URL.</td>
|
||||
<td>An error occurred with the Windows telemetry service.</td>
|
||||
<td><a href="troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>18</td>
|
||||
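Review bot: The link text "Ensure the diagnostic data service is enabled" in this row points at the anchor #ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy, which is a different troubleshooting section; since the row is being touched, point it at the section of troubleshoot-onboarding.md that actually covers the diagnostic data service.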
@ -183,25 +183,25 @@ If this error persists after a system restart, ensure all Windows updates have f
|
||||
<tr>
|
||||
<td>25</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: <code>variable</code>.</td>
|
||||
<td>The machine did not onboard correctly.
|
||||
<td>The device did not onboard correctly.
|
||||
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>26</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: <code>variable</code>.</td>
|
||||
<td>The machine did not onboard correctly.<br>
|
||||
<td>The device did not onboard correctly.<br>
|
||||
It will report to the portal, however the service may not appear as registered in SCCM or the registry.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>27</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender Antivirus. Onboarding process failed. Failure code: <code>variable</code>.</td>
|
||||
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP.</td>
|
||||
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.<br>
|
||||
Ensure real-time antimalware protection is running properly.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
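Review bot: "It will report to the portal, however the service may not appear as registered in SCCM or the registry" in both the event 25 and event 26 rows is a comma splice ("It will report to the portal; however, ..."), and "SCCM" is inconsistent with "Microsoft Endpoint Configuration Manager", the name this same PR uses in the controlled folder access topic; worth aligning while the rows are edited.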
@ -210,20 +210,20 @@ Ensure real-time antimalware protection is running properly.</td>
|
||||
<td>An error occurred with the Windows telemetry service.</td>
|
||||
<td><a href="troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>29</td>
|
||||
<td>Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 </td>
|
||||
<td>This event occurs when the system can't read the offboarding parameters.</td>
|
||||
<td>Ensure the machine has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired.</td>
|
||||
<td>Ensure the device has Internet access, then run the entire offboarding process again. Ensure the offboarding package has not expired.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>30</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender Antivirus. Failure code: <code>variable</code>.</td>
|
||||
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the machine, and the machine is reporting to Microsoft Defender ATP.</td>
|
||||
<td>Normally, Windows Defender Antivirus will enter a special passive state if another real-time antimalware product is running properly on the device, and the device is reporting to Microsoft Defender ATP.</td>
|
||||
<td>Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a><br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a><br>
|
||||
Ensure real-time antimalware protection is running properly.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
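Review bot: The row at the top of this hunk links "Ensure the diagnostic data service is enabled" to #ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy, a section about a different check; retarget it to the diagnostic data service section while the row is being edited. Separately, the event 30 row ends its onboarding link with "</a><br>" where every other row has "</a>.<br>", so the trailing period is missing.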
@ -236,14 +236,14 @@ Ensure real-time antimalware protection is running properly.</td>
|
||||
<td>32</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1</td>
|
||||
<td>An error occurred during offboarding.</td>
|
||||
<td>Reboot the machine.</td>
|
||||
<td>Reboot the device.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>33</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: <code>variable</code>.</td>
|
||||
<td>A unique identifier is used to represent each machine that is reporting to the portal.<br>
|
||||
If the identifier does not persist, the same machine might appear twice in the portal.</td>
|
||||
<td>Check registry permissions on the machine to ensure the service can update the registry.</td>
|
||||
<td>A unique identifier is used to represent each device that is reporting to the portal.<br>
|
||||
If the identifier does not persist, the same device might appear twice in the portal.</td>
|
||||
<td>Check registry permissions on the device to ensure the service can update the registry.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>34</td>
|
||||
@ -251,7 +251,7 @@ If the identifier does not persist, the same machine might appear twice in the p
|
||||
<td>An error occurred with the Windows telemetry service.</td>
|
||||
<td><a href="troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy" data-raw-source="[Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)">Ensure the diagnostic data service is enabled</a>.<br>
|
||||
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.<br>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machines](configure-endpoints.md)">Onboard Windows 10 machines</a>.</td>
|
||||
See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 devices](configure-endpoints.md)">Onboard Windows 10 devices</a>.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>35</td>
|
||||
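Review bot: The event 34 row carries the same mismatched link as the earlier telemetry rows, text "Ensure the diagnostic data service is enabled" on anchor #ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy; fix the anchor here too so the three rows stay consistent.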
@ -269,31 +269,31 @@ See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machin
|
||||
<tr>
|
||||
<td>37</td>
|
||||
<td>Microsoft Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
|
||||
<td>The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.</td>
|
||||
<td>The device has almost used its allocated quota of the current 24-hour window. It’s about to be throttled.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>38</td>
|
||||
<td>Network connection is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
|
||||
<td>The machine is using a metered/paid network and will be contacting the server less frequently.</td>
|
||||
<td>The device is using a metered/paid network and will be contacting the server less frequently.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>39</td>
|
||||
<td>Network connection is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
|
||||
<td>The machine is not using a metered/paid connection and will contact the server as usual.</td>
|
||||
<td>The device is not using a metered/paid connection and will contact the server as usual.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>40</td>
|
||||
<td>Battery state is identified as low. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
|
||||
<td>The machine has low battery level and will contact the server less frequently.</td>
|
||||
<td>The device has low battery level and will contact the server less frequently.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>41</td>
|
||||
<td>Battery state is identified as normal. Microsoft Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
|
||||
<td>The machine doesn’t have low battery level and will contact the server as usual.</td>
|
||||
<td>The device doesn’t have low battery level and will contact the server as usual.</td>
|
||||
<td>Normal operating notification; no action required.</td>
|
||||
</tr>
|
||||
<tr>
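Review bot: two renamed cells in this hunk carry awkward wording over unchanged: event 37's "It’s about to be throttled" does not say what gets throttled (suggest "reporting for that module is about to be throttled"), and event 41's "The device doesn’t have low battery level" reads better as "The device's battery level is not low". If the event 37 message column is the verbatim event text, leave it; otherwise it is missing punctuation between "Microsoft Defender Advanced Threat Protection" and "A module is about to exceed its quota".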
@ -345,6 +345,6 @@ See <a href="configure-endpoints.md" data-raw-source="[Onboard Windows 10 machin
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-eventerrorcodes-belowfoldlink)

## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Onboard Windows 10 devices](configure-endpoints.md)
- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Troubleshoot Microsoft Defender ATP](troubleshoot-onboarding.md)
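Review bot: the two renamed entries keep their targets (configure-endpoints.md and configure-proxy-internet.md) and their link text is meant to match those pages' titles; confirm both target titles are renamed to "devices" in this PR, otherwise the related-topics text and the page headings disagree.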
@ -31,9 +31,9 @@ Exploit protection automatically applies a number of exploit mitigation techniqu

Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).

You can [enable exploit protection](enable-exploit-protection.md) on an individual machine, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.
You can [enable exploit protection](enable-exploit-protection.md) on an individual device, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once.

When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

You can also use [audit mode](evaluate-exploit-protection.md) to evaluate how exploit protection would impact your organization if it were enabled.
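Review bot: the renamed "When a mitigation is encountered on the device" paragraph ends by calling the mitigations "rules" ("enable the rules individually"), while the hunk's own context calls them "exploit mitigation techniques"; use "mitigations" in both places. "encountered" also reads oddly for a mitigation firing: "When a mitigation is triggered on the device" says what actually happens.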

@ -2,7 +2,7 @@
title: Use Microsoft Defender Advanced Threat Protection APIs
ms.reviewer:
description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
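Review bot: swapping "machine" for "device" in the keywords list drops the term the API itself still uses (elsewhere in this PR the pages are still isolate-machine.md and machine.md and the permission is still Machine.ReadWrite); keep "machine" alongside "device" in keywords so searches for either term still land on this page.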
@ -77,7 +77,7 @@ This page explains how to create an AAD application, get an access token to Micr
For instance,

- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission
- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To [isolate a device](isolate-machine.md), select 'Isolate device' permission
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.

- Click **Grant consent**
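Review bot: 'Isolate device' on the renamed bullet is quoted as the permission's display name, and readers match that string character for character in the Azure AD permission picker; the link beside it still targets isolate-machine.md, so confirm the picker actually shows 'Isolate device' before changing the quoted text. Also "select 'Run advanced queries' permission" and "interested to call" read better as "select the 'Run advanced queries' permission" and "interested in calling".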
@ -2,7 +2,7 @@
title: Create an Application to access Microsoft Defender ATP without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
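Review bot: same keywords concern as the other front-matter hunks in this PR: keep "machine" in the list next to "device" rather than replacing it, because the API pages and permission names this article leads to still say machine.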
@ -68,7 +68,7 @@ The following steps with guide you how to create an AAD application, get an acce

- To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission

- To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission
- To [isolate a device](isolate-machine.md), select 'Isolate device' permission

In the following example we will use **'Read all alerts'** permission:
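Review bot: the hunk header's context line reads "The following steps with guide you how to create an AAD application"; "with" should be "will" (and "guide you through creating" is cleaner), worth fixing while in the file. As on the other permission bullets in this PR, confirm the picker shows 'Isolate device' before changing the quoted permission name; the link still targets isolate-machine.md.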

@ -2,7 +2,7 @@
title: Create an app to access Microsoft Defender ATP without a user
ms.reviewer:
description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user.
keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query
keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
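Review bot: keep "machine" in the keywords list in addition to "device"; the rename removes a search term that the API entity and permission names in this PR still use.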
@ -58,7 +58,7 @@ This article explains how to create an Azure AD application, get an access token
Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance:

- To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission.
- To [isolate a machine](isolate-machine.md), select the 'Isolate machine' permission.
- To [isolate a device](isolate-machine.md), select the 'Isolate device' permission.
- To determine which permission you need, please look at the **Permissions** section in the API you are interested to call.

5. Select **Grant consent**.
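Review bot: as with the other two permission lists in this PR, 'Isolate device' must match the display name in the Azure AD permission picker exactly; the bullet still links isolate-machine.md, so verify the picker text before changing the quoted string. "the API you are interested to call" should be "the API you want to call".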
@ -28,7 +28,7 @@ Full scenario using multiple APIs from Microsoft Defender ATP.
In this section we share PowerShell samples to
- Retrieve a token
- Use token to retrieve the latest alerts in Microsoft Defender ATP
- For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL.
- For each alert, if the alert has medium or high priority and is still in progress, check how many times the device has connected to suspicious URL.

**Prerequisite**: You first need to [create an app](apis-intro.md).
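Review bot: the renamed bullet still ends "connected to suspicious URL" and needs an article ("a suspicious URL"); the bullet above it, "Use token to retrieve", should be "Use the token to retrieve". The three bullets also mix fragments without end punctuation and a full sentence with one; make them consistent.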

@ -2,7 +2,7 @@
title: Supported Microsoft Defender Advanced Threat Protection APIs
ms.reviewer:
description: Learn about the specific supported Microsoft Defender Advanced Threat Protection entities where you can create API calls to.
keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting
keywords: apis, supported apis, actor, alerts, device, user, domain, ip, file, advanced queries, advanced hunting
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
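Review bot: keep "machine" in keywords next to "device" rather than replacing it; this page's own table still lists the "Machines" and "Machine Actions" entities, so readers searching for that term should still find it. The description's "entities where you can create API calls to" also reads better as "entities you can call through the API".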
@ -50,16 +50,16 @@ Topic | Description
:---|:---
Advanced Hunting | Run queries from API.
Alerts | Run API calls such as get alerts, create alert, update alert and more.
Domains | Run API calls such as get domain related machines, domain statistics and more.
Files | Run API calls such as get file information, file related alerts, file related machines, and file statistics.
Domains | Run API calls such as get domain related devices, domain statistics and more.
Files | Run API calls such as get file information, file related alerts, file related devices, and file statistics.
IPs | Run API calls such as get IP related alerts and get IP statistics.
Machines | Run API calls such as get machines, get machines by ID, information about logged on users, edit tags and more.
Machines | Run API calls such as get devices, get devices by ID, information about logged on users, edit tags and more.
Machine Actions | Run API call such as Isolation, Run anti-virus scan and more.
Indicators | Run API call such as create Indicator, get Indicators and delete Indicators.
Users | Run API calls such as get user related alerts and user related machines.
Users | Run API calls such as get user related alerts and user related devices.
Score | Run API calls such as get exposure score or get device secure score.
Software | Run API calls such as list vulnerabilities by software.
Vulnerability | Run API calls such as list machines by vulnerability.
Vulnerability | Run API calls such as list devices by vulnerability.
Recommendation | Run API calls such as Get recommendation by Id.

## Related topic
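Review bot: the Topic column still says "Machines" and "Machine Actions" while the renamed description on the same row says "get devices, get devices by ID", and the Score row says "get device secure score" while the secure score page in this PR keeps the title "Get Machine Secure score". Decide once whether the API entity names stay "Machine" (the entity page machine.md and the /api/machines endpoint used elsewhere in this PR are unchanged) and apply that to both columns; a row whose name and description use different nouns reads as two different things.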
@ -35,7 +35,7 @@ Not all properties are filterable.

### Example 1

Get all the machines with the tag 'ExampleTag'
Get all the devices with the tag 'ExampleTag'

```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag')
@ -126,7 +126,7 @@ Content-type: application/json

### Example 3

Get all the machines with 'High' 'RiskScore'
Get all the devices with 'High' 'RiskScore'

```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High'
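Review bot: the renamed description "Get all the devices with 'High' 'RiskScore'" quotes the property name as if it were a value; "Get all the devices whose riskScore is 'High'" matches the query below it (`riskScore+eq+'High'`) and is easier to read.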
@ -167,7 +167,7 @@ Content-type: application/json

### Example 4

Get top 100 machines with 'HealthStatus' not equals to 'Active'
Get top 100 devices with 'HealthStatus' not equals to 'Active'

```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100
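Review bot: "not equals to" in the renamed description is ungrammatical; "Get the top 100 devices whose healthStatus is not 'Active'" says the same thing and matches the `healthStatus+ne+'Active'&$top=100` query below.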
@ -208,7 +208,7 @@ Content-type: application/json

### Example 5

Get all the machines that last seen after 2018-10-20
Get all the devices that last seen after 2018-10-20

```
HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z
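Review bot: the renamed description says "last seen after 2018-10-20" but the query below filters `lastSeen gt 2018-08-01Z`; align the two dates. "that last seen" also needs a verb: "that were last seen after".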
@ -283,7 +283,7 @@ Content-type: application/json

### Example 7

Get the count of open alerts for a specific machine:
Get the count of open alerts for a specific device:

```
HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved'
@ -29,7 +29,7 @@ Method|Return Type |Description
:---|:---|:---
[Get file](get-file-information.md) | [file](files.md) | Get a single file
[List file related alerts](get-file-related-alerts.md) | [alert](alerts.md) collection | Get the [alert](alerts.md) entities that are associated with the file.
[List file related machines](get-file-related-machines.md) | [machine](machine.md) collection | Get the [machine](machine.md) entities associated with the alert.
[List file related devices](get-file-related-machines.md) | [machine](machine.md) collection | Get the [device](machine.md) entities associated with the alert.
[file statistics](get-file-statistics.md) | Statistics summary | Retrieves the prevalence for the given file.
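Review bot: the renamed "List file related devices" row still says the entities are "associated with the alert"; this is the file-related method (compare the row above, "associated with the file"), so it should read "associated with the file". The same row links the return type as "[machine](machine.md) collection" while the description now says "[device](machine.md) entities"; use one name for the entity in both cells.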


@ -1,7 +1,7 @@
---
title: Find machine information by internal IP API
description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP.
keywords: ip, apis, graph api, supported apis, find machine, machine information
title: Find device information by internal IP API
description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP.
keywords: ip, apis, graph api, supported apis, find device, device information
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
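Review bot: the renamed description "create calls related to finding a device entry around a specific timestamp" is vague about what "around" means; this file's response note says sixteen minutes either side and the neighbouring find-devices page says 15, so state the window here in the same terms once that discrepancy is resolved. Keep "machine" in keywords alongside "device" as well.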
@ -16,13 +16,13 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Find machine information by internal IP API
# Find device information by internal IP API

**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

Find a machine by internal IP.
Find a device by internal IP.

>[!NOTE]
>The timestamp must be within the last 30 days.
@ -70,7 +70,7 @@ Content-type: application/json

Here is an example of the response.

The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp.
The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp.

```
HTTP/1.1 200 OK
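Review bot: the renamed sentence keeps "within sixteen minutes prior and after the timestamp", while the "Find devices by internal IP API" description later in this PR says "in the time range of 15 minutes prior and after a given timestamp"; one of the two figures is wrong, so verify against the service and use the same number on both pages. "prior and after" reads better as "before and after".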
@ -1,7 +1,7 @@
---
title: Find machines by internal IP API
description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip
title: Find devices by internal IP API
description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp
keywords: apis, graph api, supported apis, get, device, IP, find, find device, by ip, ip
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
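Review bot: the renamed description states a 15 minute window either side of the timestamp, but the find-device-information page in this same PR says sixteen minutes; settle on one figure across both pages. The description is also missing its terminating period, and "machine" should stay in keywords next to "device".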
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Find machines by internal IP API
# Find devices by internal IP API

**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

@ -44,9 +44,9 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine

>[!Note]
> When obtaining a token using user credentials:
> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
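Review bot: this hunk renames the "Response will include only devices that the user have access to" bullet twice because the source has the same bullet on both sides of the 'View Data' bullet; drop the duplicate instead of carrying it forward. The surviving bullet also needs "the user has access to" (not "have"), and a leading "The" before "Response".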
@ -1,6 +1,6 @@
---
title: Fix unhealthy sensors in Microsoft Defender ATP
description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine.
description: Fix device sensors that are reporting as misconfigured or inactive so that the service receives data from the device.
keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication
search.product: eADQiWindows 10XVcnh
search.appverid: met150
@ -29,63 +29,63 @@ ms.date: 10/23/2017

>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink)

Machines that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a machine to be categorized as inactive or misconfigured.
Devices that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a device to be categorized as inactive or misconfigured.

## Inactive machines
## Inactive devices

An inactive machine is not necessarily flagged due to an issue. The following actions taken on a machine can cause a machine to be categorized as inactive:
An inactive device is not necessarily flagged due to an issue. The following actions taken on a device can cause a device to be categorized as inactive:

**Machine is not in use**</br>
If the machine has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.
**Device is not in use**</br>
If the device has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal.

**Machine was reinstalled or renamed**</br>
A reinstalled or renamed machine will generate a new machine entity in Microsoft Defender Security Center. The previous machine entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a machine and deployed the Microsoft Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Device was reinstalled or renamed**</br>
A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Microsoft Defender ATP package, search for the new device name to verify that the device is reporting normally.

**Machine was offboarded**</br>
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.
**Device was offboarded**</br>
If the device was offboarded it will still appear in devices list. After 7 days, the device health state should change to inactive.


**Machine is not sending signals**
If the machine is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for any reason including conditions that fall under misconfigured machines classification, a machine can be considered inactive.
**Device is not sending signals**
If the device is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive.


Do you expect a machine to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).
Do you expect a device to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561).

## Misconfigured machines
Misconfigured machines can further be classified to:
## Misconfigured devices
Misconfigured devices can further be classified to:
- Impaired communications
- No sensor data

### Impaired communications
This status indicates that there's limited communication between the machine and the service.
This status indicates that there's limited communication between the device and the service.

The following suggested actions can help fix issues related to a misconfigured machine with impaired communications:
The following suggested actions can help fix issues related to a misconfigured device with impaired communications:

- [Ensure the machine has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-machine)</br>
- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.

- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.

If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).

### No sensor data
A misconfigured machine with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured machine with status ‘No sensor data’:
A misconfigured device with status ‘No sensor data’ has communication with the service but can only report partial sensor data.
Follow theses actions to correct known issues related to a misconfigured device with status ‘No sensor data’:

- [Ensure the machine has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-machine)</br>
- [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)</br>
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.

- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)</br>
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs.

- [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)</br>
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.
If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint.

- [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)</br>
If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.
If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled.

If you took corrective actions and the machine status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).
If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409).

## Related topic
- [Check sensor health state in Microsoft Defender ATP](check-sensor-status.md)
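Review bot: the two "Ensure the device has Internet connection" bullets now link `troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device`, so the heading that generates that anchor in troubleshoot-onboarding.md has to be renamed in the same PR or both links break; that file is not in this diff. Several typos are carried over unchanged onto the renamed lines and should be fixed in passing: "Follow theses actions", "appear in devices list" (the devices list), "can further be classified to" (into), and the untouched "The Window Defender ATP sensor" context line that appears twice. The "Ensure the device has Internet connection" and "Verify client connectivity" bullet pairs are also duplicated verbatim between the Impaired communications and No sensor data sections; consider stating them once and referring back.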
@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -43,7 +43,7 @@ Delegated (work or school account) | URL.Read.All | 'Read URLs'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -43,7 +43,7 @@ Delegated (work or school account) | File.Read.All | 'Read file profiles'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -43,7 +43,7 @@ Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
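Review bot: this note block is the fifth verbatim copy of the same two bullets across the alert-related API pages in this PR (Alert.ReadWrite, URL.Read.All, File.Read.All, Ip.Read.All, and the User.Read.All page further down); the rename had to be applied to each copy by hand, which is exactly how they drift apart. Move the note into a shared include so the wording is maintained in one place.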
@ -1,7 +1,7 @@
---
title: Get alert related machine information
description: Retrieve all machines related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related machine
description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP).
keywords: apis, graph api, supported apis, get alert information, alert information, related device
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
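Review bot: the title "Get alert related machine information" is left unchanged while the description and keywords in the same front matter move to "device"; rename the title as well, or keep all three on "machine", so the page does not describe itself with two different nouns. Keep "machine" in keywords alongside "device" in either case.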
@ -24,7 +24,7 @@ ms.topic: article


## API description
Retrieves [Machine](machine.md) related to a specific alert.
Retrieves [Device](machine.md) related to a specific alert.


## Limitations
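Review bot: the renamed line "Retrieves [Device](machine.md) related to a specific alert." is missing an article and now links the Machine entity page under a different name; write "Retrieves the [machine](machine.md) entity related to a specific alert." unless the entity page itself is being renamed in this PR, in which case the link target should change with it.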
@ -45,7 +45,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -63,7 +63,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty

## Response
If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found.
If successful and alert and device exist - 200 OK. If alert not found or device not found - 404 Not Found.

## Example
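Review bot: the renamed Response line reads as a fragment; "If the alert and the device exist, 200 OK. If either is not found, 404 Not Found." keeps the meaning and is easier to scan, and it also covers the case the current wording splits awkwardly into "alert not found or device not found".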

@ -43,7 +43,7 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -49,7 +49,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The response will include only alerts that are associated with devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -1,6 +1,6 @@
---
title: Get Machine Secure score
description: Retrieves the organizational machine secure score.
description: Retrieves the organizational device secure score.
keywords: apis, graph api, supported apis, get, alerts, recent
search.product: eADQiWindows 10XVcnh
ms.prod: w10
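
Review bot: `title: Get Machine Secure score` is unchanged while the `description` directly below it now says "device secure score"; change both together, and while in this front matter note that the `keywords` value "get, alerts, recent" does not describe a secure score page and could be corrected in the same edit.
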
@ -1,6 +1,6 @@
---
title: Get discovered vulnerabilities
description: Retrieves a collection of discovered vulnerabilities related to a given machine ID.
description: Retrieves a collection of discovered vulnerabilities related to a given device ID.
keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -22,7 +22,7 @@ ms.topic: article

[!include[Prerelease information](../../includes/prerelease.md)]

Retrieves a collection of discovered vulnerabilities related to a given machine ID.
Retrieves a collection of discovered vulnerabilities related to a given device ID.

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -45,7 +45,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
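
Review bot: the rewritten note line keeps the grammar error "that the user have access to"; since the line is being replaced anyway, make it "that the user has access to" and drop the stray commas around "associated with devices".
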
@ -1,7 +1,7 @@
---
title: Get domain related machines API
description: Retrieves a collection of machines related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, machines
description: Retrieves a collection of devices related to a given domain address.
keywords: apis, graph api, supported apis, get, domain, related, devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
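
Review bot: `title: Get domain related machines API` is left as is while `description` and `keywords` in the same front matter move to "devices"; update the title in this hunk too, or the page will advertise one term and describe another.
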
@ -28,7 +28,7 @@ Retrieves a collection of [Machines](machine.md) that have communicated to or fr


## Limitations
1. You can query on machines last seen in the past 30 days.
1. You can query on devices last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
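
Review bot: the hunk header shows that the API description sentence just above this hunk still reads "Retrieves a collection of [Machines](machine.md) that have communicated to or fr..." while the Limitations item below it now says "devices"; extend the change to that sentence so the page does not switch terms between two adjacent paragraphs.
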


@ -45,7 +45,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -1,7 +1,7 @@
---
title: Get domain statistics API
description: Retrieves the prevalence for the given domain.
keywords: apis, graph api, supported apis, get, domain, domain related machines
keywords: apis, graph api, supported apis, get, domain, domain related devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
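
Review bot: same agreement problem as the other permission notes in this PR: "that the user have access to" should be "that the user has access to" in the rewritten line.
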
@ -1,7 +1,7 @@
---
title: Get file related machines API
description: Retrieves a collection of machines related to a given file hash.
keywords: apis, graph api, supported apis, get, machines, hash
description: Retrieves a collection of devices related to a given file hash.
keywords: apis, graph api, supported apis, get, devices, hash
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
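
Review bot: `title: Get file related machines API` still uses "machines" although `description` and `keywords` in this hunk were changed; include the title in the rename.
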
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
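
Review bot: the new line reads "only devices, that the user have access to", which carries both a stray comma and a number-agreement error from the original; suggest "only devices that the user has access to".
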
@ -1,7 +1,7 @@
---
title: Get installed software
description: Retrieves a collection of installed software related to a given machine ID.
keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per machine, threat & vulnerability management api, mdatp tvm api
description: Retrieves a collection of installed software related to a given device ID.
keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -22,7 +22,7 @@ ms.topic: article

[!include[Prerelease information](../../includes/prerelease.md)]

Retrieves a collection of installed software related to a given machine ID.
Retrieves a collection of installed software related to a given device ID.

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
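
Review bot: "that the user have access to" in the rewritten note line should read "that the user has access to".
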
@ -1,7 +1,7 @@
---
title: Get machine by ID API
description: Retrieves a machine entity by ID.
keywords: apis, graph api, supported apis, get, machines, entity, id
description: Retrieves a device entity by ID.
keywords: apis, graph api, supported apis, get, devices, entity, id
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
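
Review bot: `title: Get machine by ID API` is not updated while the `description` and `keywords` below it are; rename the title in the same hunk unless the page name is intentionally frozen.
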
@ -24,11 +24,11 @@ ms.topic: article


## API description
Retrieves specific [Machine](machine.md) by its machine ID or computer name.
Retrieves specific [Machine](machine.md) by its device ID or computer name.


## Limitations
1. You can get machines last seen in the past 30 days.
1. You can get devices last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
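
Review bot: the rewritten API description now says "Retrieves specific [Machine](machine.md) by its device ID or computer name", mixing both terms in one sentence, and an earlier hunk in this PR rendered the same link as `[Device](machine.md)`; settle on one link text for the entity and reword to "Retrieves a specific [Device](machine.md) by its device ID or computer name" (or keep Machine in both places).
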


@ -45,7 +45,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)


## HTTP request
@ -64,7 +64,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty

## Response
If successful and machine exists - 200 OK with the [machine](machine.md) entity in the body.
If successful and device exists - 200 OK with the [machine](machine.md) entity in the body.
If machine with the specified id was not found - 404 Not Found.
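
Review bot: the first sentence of the Response section now says "device exists" but the unchanged line right after it still says "If machine with the specified id was not found - 404 Not Found."; update that line as well, and note that the link text "[machine](machine.md)" is lowercase here and capitalised on the other pages in this PR.
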


@ -1,7 +1,7 @@
---
title: List exposure score by machine group
description: Retrieves a list of exposure scores by machine group.
keywords: apis, graph api, supported apis, get, exposure score, machine group, machine group exposure score
title: List exposure score by device group
description: Retrieves a list of exposure scores by device group.
keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# List exposure score by machine group
# List exposure score by device group

**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

@ -49,7 +49,7 @@ GET /api/exposureScore/ByMachineGroups
Empty

## Response
If successful, this method returns 200 OK, with a list of exposure score per machine group data in the response body.
If successful, this method returns 200 OK, with a list of exposure score per device group data in the response body.


## Example
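
Review bot: the route `GET /api/exposureScore/ByMachineGroups` in the hunk header stays as is, which is right because it is the literal URL clients call; the prose change is fine, though "a list of exposure score per device group data" reads awkwardly and could be "a list of exposure scores per device group".
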
@ -1,7 +1,7 @@
---
title: Get machine log on users API
description: Retrieve a collection of logged on users on a specific machine using Microsoft Defender ATP APIs.
keywords: apis, graph api, supported apis, get, machine, log on, users
description: Retrieve a collection of logged on users on a specific device using Microsoft Defender ATP APIs.
keywords: apis, graph api, supported apis, get, device, log on, users
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
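
Review bot: `title: Get machine log on users API` is left unchanged in a front matter block whose `description` and `keywords` were switched to "device"; rename the title too.
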
@ -24,11 +24,11 @@ ms.topic: article


## API description
Retrieves a collection of logged on users on a specific machine.
Retrieves a collection of logged on users on a specific device.


## Limitations
1. You can query on machines last seen in the past 30 days.
1. You can query on devices last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.


@ -43,7 +43,7 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -61,7 +61,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty

## Response
If successful and machine exist - 200 OK with list of [user](user.md) entities in the body. If machine was not found - 404 Not Found.
If successful and device exist - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found.


## Example
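
Review bot: the rewritten Response line keeps "If successful and device exist"; make it "exists" while touching the line.
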
@ -1,7 +1,7 @@
---
title: Get machine related alerts API
description: Retrieves a collection of alerts related to a given machine ID.
keywords: apis, graph api, supported apis, get, machines, related, alerts
description: Retrieves a collection of alerts related to a given device ID.
keywords: apis, graph api, supported apis, get, devices, related, alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
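
Review bot: the `title` in this front matter still says "Get machine related alerts API" while `description` and `keywords` now say "device"; update the title as well.
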
@ -24,11 +24,11 @@ ms.topic: article


## API description
Retrieves all [Alerts](alerts.md) related to a specific machine.
Retrieves all [Alerts](alerts.md) related to a specific device.


## Limitations
1. You can query on machines last seen in the past 30 days.
1. You can query on devices last seen in the past 30 days.
2. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.


@ -42,7 +42,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- User needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -60,4 +60,4 @@ Authorization | String | Bearer {token}. **Required**.
Empty

## Response
If successful and machine exists - 200 OK with list of [alert](alerts.md) entities in the body. If machine was not found - 404 Not Found.
If successful and device exists - 200 OK with list of [alert](alerts.md) entities in the body. If device was not found - 404 Not Found.
@ -1,6 +1,6 @@
---
title: Get RBAC machine groups collection API
description: Retrieves a collection of RBAC machine groups.
description: Retrieves a collection of RBAC device groups.
keywords: apis, graph api, supported apis, get, RBAC, group
search.product: eADQiWindows 10XVcnh
search.appverid: met150
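
Review bot: `title: Get RBAC machine groups collection API` is left unchanged although the `description` directly below it now says "RBAC device groups"; rename the title in this hunk for consistency.
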
@ -24,7 +24,7 @@ ms.date: 10/07/2018

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

Retrieves a collection of RBAC machine groups.
Retrieves a collection of RBAC device groups.

## Permissions
User needs read permissions.
@ -61,8 +61,8 @@ Content-type: application/json
**Response**

Here is an example of the response.
Field id contains machine group **id** and equal to field **rbacGroupId** in machines info.
Field **ungrouped** is true only for one group for all machines that have not been assigned to any group. This group as usual has name "UnassignedGroup".
Field id contains device group **id** and equal to field **rbacGroupId** in devices info.
Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup".

```
HTTP/1.1 200 OK
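
Review bot: the two rewritten sentences carry the grammar problems of the originals; "Field id contains device group **id** and equal to field **rbacGroupId** in devices info" should read "The **id** field contains the device group id and is equal to the **rbacGroupId** field in device info" (with **id** bolded like the other field names), and "This group as usual has name "UnassignedGroup"" should read "This group is usually named "UnassignedGroup"".
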
@ -1,7 +1,7 @@
---
title: List machines by software
description: Retrieve a list of machines that has this software installed.
keywords: apis, graph api, supported apis, get, list machines, machines list, list machines by software, mdatp tvm api
title: List devices by software
description: Retrieve a list of devices that has this software installed.
keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
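
Review bot: the new `description` keeps "a list of devices that has this software installed"; the verb should agree with "devices", so "that have this software installed".
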
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# List machines by software
# List devices by software

**Applies to:**

@ -24,7 +24,7 @@ ms.topic: article

[!include[Prerelease information](../../includes/prerelease.md)]

Retrieve a list of machine references that has this software installed.
Retrieve a list of device references that has this software installed.

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
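
Review bot: "Retrieve a list of device references that has this software installed" has the same agreement error as the front matter of this page; use "that have".
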
@ -49,7 +49,7 @@ GET /api/Software/{Id}/machineReferences
Empty

## Response
If successful, this method returns 200 OK and a list of machines with the software installed in the body.
If successful, this method returns 200 OK and a list of devices with the software installed in the body.


## Example
@ -1,7 +1,7 @@
---
title: List machines by vulnerability
description: Retrieves a list of machines affected by a vulnerability.
keywords: apis, graph api, supported apis, get, machines list, vulnerable machines, mdatp tvm api
title: List devices by vulnerability
description: Retrieves a list of devices affected by a vulnerability.
keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -16,13 +16,13 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# List machines by vulnerability
# List devices by vulnerability
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

[!include[Prerelease information](../../includes/prerelease.md)]

Retrieves a list of machines affected by a vulnerability.
Retrieves a list of devices affected by a vulnerability.

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
@ -1,7 +1,7 @@
---
title: List machines API
description: Retrieves a collection of recently seen machines.
keywords: apis, graph api, supported apis, get, machines
description: Retrieves a collection of recently seen devices.
keywords: apis, graph api, supported apis, get, devices
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
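
Review bot: `title: List machines API` is unchanged while the `description` and `keywords` beneath it were moved to "devices"; update the title in the same change.
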
@ -31,7 +31,7 @@ Retrieves a collection of [Machines](machine.md) that have communicated with Mi


## Limitations
1. You can get machines last seen in the past 30 days.
1. You can get devices last seen in the past 30 days.
2. Maximum page size is 10,000.
3. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
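
Review bot: the hunk header shows the description sentence above this hunk still begins "Retrieves a collection of [Machines](machine.md) that have communicated with Mi..."; with the Limitations item below now saying "devices", that sentence should be updated in the same PR.
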

@ -48,7 +48,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
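
Review bot: the new line fixes the missing space in "machines,that" but keeps the comma and the verb error; suggest "Response will include only devices that the user has access to".
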
@ -1,7 +1,7 @@
---
title: Get machines security states collection API
description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
keywords: apis, graph api, supported apis, get, machine, security, state
description: Retrieve a collection of device security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP.
keywords: apis, graph api, supported apis, get, device, security, state
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
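
Review bot: `title: Get machines security states collection API` is not renamed while `description` and `keywords` are, and both the old and the new `description` lines are missing the closing parenthesis after "(Microsoft Defender ATP"; add it on the rewritten line.
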
@ -23,7 +23,7 @@ ms.topic: article

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

Retrieves a collection of machines security states.
Retrieves a collection of devices security states.

## Permissions
User needs read permissions.
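
Review bot: "Retrieves a collection of devices security states." should be "device security states" (attributive singular), matching the `description` wording used in this page's front matter.
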
@ -60,7 +60,7 @@ Content-type: application/json
**Response**

Here is an example of the response.
Field *id* contains machine id and equal to the field *id** in machines info.
Field *id* contains device id and equal to the field *id** in devices info.

```
HTTP/1.1 200 OK
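
Review bot: the rewritten line "Field *id* contains device id and equal to the field *id** in devices info." keeps an unbalanced `*id**` (renders with a stray asterisk) and the missing verb; suggest "The *id* field contains the device id and is equal to the *id* field in device info".
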
@ -1,7 +1,7 @@
---
title: Get missing KBs by machine ID
description: Retrieves missing KBs by machine Id
keywords: apis, graph api, supported apis, get, list, file, information, machine id, threat & vulnerability management api, mdatp tvm api
title: Get missing KBs by device ID
description: Retrieves missing KBs by device Id
keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
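
Review bot: the new `description` line "Retrieves missing KBs by device Id" uses "Id" while the title on the line above uses "ID"; pick one spelling, and end the description with a period as the other pages in this PR do.
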
@ -16,13 +16,13 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Get missing KBs by machine ID
# Get missing KBs by device ID

**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink)

Retrieves missing KBs by machine Id
Retrieves missing KBs by device Id

## HTTP request

@ -42,7 +42,7 @@ Empty

## Response

If successful, this method returns 200 OK, with the specified machine missing kb data in the body.
If successful, this method returns 200 OK, with the specified device missing kb data in the body.

## Example

@ -38,7 +38,7 @@ Delegated (work or school account) | Machine.CollectForensics | 'Collect forensi
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles.md) for more information)
>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- The user needs to have access to the device, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
@ -1,7 +1,7 @@
---
title: List machines by recommendation
description: Retrieves a list of machines associated with the security recommendation.
keywords: apis, graph api, supported apis, get, security recommendation for vulnerable machines, threat and vulnerability management, threat and vulnerability management api
title: List devices by recommendation
description: Retrieves a list of devices associated with the security recommendation.
keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -16,13 +16,13 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# List machines by recommendation
# List devices by recommendation
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

[!include[Prerelease information](../../includes/prerelease.md)]

Retrieves a list of machines associated with the security recommendation.
Retrieves a list of devices associated with the security recommendation.

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details.
@ -48,7 +48,7 @@ Authorization | String | Bearer {token}. **Required**.
Empty

## Response
If successful, this method returns 200 OK with the list of machines associated with the security recommendation.
If successful, this method returns 200 OK with the list of devices associated with the security recommendation.


## Example
@ -1,7 +1,7 @@
---
title: Get security recommendations
description: Retrieves a collection of security recommendations related to a given machine ID.
keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per machine, threat & vulnerability management api, mdatp tvm api
description: Retrieves a collection of security recommendations related to a given device ID.
keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -22,7 +22,7 @@ ms.topic: article

[!include[Prerelease information](../../includes/prerelease.md)]

Retrieves a collection of security recommendations related to a given machine ID.
Retrieves a collection of security recommendations related to a given device ID.

## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md)
@ -1,6 +1,6 @@
---
title: Get software by Id
description: Retrieves a list of exposure scores by machine group.
description: Retrieves a list of exposure scores by device group.
keywords: apis, graph api, supported apis, get, software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: w10
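
Review bot: the `description` on this "Get software by Id" page reads "Retrieves a list of exposure scores by device group", which describes the exposure score API rather than this one; since the line is being rewritten anyway, replace it with a description of retrieving software by its ID instead of only swapping "machine" for "device".
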
@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts'
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)

## HTTP request
```
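
Review bot: "that the user have access to" in the rewritten note should be "that the user has access to".
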
@ -1,6 +1,6 @@
---
title: Get user related machines API
description: Retrieves a collection of machines related to a given user ID.
description: Retrieves a collection of devices related to a given user ID.
keywords: apis, graph api, supported apis, get, user, user related alerts
search.product: eADQiWindows 10XVcnh
ms.prod: w10
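
Review bot: `title: Get user related machines API` is left unchanged although the `description` below it now says "devices", and the unchanged `keywords` line ends with "user related alerts", which does not match a page about user-related devices; fix both while editing this front matter.
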
|
||||
@ -24,7 +24,7 @@ ms.topic: article
## API description
Retrieves a collection of machines related to a given user ID.
Retrieves a collection of devices related to a given user ID.
## Limitations
@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
>- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information)
## HTTP request
```
@ -69,7 +69,7 @@ IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'S
**IsolationType** controls the type of isolation to perform and can be one of the following:
- Full – Full isolation
- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details)
- Selective – Restrict only limited set of applications from accessing the network (see [Isolate devices from the network](respond-machine-alerts.md#isolate-devices-from-the-network) for more details)
## Response
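Review bot: minor grammar in the changed Selective bullet: "Restrict only limited set of applications" should read "Restrict only a limited set of applications". The new anchor `#isolate-devices-from-the-network` does match the heading renamed to `## Isolate devices from the network` in respond-machine-alerts.md within this same change.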
@ -1,7 +1,7 @@
---
title: Take response actions on a machine in Microsoft Defender ATP
description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution.
keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app
title: Take response actions on a device in Microsoft Defender ATP
description: Take response actions on a device such as isolating devices, collecting an investigation package, managing tags, running av scan, and restricting app execution.
keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
@ -17,16 +17,16 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Take response actions on a machine
# Take response actions on a device
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink)
Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center.
Quickly respond to detected attacks by isolating devices or collecting an investigation package. After taking action on devices, you can check activity details on the Action center.
Response actions run along the top of a specific machine page and include:
Response actions run along the top of a specific device page and include:
- Manage tags
- Initiate Automated Investigation
@ -34,56 +34,56 @@ Response actions run along the top of a specific machine page and include:
- Collect investigation package
- Run antivirus scan
- Restrict app execution
- Isolate machine
- Isolate device
- Consult a threat expert
- Action center

You can find machine pages from any of the following views:
You can find device pages from any of the following views:
- **Security operations dashboard** - Select a machine name from the Machines at risk card.
- **Alerts queue** - Select the machine name beside the machine icon from the alerts queue.
- **Machines list** - Select the heading of the machine name from the machines list.
- **Search box** - Select Machine from the drop-down menu and enter the machine name.
- **Security operations dashboard** - Select a device name from the Devices at risk card.
- **Alerts queue** - Select the device name beside the device icon from the alerts queue.
- **Devices list** - Select the heading of the device name from the devices list.
- **Search box** - Select Device from the drop-down menu and enter the device name.
>[!IMPORTANT]
> - These response actions are only available for machines on Windows 10, version 1703 or later.
> - For non-Windows platforms, response capabilities (such as Machine isolation) are dependent on the third-party capabilities.
> - These response actions are only available for devices on Windows 10, version 1703 or later.
> - For non-Windows platforms, response capabilities (such as Device isolation) are dependent on the third-party capabilities.
## Manage tags
Add or manage tags to create a logical group affiliation. Machine tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
Add or manage tags to create a logical group affiliation. Device tags support proper mapping of the network, enabling you to attach different tags to capture context and to enable dynamic list creation as part of an incident.
For more information on machine tagging, see [Create and manage machine tags](machine-tags.md).
For more information on device tagging, see [Create and manage device tags](machine-tags.md).
## Initiate Automated Investigation
You can start a new general purpose automated investigation on the machine if needed. While an investigation is running, any other alert generated from the machine will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other machines, those machines are added to the investigation.
You can start a new general purpose automated investigation on the device if needed. While an investigation is running, any other alert generated from the device will be added to an ongoing Automated investigation until that investigation is completed. In addition, if the same threat is seen on other devices, those devices are added to the investigation.
For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
## Initiate Live Response Session
Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
Live response is a capability that gives you instantaneous access to a device using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats – real-time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.
For more information on live response, see [Investigate entities on machines using live response](live-response.md)
For more information on live response, see [Investigate entities on devices using live response](live-response.md)
## Collect investigation package from machines
## Collect investigation package from devices
As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker.
As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.
To download the package (Zip file) and investigate the events that occurred on a machine
To download the package (Zip file) and investigate the events that occurred on a device
1. Select **Collect investigation package** from the row of response actions at the top of the machine page.
1. Select **Collect investigation package** from the row of response actions at the top of the device page.
2. Specify in the text box why you want to perform this action. Select **Confirm**.
3. The zip file will download
Alternate way:
1. Select **Action center** from the response actions section of the machine page.
1. Select **Action center** from the response actions section of the device page.

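Review bot: in the changed IMPORTANT note, "Device isolation" is capitalized mid-sentence; use "device isolation" (the original "Machine isolation" had the same problem). Two smaller points in the same hunk: step `3. The zip file will download` is missing its period, and "contain identified threats – real-time" reads better as "contain identified threats in real time".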
@ -95,12 +95,12 @@ The package contains the following folders:
| Folder | Description |
|:---|:---------|
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
|Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the device. </br></br> NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” |
|Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the device. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). |
|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.</br></br> - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process. </br></br> - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces. </br></br> ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.</br></br> - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections. </br></br> - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. </br></br> - FirewallExecutionLog.txt and pfirewall.log |
| Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list. </br></br> - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files. </br></br> - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. |
| Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state. |
| Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen device to look for suspicious code which was set to run automatically. |
| Security event log| Contains the security event log which contains records of login or logout activity, or other security-related events specified by the system's audit policy. </br></br>NOTE: Open the event log file using Event viewer. |
| Services| Contains a .CSV file which lists services and their states. |
| Windows Server Message Block (SMB) sessions | Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement. </br></br> Contains files for SMBInboundSessions and SMBOutboundSession. </br></br> NOTE: If there are no sessions (inbound or outbound), you'll get a text file which tell you that there are no SMB sessions found. |
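Review bot: three typos in the unchanged context rows of this table are worth fixing while the rows next to them are being touched: "attacker’s persistency" should be "persistence" (Autoruns row), "suspicious systems on the network that night have been used" should be "might have been used" (Network connections row), and "a text file which tell you" should be "tells you" (SMB sessions row).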
@ -110,85 +110,85 @@ The package contains the following folders:
|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab |
| CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. |
## Run Windows Defender Antivirus scan on machines
## Run Windows Defender Antivirus scan on devices
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine.
As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device.
>[!IMPORTANT]
>- This action is available for machines on Windows 10, version 1709 or later.
>- This action is available for devices on Windows 10, version 1709 or later.
>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
One you have selected **Run antivirus scan**, select the scan type that you'd like to run (quick or full) and add a comment before confirming the scan.

The Action center will show the scan information and the machine timeline will include a new event, reflecting that a scan action was submitted on the machine. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
The Action center will show the scan information and the device timeline will include a new event, reflecting that a scan action was submitted on the device. Windows Defender AV alerts will reflect any detections that surfaced during the scan.
## Restrict app execution
In addition to containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running.
>[!IMPORTANT]
> - This action is available for machines on Windows 10, version 1709 or later.
> - This action is available for devices on Windows 10, version 1709 or later.
> - This feature is available if your organization uses Windows Defender Antivirus.
> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing).
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities.
To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised devices and performing further malicious activities.
>[!NOTE]
>You’ll be able to reverse the restriction of applications from running at any time. The button on the machine page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution.
>You’ll be able to reverse the restriction of applications from running at any time. The button on the device page will change to say **Remove app restrictions**, and then you take the same steps as restricting app execution.
Once you have selected **Restrict app execution** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event.
Once you have selected **Restrict app execution** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.

**Notification on machine user**:</br>
**Notification on device user**:</br>
When an app is restricted, the following notification is displayed to inform the user that an app is being restricted from running:

## Isolate machines from the network
## Isolate devices from the network
Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement.
Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.
>[!IMPORTANT]
>- Full isolation is available for machines on Windows 10, version 1703.
>- Selective isolation is available for machines on Windows 10, version 1709 or later.
>- Full isolation is available for devices on Windows 10, version 1703.
>- Selective isolation is available for devices on Windows 10, version 1709 or later.
This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the machine.
This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Microsoft Defender ATP service, which continues to monitor the device.
On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
>[!NOTE]
>You’ll be able to reconnect the machine back to the network at any time. The button on the machine page will change to say **Release from isolation**, and then you take the same steps as isolating the machine.
>You’ll be able to reconnect the device back to the network at any time. The button on the device page will change to say **Release from isolation**, and then you take the same steps as isolating the device.
Once you have selected **Isolate machine** on the machine page, type a comment and select **Confirm**. The Action center will show the scan information and the machine timeline will include a new event.
Once you have selected **Isolate device** on the device page, type a comment and select **Confirm**. The Action center will show the scan information and the device timeline will include a new event.


>[!NOTE]
>The machine will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the machine is isolated.
>The device will remain connected to the Microsoft Defender ATP service even if it is isolated from the network. If you've chosen to enable Outlook and Skype for Business communication, then you'll be able to communicate to the user while the device is isolated.
**Notification on machine user**:</br>
When a machine is being isolated, the following notification is displayed to inform the user that the machine is being isolated from the network:
**Notification on device user**:</br>
When a device is being isolated, the following notification is displayed to inform the user that the device is being isolated from the network:

## Consult a threat expert
You can consult a Microsoft threat expert for more insights regarding a potentially compromised machine or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised machine, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
You can consult a Microsoft threat expert for more insights regarding a potentially compromised device or already compromised ones. Microsoft Threat Experts can be engaged directly from within the Microsoft Defender Security Center for timely and accurate response. Experts provide insights not just regarding a potentially compromised device, but also to better understand complex threats, targeted attack notifications that you get, or if you need more information about the alerts, or a threat intelligence context that you see on your portal dashboard.
See [Consult a Microsoft Threat Expert](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts#consult-a-microsoft-threat-expert-about-suspicious-cybersecurity-activities-in-your-organization) for details.
## Check activity details in Action center
The **Action center** provides information on actions that were taken on a machine or file. You’ll be able to view the following details:
The **Action center** provides information on actions that were taken on a device or file. You’ll be able to view the following details:
- Investigation package collection
- Antivirus scan
- App restriction
- Machine isolation
- Device isolation
All other related details are also shown, for example, submission date/time, submitting user, and if the action succeeded or failed.
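Review bot: "One you have selected **Run antivirus scan**" (unchanged context line) should be "Once you have selected". Two consistency points in the same hunk: the changed bullet "Full isolation is available for devices on Windows 10, version 1703." likely intends "version 1703 or later", matching the Selective bullet right after it; and the changed NOTE lists "Outlook and Skype for Business" while the earlier paragraph lists Outlook, Microsoft Teams, and Skype for Business for Selective Isolation, so one of the two lists is incomplete.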
@ -1,6 +1,6 @@
---
title: Troubleshoot Microsoft Defender ATP onboarding issues
description: Troubleshoot issues that might arise during the onboarding of machines or to the Microsoft Defender ATP service.
description: Troubleshoot issues that might arise during the onboarding of devices or to the Microsoft Defender ATP service.
keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics
search.product: eADQiWindows 10XVcnh
search.appverid: met150
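Review bot: the rewritten description still contains the stray "or" from the original: "onboarding of devices or to the Microsoft Defender ATP service" should read "onboarding of devices to the Microsoft Defender ATP service".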
@ -26,36 +26,36 @@ ms.topic: troubleshooting
You might need to troubleshoot the Microsoft Defender ATP onboarding process if you encounter issues.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the machines.
This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the devices.
## Troubleshoot issues with onboarding tools
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, it might indicate an onboarding or connectivity problem.
### Troubleshoot onboarding when deploying with Group Policy
Deployment with Group Policy is done by running the onboarding script on the machines. The Group Policy console does not indicate if the deployment has succeeded or not.
Deployment with Group Policy is done by running the onboarding script on the devices. The Group Policy console does not indicate if the deployment has succeeded or not.
If you have completed the onboarding process and don't see machines in the [Machines list](investigate-machines.md) after an hour, you can check the output of the script on the machines. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
If you have completed the onboarding process and don't see devices in the [Devices list](investigate-machines.md) after an hour, you can check the output of the script on the devices. For more information, see [Troubleshoot onboarding when deploying with a script](#troubleshoot-onboarding-when-deploying-with-a-script).
If the script completes successfully, see [Troubleshoot onboarding issues on the machines](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
If the script completes successfully, see [Troubleshoot onboarding issues on the devices](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager
When onboarding machines using the following versions of Configuration Manager:
When onboarding devices using the following versions of Configuration Manager:
- Microsoft Endpoint Configuration Manager
- System Center 2012 Configuration Manager
- System Center 2012 R2 Configuration Manager
Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the machines. You can track the deployment in the Configuration Manager Console.
Deployment with the above-mentioned versions of Configuration Manager is done by running the onboarding script on the devices. You can track the deployment in the Configuration Manager Console.
If the deployment fails, you can check the output of the script on the machines.
If the deployment fails, you can check the output of the script on the devices.
If the onboarding completed successfully but the machines are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine) for additional errors that might occur.
If the onboarding completed successfully but the devices are not showing up in the **Devices list** after an hour, see [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device) for additional errors that might occur.
### Troubleshoot onboarding when deploying with a script
**Check the result of the script on the machine**:
**Check the result of the script on the device**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
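Review bot: the in-page anchors are changed to `#troubleshoot-onboarding-issues-on-the-device`, but the heading they point at is not part of this diff; confirm that heading is renamed in the same change, otherwise both links break. `[Devices list](investigate-machines.md)` keeps the file path, which is correct as long as that file is not being renamed.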
@ -70,7 +70,7 @@ Event ID | Error Type | Resolution steps
:---|:---|:---
5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically<br> ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.<br>Verify that the script has been run as an administrator.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the machine is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). <br> <br> If the device is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the device. If rebooting the device doesn't address the issue, upgrade to KB4015217 and try onboarding again.
15 | Failed to start SENSE service | If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location<br>```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.<br>The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors using Event viewer](event-error-codes.md).
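Review bot: the third row with Event ID 15 (unchanged context) reads as a run-on: "If the message of the error is: System error 577 or error 1058 has occurred. You need to enable the Windows Defender Antivirus ELAM driver, see ...". Suggest: "If the error message is 'System error 577 or error 1058 has occurred', enable the Windows Defender Antivirus ELAM driver; see [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)." Three rows sharing Event ID 15 also defeats the table as a lookup by ID; consider merging them into one row with the sub-cases separated by `<br>`, as the other rows already do.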
@ -80,7 +80,7 @@ Event ID | Error Type | Resolution steps
### Troubleshoot onboarding issues using Microsoft Intune
You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment.
If you have configured policies in Intune and they are not propagated on devices, you might need to configure automatic MDM enrollment.
Use the following tables to understand the possible causes of issues while onboarding:
@ -95,9 +95,9 @@ If none of the event logs and troubleshooting steps work, download the Local scr
Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
:---|:---|:---|:---|:---
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding <br> Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields. <br><br> **Troubleshooting steps:** <br> Check the event IDs in the [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log) section. <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | | Onboarding <br> Offboarding <br> SampleSharing | **Possible cause:** Microsoft Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it. <br><br> **Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection``` <br> <br> If it doesn't exist, open an elevated command and add the key.
| | | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the machine](#troubleshoot-onboarding-issues-on-the-machine). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
| | | | SenseIsRunning <br> OnboardingState <br> OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed. <br><br> **Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot onboarding issues on the device](#troubleshoot-onboarding-issues-on-the-device). <br><br> Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
|| | | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional. <br> Server is not supported.
0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Microsoft Defender ATP on non-supported SKU/Platform, particularly Holographic SKU. <br><br> Currently is supported platforms: Enterprise, Education, and Professional.
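Review bot: the renamed in-page anchors `#view-agent-onboarding-errors-in-the-device-event-log` and `#troubleshoot-onboarding-issues-on-the-device` only resolve if the corresponding headings are renamed in the same change; they do match `## Troubleshoot onboarding issues on the device` and `### View agent onboarding errors in the device event log` elsewhere in this diff, so that is consistent. While touching these rows, the unchanged context "Currently is supported platforms: Enterprise, Education, and Professional." (appears twice) should read "Currently supported platforms are Enterprise, Education, and Professional.", and "open an elevated command and add the key" should say "open an elevated command prompt and add the key".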
@ -108,9 +108,9 @@ The following table provides information on issues with non-compliance and how y
Case | Symptoms | Possible cause and troubleshooting steps
:---|:---|:---
1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
1 | Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already. <br><br> **Troubleshooting steps:** Wait for OOBE to complete.
2 | Device is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the device as non-compliant by SenseIsRunning when DM session occurs on system start. <br><br> **Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
3 | Device is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same device at same time.
<br>
<strong>Mobile Device Management (MDM) event logs</strong>
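Review bot: case 1 still carries a sentence fragment after the rename ("Device is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs."); suggest "Device is compliant by the SenseIsRunning OMA-URI but non-compliant by the OrgId, Onboarding, and OnboardingState OMA-URIs." The trailing context also introduces the MDM event log section with raw `<br>` and `<strong>Mobile Device Management (MDM) event logs</strong>`; a markdown `###` heading would give it an anchor like the other troubleshooting sections and match the file's heading style.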
@ -125,16 +125,16 @@ ID | Severity | Event description | Troubleshooting steps
:---|:---|:---|:---
1819 | Error | Microsoft Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Download the [Cumulative Update for Windows 10, 1607](https://go.microsoft.com/fwlink/?linkid=829760).
## Troubleshoot onboarding issues on the machine
If the deployment tools used does not indicate an error in the onboarding process, but machines are still not appearing in the machines list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent:
- [View agent onboarding errors in the machine event log](#view-agent-onboarding-errors-in-the-machine-event-log)
## Troubleshoot onboarding issues on the device
If the deployment tools used does not indicate an error in the onboarding process, but devices are still not appearing in the devices list in an hour, go through the following verification topics to check if an error occurred with the Microsoft Defender ATP agent:
- [View agent onboarding errors in the device event log](#view-agent-onboarding-errors-in-the-device-event-log)
- [Ensure the diagnostic data service is enabled](#ensure-the-diagnostics-service-is-enabled)
- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
- [Ensure the machine has an Internet connection](#ensure-the-machine-has-an-internet-connection)
- [Ensure the device has an Internet connection](#ensure-the-device-has-an-internet-connection)
- [Ensure that Windows Defender Antivirus is not disabled by a policy](#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy)
### View agent onboarding errors in the machine event log
### View agent onboarding errors in the device event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
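Review bot: renaming `## Troubleshoot onboarding issues on the machine` and `### View agent onboarding errors in the machine event log` changes their generated anchors, so any existing link to `#troubleshoot-onboarding-issues-on-the-machine` or `#view-agent-onboarding-errors-in-the-machine-event-log` from other pages now breaks. This file already keeps a stable id for the diagnostics section with `<span id="ensure-the-diagnostics-service-is-enabled" />`; suggest the same pattern here, for example `<span id="troubleshoot-onboarding-issues-on-the-machine" />` directly above the renamed heading. The intro sentence also has a number mismatch that survives the rename: "If the deployment tools used does not indicate an error" should be "If the deployment tool you used does not indicate an error".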
@ -155,31 +155,31 @@ If the deployment tools used does not indicate an error in the onboarding proces
Event ID | Message | Resolution steps
:---|:---|:---
5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection).
5 | Microsoft Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
6 | Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-script.md).
7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection), then run the entire onboarding process again.
7 | Microsoft Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection), then run the entire onboarding process again.
9 | Microsoft Defender Advanced Threat Protection service failed to change its start type. Failure code: variable | If the event happened during onboarding, reboot and re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md). <br><br>If the event happened during offboarding, contact support.
10 | Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable | If the event happened during onboarding, re-attempt running the onboarding script. For more information, see [Run the onboarding script again](configure-endpoints-script.md). <br><br>If the problem persists, contact support.
15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the machine has Internet access](#ensure-the-machine-has-an-internet-connection).
15 | Microsoft Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the device has Internet access](#ensure-the-device-has-an-internet-connection).
17 | Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable | [Run the onboarding script again](configure-endpoints-script.md). If the problem persists, contact support.
25 | Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
27 | Failed to enable Microsoft Defender Advanced Threat Protection mode in Windows Defender. Onboarding process failed. Failure code: variable | Contact support.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the machine has Internet access, then run the entire offboarding process again.
29 | Failed to read the offboarding parameters. Error type: %1, Error code: %2, Description: %3 | Ensure the device has Internet access, then run the entire offboarding process again.
30 | Failed to disable $(build.sense.productDisplayName) mode in Microsoft Defender Advanced Threat Protection. Failure code: %1 | Contact support.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the machine.
55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the machine.
32 | $(build.sense.productDisplayName) service failed to request to stop itself after offboarding process. Failure code: %1 | Verify that the service start type is manual and reboot the device.
55 | Failed to create the Secure ETW autologger. Failure code: %1 | Reboot the device.
63 | Updating the start type of external service. Name: %1, actual start type: %2, expected start type: %3, exit code: %4 | Identify what is causing changes in start type of mentioned service. If the exit code is not 0, fix the start type manually to expected start type.
64 | Starting stopped external service. Name: %1, exit code: %2 | Contact support if the event keeps re-appearing.
68 | The start type of the service is unexpected. Service name: %1, actual start type: %2, expected start type: %3 | Identify what is causing changes in start type. Fix mentioned service start type.
69 | The service is stopped. Service name: %1 | Start the mentioned service. Contact support if persists.
<br>
There are additional components on the machine that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
There are additional components on the device that the Microsoft Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Microsoft Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
<span id="ensure-the-diagnostics-service-is-enabled" />
### Ensure the diagnostic data service is enabled
If the machines aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the machine. The service might have been disabled by other programs or user configuration changes.
If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the device. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
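Review bot: rows 5, 7 and 15 link "Ensure the device has Internet access" to `#ensure-the-device-has-an-internet-connection`, but row 29 gives the same instruction as plain text ("Ensure the device has Internet access, then run the entire offboarding process again"); link it the same way so all four rows send the reader to the same check. The new anchor matches `### Ensure the device has an Internet connection` renamed further down in this diff, and the diagnostics link is unaffected because it targets the explicit `<span id="ensure-the-diagnostics-service-is-enabled" />` kept in context rather than the heading text.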
@ -187,7 +187,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the machine:
1. Open an elevated command-line prompt on the device:
a. Click **Start**, type **cmd**, and press **Enter**.
@ -208,7 +208,7 @@ First, you should check that the service is set to start automatically when Wind
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the machine:
1. Open an elevated command-line prompt on the device:
a. Click **Start**, type **cmd**, and press **Enter**.
@ -234,7 +234,7 @@ First, you should check that the service is set to start automatically when Wind
sc start diagtrack
```
### Ensure the machine has an Internet connection
### Ensure the device has an Internet connection
The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
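Review bot: the context line directly under the renamed heading reads "The Window Defender ATP sensor", which is both a typo and the superseded product name; since the heading is already being touched, change it to "The Microsoft Defender ATP sensor", the name used in every other line of these hunks. The heading rename from "machine" to "device" also drops the old anchor `#ensure-the-machine-has-an-internet-connection`; a `<span id="ensure-the-machine-has-an-internet-connection" />` above the new heading, as this file already does for the diagnostics section, keeps older links working.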
@ -249,7 +249,7 @@ If the verification fails and your environment is using a proxy to connect to th
**Symptom**: Onboarding successfully completes, but you see error 577 or error 1058 when trying to start the service.
**Solution**: If your machines are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
**Solution**: If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled. You must ensure that it's not disabled in system policy.
- Depending on the tool that you use to implement policies, you'll need to verify that the following Windows Defender policies are cleared:
@ -291,15 +291,15 @@ You might also need to check the following:

- Check to see that machines are reflected in the **Machines list** in the portal.
- Check to see that devices are reflected in the **Devices list** in the portal.
## Confirming onboarding of newly built machines
There may be instances when onboarding is deployed on a newly built machine but not completed.
## Confirming onboarding of newly built devices
There may be instances when onboarding is deployed on a newly built device but not completed.
The steps below provide guidance for the following scenario:
- Onboarding package is deployed to newly built machines
- Onboarding package is deployed to newly built devices
- Sensor does not start because the Out-of-box experience (OOBE) or first user logon has not been completed
- Machine is turned off or restarted before the end user performs a first logon
- Device is turned off or restarted before the end user performs a first logon
- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
>[!NOTE]
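Review bot: "**Devices list**" is a bold UI label rather than prose, so this rename needs to be checked against what the portal navigation actually shows at publication time; if the portal still reads "Machines list" for some tenants, the instruction "Check to see that devices are reflected in the **Devices list** in the portal" sends readers to a label that does not exist. The new heading "## Confirming onboarding of newly built devices" also changes its generated anchor; keep the old one with a `<span id="confirming-onboarding-of-newly-built-machines" />` alias, following the pattern this file already uses for the diagnostics section.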
@ -406,6 +406,6 @@ The steps below provide guidance for the following scenario:
## Related topics
- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md)
- [Onboard machines](onboard-configure.md)
- [Configure machine proxy and Internet connectivity settings](configure-proxy-internet.md)
- [Onboard devices](onboard-configure.md)
- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
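Review bot: only the link text changes here ("Onboard devices", "Configure device proxy and Internet connectivity settings") while the targets `onboard-configure.md` and `configure-proxy-internet.md` stay the same; confirm that the titles of those two pages were renamed in the same series of updates, otherwise the related-topics text will no longer match the destination page titles.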