deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-16 15:27:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into doom

Browse Source
This commit is contained in:
Joey Caparas 2020-03-20 09:20:52 -07:00
commit a728567f41
15 changed files with 238 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
devices/hololens/hololens-provisioning.md
View File

@ -61,10 +61,9 @@ Provisioning packages can include management instructions and policies, custom n
## Steps for creating provisioning packages
### 1. Install Windows Configuration Designer on your PC.
You can do this in either of the following ways:
- **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
- **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). This includes HoloLens 2 capabilities.
2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configuration Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box. This option does not include HoloLens 2 capabilities.
### 2. Create the provisioning package

93
windows/deployment/update/media-dynamic-update.md
View File

@ -8,7 +8,7 @@ itproauthor: jaimeo
author: SteveDiAcetis
ms.localizationpriority: medium
ms.author: jaimeo
ms.reviewer:
ms.reviewer:
manager: laurawi
ms.collection: M365-modern-desktop
ms.topic: article
@ -88,7 +88,7 @@ The main operating system file (install.wim) contains multiple editions of Windo
### Additional languages and features
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image.
Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
@ -108,7 +108,7 @@ These examples are for illustration only, and therefore lack error handling. The
The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
```
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) }
Write-Host "$(Get-TS): Starting media refresh"
@ -121,19 +121,19 @@ $LANG = "ja-jp"
$LANG_FONT_CAPABILITY = "jpan"
# Declare Dynamic Update packages
$LCU_PATH = “C:\mediaRefresh\packages\LCU.msu”
$SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu”
$LCU_PATH = "C:\mediaRefresh\packages\LCU.msu"
$SSU_PATH = "C:\mediaRefresh\packages\SSU_DU.msu"
$SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
$SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab”
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu
$SAFE_OS_DU_PATH = "C:\mediaRefresh\packages\SafeOS_DU.cab"
$DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu"
# Declare folders for mounted images and temp files
$WORKING_PATH = "C:\mediaRefresh\temp"
$MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
$MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount
$WINRE_MOUNT = $WORKING_PATH + "\WinREMount
$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount
$MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount"
$WINRE_MOUNT = $WORKING_PATH + "\WinREMount"
$WINPE_MOUNT = $WORKING_PATH + "\WinPEMount"
# Mount the language pack ISO
Write-Host "$(Get-TS): Mounting LP ISO"
@ -152,7 +152,7 @@ $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Cli
# Mount the Features on Demand ISO
Write-Host "$(Get-TS): Mounting FOD ISO"
$FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
$FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\"
# Create folders for mounting images and storing temporary files
New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
@ -162,7 +162,7 @@ New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Keep the original media, make a copy of it for the new, updateed media.
Write-Host "$(Get-TS): Copying original media to new media path"
Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Copy-Item -Path $MEDIA_OLD_PATH"\*" -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
```
### Update WinRE
@ -177,14 +177,14 @@ It finishes by cleaning and exporting the image to reduce the image size.
```
# Mount the main operating system, used throughout the script
Write-Host "$(Get-TS): Mounting main OS"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim" -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null
#
# update Windows Recovery Environment (WinRE)
#
Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Destination $WORKING_PATH"\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
@ -226,10 +226,10 @@ if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
@ -244,35 +244,35 @@ Write-Host "$(Get-TS): Performing image cleanup on WinRE"
DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
Dismount-WindowsImage -Path $WINRE_MOUNT -Save -ErrorAction stop | Out-Null
# Export
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim
Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim"
Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim" -Force -ErrorAction stop | Out-Null
```
### Update WinPE
This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
```
#
#
# update Windows Preinstallation Environment (WinPE)
#
#
# Get the list of images contained within WinPE
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim”
$WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim"
Foreach ($IMAGE in $WINPE_IMAGES) {
# update WinPE
Write-Host "$(Get-TS): Mounting WinPE"
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
Write-Host "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
# Install lp.cab cab
Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null
@ -287,7 +287,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
$INDEX = $PACKAGE.PackageName.IndexOf("-Package")
if ($INDEX -ge 0) {
$OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
$OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
@ -307,10 +307,10 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Add TTS support for the new language
if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
}
@ -321,7 +321,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Write-Host "$(Get-TS): Updating lang.ini"
DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
}
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
@ -331,28 +331,28 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
# Dismount
Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null
#Export WinPE
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
}
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH"\sources\boot.wim" -Force -ErrorAction stop | Out-Null
```
### Update the main operating system
For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
```
#
#
# update Main OS
#
#
# Add servicing stack update
Write-Host "$(Get-TS): Adding package $SSU_PATH"
@ -385,20 +385,20 @@ Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOU
# Add latest cumulative update
Write-Host "$(Get-TS): Adding package $LCU_PATH"
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null
# Copy our updated recovery image from earlier into the main OS
# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
# Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file
# into each edition to enable single instancing
Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
Copy-Item -Path $WORKING_PATH"\winre.wim" -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim" -Force -Recurse -ErrorAction stop | Out-Null
# Perform image cleanup
Write-Host "$(Get-TS): Performing image cleanup on main OS"
DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
#
# Note: If I wanted to enable additional Optional Components, I'd add these here.
# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
# Note: If I wanted to enable additional Optional Components, I'd add these here.
# In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require
# the image to be booted, and thus if we tried to cleanup after installation, it would fail.
#
@ -413,9 +413,9 @@ Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorActio
Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
# Export
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim"
Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH"\sources\install.wim" -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim" -ErrorAction stop | Out-Null
Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sources\install.wim" -Force -ErrorAction stop | Out-Null
```
### Update remaining media files
@ -446,8 +446,7 @@ Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
# Dismount ISO images
Write-Host "$(Get-TS): Dismounting ISO images"
Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null
Write-Host "$(Get-TS): Media refresh completed!"
```

25
windows/security/threat-protection/microsoft-defender-atp/configuration-score.md
View File

@ -49,14 +49,29 @@ The data in the configuration score card is the product of meticulous and ongoin
From the widget, you'd be able to see which security aspect requires attention. You can click the configuration score categories and it will take you to the **Security recommendations** page to see more details and understand the context of the issue. From there, you can act on them based on security benchmarks.
## Improve your configuration score
## Improve your security configuration
The goal is to remediate the issues in the security recommendations list to improve your configuration score. You can filter the view based on:
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
- **Related component****Accounts**, **Application**, **Network**, **OS**, or **Security controls**
- **Remediation type****Configuration change** or **Software update**
1. From the Configuration score card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md), select **Security controls**. The [**Security recommendations**](tvm-security-recommendation.md) page opens to shows the list of recommendations related to security controls.
See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details.
2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
![Security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
>![Request remediation](images/tvm_request_remediation.png).
You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Review the machine **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:

5
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -23,10 +23,7 @@ ms.topic: article
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
When you get started with the lab, you'll be guided through a simple set-up process where you can specify the type of configuration that best suits your needs.

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secrec_sw_details.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 370 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tag.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm-eos-tags-column.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/tvm_config_score.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 25 KiB

8
windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md
View File

@ -33,7 +33,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The ```HTTPS_PROXY``` variable is defined in ```/etc/environment``` with the following line:
```bash
HTTPS_PROXY=”http://proxy.server:port/”
HTTPS_PROXY="http://proxy.server:port/"
```
- The `HTTPS_PROXY` variable is defined in the package manager global configuration. For example, in Ubuntu 18.04, you can add the following line to `/etc/apt/apt.conf.d/proxy.conf`:
@ -48,7 +48,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t
- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP:
```bash
$ HTTPS_PROXY=http://proxy.server:port/" apt install mdatp
$ HTTPS_PROXY="http://proxy.server:port/" apt install mdatp
```
> [!NOTE]
@ -62,12 +62,12 @@ Note that installation and uninstallation will not necessarily fail if a proxy i
After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways:
- Uncomment the line `#Environment=HTTPS_PROXY="http://address:port”` and specify your static proxy address.
- Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address.
- Add a line `EnvironmentFile=/path/to/env/file`. This path can point to `/etc/environment` or a custom file, either of which needs to add the following line:
```bash
HTTPS_PROXY=”http://proxy.server:port/”
HTTPS_PROXY="http://proxy.server:port/"
```
After modifying the `mdatp.service` file, save and close it. Restart the service so the changes can be applied. In Ubuntu, this involves two commands:

23
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -70,6 +70,29 @@ Microsoft Defender ATP's Threat & Vulnerability Management allows security admin
- Alternate mitigations. Threat & Vulnerability Management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization.
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later
>[!NOTE]
>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
> Release | Security update KB number and link
> :---|:---
> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)

177
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -27,155 +27,9 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## Before you begin
Ensure that your machines:
- Are onboarded to Microsoft Defender Advanced Threat Protection
- Run with Windows 10 1709 (Fall Creators Update) or later
>[!NOTE]
>Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday.
- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates:
> Release | Security update KB number and link
> :---|:---
> RS3 customers | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071)
> RS4 customers| [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045)
> RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077)
> 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941)
