From d0a17958c923541d1da113479f5e0ca309242dd0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 9 Apr 2020 14:58:13 -0700 Subject: [PATCH 01/42] retire shadow protection article replace with article about EDR in block mode --- windows/security/threat-protection/TOC.md | 5 +-- .../edr-blocking.md} | 42 +++++++++---------- 2 files changed, 21 insertions(+), 26 deletions(-) rename windows/security/threat-protection/{windows-defender-antivirus/shadow-protection.md => microsoft-defender-atp/edr-blocking.md} (54%) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 17bf4fe48e..2cb8417e70 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -315,10 +315,7 @@ ##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) - - - -##### [Shadow protection?](windows-defender-antivirus/shadow-protection.md) +##### [EDR in block mode](microsoft-defender-atp/edr-blocking.md) #### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md b/windows/security/threat-protection/microsoft-defender-atp/edr-blocking.md similarity index 54% rename from windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md rename to windows/security/threat-protection/microsoft-defender-atp/edr-blocking.md index 9fc1cbc630..21280aac82 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-blocking.md 
@@ -1,7 +1,7 @@ --- -title: Shadow protection in next-generation protection -description: Learn about shadow protection in next-generation protection -keywords: Windows Defender Antivirus, shadow protection, passive mode +title: Endpoint detection and response in block mode +description: Learn about endpoint detection and response in block mode +keywords: Microsoft Defender ATP, EDR blocking, passive mode blocking search.product: eADQiWindows 10XVcnh ms.pagetype: security author: denisebmsft 
@@ -16,46 +16,44 @@ ms.custom: next-gen ms.collection: --- -# Shadow protection in next-generation protection +# EDR in block mode **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -## What is shadow protection? +## What is EDR in block mode? -When enabled, shadow protection extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach protection. This is the case even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. Shadow protection is useful if your organization has not fully transitioned to Windows Defender Antivirus and you are presently using a third-party antivirus solution. Shadow protection works behind the scenes by remediating malicious entities identified in post-breach protection that the existing third-party antivirus solution missed. +When enabled, endpoint detection and response (EDR) in block mode blocks malicious artifacts or behaviors observed through post-breach protection. EDR extends behavioral-based blocking and containment capabilities in Microsoft Defender ATP. EDR in block mode works behind the scenes to remediate malicious entities identified in post-breach. > [!NOTE] -> Shadow protection is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection). - -To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). 
+> EDR in block mode is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection). To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). ## What happens when something is detected? -When shadow protection is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). +When EDR blocking is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). -The following images shows an instance of unwanted software that was detected and blocked through shadow protection: +The following images shows an instance of unwanted software that was detected and blocked through EDR blocking: -:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by shadow protection"::: +:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by EDR blocking"::: -## Turn on shadow protection +## Enable EDR in block mode > [!IMPORTANT] -> Make sure the [requirements](#requirements-for-shadow-protection) are met before turning shadow protection on. +> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning EDR blocking on. 1. 
Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Choose **Settings** > **Advanced features**. - :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn shadow protection on"::: + :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn EDR blocking on"::: -3. Turn shadow protection on. +3. Turn on EDR in block mode. > [!NOTE] -> Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off. +> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode. -## Requirements for shadow protection +## Requirements for EDR in block mode |Requirement |Details | |---------|---------| 
@@ -67,14 +65,14 @@ The following images shows an instance of unwanted software that was detected an |Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] -> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection) +> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features. ## Frequently asked questions -### Will shadow protection have any impact on a user's antivirus protection? +### Will EDR in block mode have any impact on a user's antivirus protection? -No. Shadow protection does not affect third-party antivirus protection running on users' machines. Shadow protection kicks in if the primary antivirus solution misses something, or if there is post-breach detection. Shadow protection works just like Windows Defender Antivirus in passive mode with the additional steps of blocking and remediating malicious items detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR om block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Windows Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious items that are detected. 
### Why do I need to keep Windows Defender Antivirus up to date? @@ -84,7 +82,7 @@ The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat- Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models. -### Can I participate in the private preview of shadow protection? +### Can I participate in the private preview of EDR in block mode? If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`. From daebc9982356acbb0787f368dd303b22f251f3d3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 9 Apr 2020 15:30:36 -0700 Subject: [PATCH 02/42] fixing EDR in block mode --- .openpublishing.redirection.json | 5 +++++ windows/security/threat-protection/TOC.md | 2 +- .../{edr-blocking.md => edr-in-block-mode.md} | 0 3 files changed, 6 insertions(+), 1 deletion(-) rename windows/security/threat-protection/microsoft-defender-atp/{edr-blocking.md => edr-in-block-mode.md} (100%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3b8c2ce3db..285bbbb206 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -15870,6 +15870,11 @@ "source_path": "windows/deployment/deploy-windows-sccm/deploy-windows-10-with-configuration-manager.md", "redirect_url": "https://docs.microsoft.com/windows/deployment/deploy-windows-cm/get-started-with-configuraton-manager", "redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode", +"redirect_document_id": true } ] } 
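Review bot: in the PATCH 01 `edr-in-block-mode.md` hunk at `@@ -16,46 +16,44 @@`, the NOTE still links to `#can-i-participate-in-the-private-preview-of-shadow-protection` while the same hunk renames that heading to "Can I participate in the private preview of EDR in block mode?", so the in-page anchor no longer resolves; point it at `#can-i-participate-in-the-private-preview-of-edr-in-block-mode`. In the same hunk the replacement sentence "EDR in block mode works behind the scenes to remediate malicious entities identified in post-breach." loses the noun the removed line had ("identified in post-breach protection"), and the new paragraph no longer states that this applies when Windows Defender Antivirus is not the active antivirus solution, which is the scenario the removed text described and which the compatibility article later in this series still relies on. Also "The following images shows" should be "The following image shows".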
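Review bot: the PATCH 01 hunk at `@@ -67,14 +65,14 @@` introduces the typo "EDR om block mode" in the FAQ answer (should be "EDR in block mode"), and the rewritten IMPORTANT note drops both the feature list (behavioral monitoring, IOfficeAV, tamper protection) and the link to "Protect security settings with tamper protection" that the removed line carried. Since the next question, "Why do I need to keep Windows Defender Antivirus up to date?", still addresses Windows Defender Antivirus specifically, keep the tamper protection link for that case rather than generalising the note to "your antivirus solution" without it.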
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2cb8417e70..1510e506d5 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -315,7 +315,7 @@ ##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) -##### [EDR in block mode](microsoft-defender-atp/edr-blocking.md) +##### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) #### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md similarity index 100% rename from windows/security/threat-protection/microsoft-defender-atp/edr-blocking.md rename to windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md From 126ef65b1a829f6ee886bbf227de3bba247a4f0d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 9 Apr 2020 15:45:32 -0700 Subject: [PATCH 03/42] Update TOC.md --- windows/security/threat-protection/TOC.md | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 1510e506d5..7847a4d06c 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
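Review bot: the new `.openpublishing.redirection.json` entry in PATCH 02 only covers the published `shadow-protection` URL; the repo-relative links to `shadow-protection.md` in `windows-defender-antivirus-compatibility.md` (the features table row and the Related links entry, both visible as removed lines in PATCH 07) are not touched by PATCH 01 or PATCH 02, so between these commits they point at a file that no longer exists. This is also the second rename of the same file within the series (`shadow-protection.md` to `edr-blocking.md` in PATCH 01, then to `edr-in-block-mode.md` here); squashing the two leaves a single rename and a single redirect in the history.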
@@ -13,16 +13,12 @@ ## [Plan deployment](microsoft-defender-atp/deployment-strategy.md) - ## [Deployment guide]() ### [Deployment phases](microsoft-defender-atp/deployment-phases.md) ### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md) ### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md) ### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md) - - - ## [Security administration]() ### [Threat & Vulnerability Management]() #### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) @@ -42,7 +38,6 @@ #### [Attack surface reduction configuration settings](microsoft-defender-atp/configure-attack-surface-reduction.md) #### [Attack surface reduction FAQ](microsoft-defender-atp/attack-surface-reduction-faq.md) - #### [Attack surface reduction controls]() ##### [Attack surface reduction rules](microsoft-defender-atp/attack-surface-reduction.md) ##### [Enable attack surface reduction rules](microsoft-defender-atp/enable-attack-surface-reduction.md) @@ -256,8 +251,6 @@ ## [Security operations]() - - ### [Endpoint detection and response]() #### [Endpoint detection and response overview](microsoft-defender-atp/overview-endpoint-detection-response.md) #### [Security operations dashboard](microsoft-defender-atp/security-operations-dashboard.md) @@ -265,6 +258,8 @@ ##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) ##### [Manage incidents](microsoft-defender-atp/manage-incidents.md) ##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) +#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) + #### [Alerts queue]() ##### [View and organize the Alerts queue](microsoft-defender-atp/alerts-queue.md) 
@@ -315,7 +310,6 @@ ##### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) -##### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) #### [Use sensitivity labels to prioritize incident response](microsoft-defender-atp/information-protection-investigation.md) From 79cdca349c09f3a4459d2e75d770b42bca1a5cb4 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 9 Apr 2020 15:48:55 -0700 Subject: [PATCH 04/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 21280aac82..4ea8c3eb47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -1,7 +1,7 @@ --- title: Endpoint detection and response in block mode description: Learn about endpoint detection and response in block mode -keywords: Microsoft Defender ATP, EDR blocking, passive mode blocking +keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking search.product: eADQiWindows 10XVcnh ms.pagetype: security author: denisebmsft 
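Review bot: in the PATCH 03 hunk at `@@ -265,6 +258,8 @@` the new `#### [EDR in block mode]` line and its trailing blank line are inserted directly after `##### [Investigate incidents]`, inside the Incidents queue group and before `#### [Alerts queue]`, which puts a feature page between two queue groups; PATCH 06 moves the entry again, so settle its final position in one commit.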
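Review bot: the PATCH 03 hunks at `@@ -13,16 +13,12 @@`, `@@ -42,7 +38,6 @@` and `@@ -256,8 +251,6 @@` only delete blank lines in TOC sections unrelated to EDR in block mode (Deployment guide, Attack surface reduction, Security operations); whitespace cleanup like this is easier to review in its own commit than mixed into a content move under the message "Update TOC.md".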
@@ -31,22 +31,22 @@ When enabled, endpoint detection and response (EDR) in block mode blocks malicio ## What happens when something is detected? -When EDR blocking is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). +When EDR in block mode is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). -The following images shows an instance of unwanted software that was detected and blocked through EDR blocking: +The following images shows an instance of unwanted software that was detected and blocked through EDR in block mode: -:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by EDR blocking"::: +:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by EDR in block mode"::: ## Enable EDR in block mode > [!IMPORTANT] -> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning EDR blocking on. +> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning EDR in block mode on. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 2. Choose **Settings** > **Advanced features**. 
- :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn EDR blocking on"::: + :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn EDR in block mode on"::: 3. Turn on EDR in block mode. From 5283f31c9469e80058dcb1ea9bbd27458aedae48 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 9 Apr 2020 16:37:04 -0700 Subject: [PATCH 05/42] EDR in block mode images --- .../microsoft-defender-atp/edr-in-block-mode.md | 8 +++++--- .../images/edr-in-block-mode