- Are onboarded to Microsoft Intune and Microsoft Endpoint Configuration Manager. If you are using Configuration Manager, update your console to the latest version.
- Have at least one security recommendation that can be viewed in the machine page
- Are tagged or marked as co-managed
## Reduce your threat and vulnerability exposure
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
- 029: low exposure score
- 3069: medium exposure score
- 70100: high exposure score
You can remediate the issues based on prioritized security recommendations to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
To lower down your threat and vulnerability exposure:
1. Review the **Top security recommendations** from your **Threat & Vulnerability Management dashboard**, and select the first item on the list. The **Security recommendation** page opens.
There are two types of recommendations:
- *Security update* which refers to recommendations that require a package installation
- *Configuration change* which refers to recommendations that require a registry or GPO modification
Always prioritize recommendations that are associated with ongoing threats:
- ![Threat insight](images/tvm_bug_icon.png) Threat insight icon
- ![Possible active alert](images/tvm_alert_icon.png) Active alert icon
>![Top security recommendations](images/tvm_security_recommendations.png)
2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png)
3. Click **Installed machines** and select the affected machine from the list to open the flyout panel with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
## Improve your security configuration
>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md).
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
1. From the Configuration score widget, select **Security controls**. The **Security recommendations** page opens and shows the list of issues related to security controls.
>![Configuration score widget](images/tvm_config_score.png)
2. Select the first item on the list. The flyout panel will open with a description of the security controls issue, a short description of the potential risk, insights, configuration ID, exposed machines, and business impact. Click **Remediation options**.
![Security controls related security recommendations](images/tvm_security_controls.png)
3. Read the description to understand the context of the issue and what to do next. Select a due date, add notes, and select **Export all remediation activity data to CSV** so you can attach it to the email that you can send to your IT Administrator for follow-up.
>![Request remediation](images/tvm_request_remediation.png).
You will see a confirmation message that the remediation task has been created.
>![Remediation task creation confirmation](images/tvm_remediation_task_created.png)
4. Save your CSV file.
![Save csv file](images/tvm_save_csv_file.png)
5. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.
6. Review the machine **Configuration score** widget again. The number of the security controls issues will decrease. When you click **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
## Request a remediation
>[!NOTE]
>To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow.
Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
1. Click a security recommendation you would like to request remediation for, and then click **Remediation options**.
2. Select **Open a ticket in Intune (for AAD joined devices)**, select a due date, and add optional notes for the IT Administrator. Click **Submit request**.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
4. Go to the **Remediation** page to view the status of your remediation request.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
## File for exception
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
Exceptions can be created for both *Security update* and *Configuration change* recommendations.
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
1. Navigate to the **Security recommendations** page under the **Threat & Vulnerability Management** section menu.
2. Click the top-most recommendation. A flyout panel opens with the recommendation details.
3. Click **Exception options**.
![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png)
4. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png)
5. Click **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png)
6. Navigate to the **Remediation** page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png)
## Use advanced hunting query to search for machines with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane.
1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
2. Scroll down to the TVM advanced hunting schemas to familiarize yourself with the column names.
@ -196,22 +50,22 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
```
## Conduct an inventory of software or software versions which have reached end-of-support (EOS)
## Find and remediate software or software versions which have reached end-of-support (EOS)
End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem.
To conduct an inventory of software or software versions which have reached end-of-support:
To find software or software versions which have reached end-of-support:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and select **Software uninstall** from **Remediation Type** options to see the list of software recommendations associated with software which have reached end of support (tagged as **EOS software**).
3. Select **Software update** from **Remediation Type** options to see the list of software recommendations associated with software and software versions which have reached end-of-support (tagged as **EOS versions installed**).
4. Select software that you'd like to investigate. A fly-out screen opens where you can select **Open software page**.
![Screenshot of Security recommendation for a software that reached its end of life page](images/secrec_flyout.png)
2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
5. In the **Software page** select the **Version distribution** tab to know which versions of the software have reached their end-of-support, and how many vulnerabilities were discovered in it.
![Screenshot of software details for a software that reached its end of support](images/secrec_sw_details.png)
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png)
3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png)
After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
@ -228,10 +82,9 @@ After you have identified which software and software versions are vulnerable du
- [Weaknesses](tvm-weaknesses.md)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Machine APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

55
windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
View File

@ -30,14 +30,46 @@ The card gives you a high-level view of your exposure score trend over time. Any
## How it works
Several factors affect your organization exposure score:
Threat & Vulnerability Management introduces a new exposure score metric, which visually represents how exposed your machines are to imminent threats.
- Weakness discovered on the device
- Likelihood of a device getting breached
- Value of the device to the organization
- Relevant alert discovered on the device
The exposure score is continuously calculated on each device in the organization and influenced by the following factors:
- Weaknesses, such as vulnerabilities discovered on the device
- External and internal threats such as public exploit code and security alerts
- Likelihood of the device to get breached given its current security posture
- Value of the device to the organization given its role and content
The exposure score is broken down into the following levels:
- 029: low exposure score
- 3069: medium exposure score
- 70100: high exposure score
You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization.
## Reduce your threat and vulnerability exposure
To lower your threat and vulnerability exposure, follow these steps.
1. Review the **Top security recommendations** from your [**Threat & Vulnerability Management dashboard**](tvm-dashboard-insights.md) , and select the first item on the list. The **Security recommendation** page opens.
Always prioritize recommendations that are associated with ongoing threats:
- ![Threat insight](images/tvm_bug_icon.png) Threat insight icon
- ![Possible active alert](images/tvm_alert_icon.png) Active alert icon
![Screenshot of security recommendations page](images/top-security-recommendations350.png)
2. The **Security recommendations** page shows the list of items to remediate. Select the security recommendation that you need to investigate. When you select a recommendation from the list, a fly-out panel will display a description of what you need to remediate, number of vulnerabilities, associated exploits in machines, number of exposed machines and their machine names, business impact, and a list of CVEs. Click **Open software page** option from the flyout panel. ![Details in security recommendations page](images/tvm_security_recommendations_page.png)
3. Select **Installed machines** and then the affected machine from the list. A flyout panel will open with the relevant machine details, exposure and risk levels, alert and incident activities. ![Details in software page ](images/tvm_software_page_details.png)
4. Click **Open machine page** to connect to the machine and apply the selected recommendation. See [Investigate machines in the Microsoft Defender ATP Machines list](investigate-machines.md) for details. ![Details in machine page](images/tvm_machine_page_details.png)
5. Allow a few hours for the changes to propagate in the system.
6. Review the machine **Security recommendation** tab again. The recommendation you've chosen to remediate is removed from the security recommendation list, and the exposure score decreases.
Reduce the exposure score by addressing what needs to be remediated based on the prioritized security recommendations. See [Security recommendations](tvm-security-recommendation.md) for details.
## Related topics
@ -50,8 +82,9 @@ Reduce the exposure score by addressing what needs to be remediated based on the
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Score APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/score)
- [Software APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/software)
- [Vulnerability APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Recommendation APIs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/vulnerability)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Recommendation APIs](vulnerability.md)
- [Machine APIs](machine.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)

48
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -80,6 +80,52 @@ From the flyout, you can do any of the following:
>[!NOTE]
>When a change is made on a machine, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
## Request remediation
The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT Administrators through the remediation request workflow. Security Administrators like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
### Enable Microsoft Intune connection
To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on.
See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details.
### Remediation request steps
1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**.
2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within Threat & Vulnerability Management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to machines.
3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment.
4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request.
>[!NOTE]
>If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune.
## File for exception
With Threat & Vulnerability Management, you can create exceptions for recommendations, as an alternative to a remediation request.
There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.
Exceptions can be created for both *Security update* and *Configuration change* recommendations.
When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.
1. Select a security recommendation you would like create an exception for, and then **Exception options**.
![Screenshot of the exception option in the remediation flyout pane](images/tvm-exception-option.png)
2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration.
> ![Screenshot of exception flyout page which details justification and context](images/tvm-exception-flyout.png)
3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created.
![Screenshot of exception confirmation message](images/tvm-exception-confirmation.png)
4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat & Vulnerability Management** menu and click the **Exceptions** tab to view all your exceptions (current and past).
![Screenshot of exception list of exceptions in the Remediation page](images/tvm-exception-list.png)
## Report inaccuracy
You can report a false positive when you see any vague, inaccurate, incomplete, or already remediated security recommendation information.
@ -96,6 +142,8 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)

2
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -44,7 +44,7 @@ The Security Compliance Toolkit consists of:
- Office 365 ProPlus (Sept 2019)
- Microsoft Edge security baseline
- Version 79
- Version 80
- Tools
- Policy Analyzer tool

59
windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md
View File

@ -12,7 +12,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 02/25/2020
ms.reviewer:
manager: dansimp
---
@ -23,21 +22,24 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10.
## Overview
However, on endpoints and devices that are protected with a non-Microsoft antivirus or antimalware app, Windows Defender Antivirus will automatically disable itself.
Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and and threats are not remediated by Windows Defender Antivirus.)
- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
If you are also using Microsoft Defender Advanced Threat Protection, then Windows Defender Antivirus will enter a passive mode. Important: Real time protection and and threats will not be remediated by Windows Defender Antivirus.
## Antivirus and Microsoft Defender ATP
The following matrix illustrates the states that Windows Defender Antivirus will enter when third-party antivirus products or Microsoft Defender ATP are also used.
The following table summarizes what happens with Windows Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP.
| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
|---------------------|---------------------------------------------------------------------|-------------------------------------------------|-----------------------------------|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
| Windows 10 | Windows Defender Antivirus | No | Active mode |
| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Windows Defender Antivirus state |
|------|------|-------|-------|
| Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode |
| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode |
| Windows 10 | Windows Defender Antivirus | Yes | Active mode |
| Windows 10 | Windows Defender Antivirus | No | Active mode |
| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode<sup>[[1](#fn1)]</sup> |
| Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | No | Active mode<sup>[[1](#fn1)]<sup> |
| Windows Server 2016 or 2019 | Windows Defender Antivirus | Yes | Active mode |
@ -52,7 +54,6 @@ If you are Using Windows Server, version 1803 and Windows 2019, you can enable p
See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) for key differences and management options for Windows Server installations.
>[!IMPORTANT]
>Windows Defender Antivirus is only available on endpoints running Windows 10, Windows Server 2016, and Windows Server 2019.
>
@ -60,32 +61,38 @@ See [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defende
>
>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations).
## Functionality and features available in each state
This table indicates the functionality and features that are available in each state:
The following table summarizes the functionality and features that are available in each state:
State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Security intelligence updates](manage-updates-baselines-windows-defender-antivirus.md)
:-|:-|:-:|:-:|:-:|:-:|:-:
Passive mode | Windows Defender Antivirus will not be used as the antivirus app, and threats will not be remediated by Windows Defender Antivirus. Files will be scanned and reports will be provided for threat detections which are shared with the Microsoft Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
Automatic disabled mode | Windows Defender Antivirus will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]
Active mode | Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)]
|State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) |
|--|--|--|--|--|--|
|Active mode <br/><br/> |Yes |No |Yes |Yes |Yes |
|Passive mode |No |No |Yes |No |Yes |
|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes |
|Automatic disabled mode |No |Yes |No |No |No |
- In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself).
- In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service.
- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items.
- In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated.
## Keep the following points in mind
If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Windows Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks.
Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender Antivirus will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
When Windows Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
In passive and automatic disabled mode, you can still [manage updates for Windows Defender Antivirus](manage-updates-baselines-windows-defender-antivirus.md); however, you can't move Windows Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
If you uninstall the other product, and choose to use Windows Defender Antivirus to provide protection to your endpoints, Windows Defender Antivirus will automatically return to its normal active mode.
>[!WARNING]
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app.
>
>This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks.
>
>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md).
## Related topics
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
- [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md)
- [Shadow protection in next-generation protection](shadow-protection.md)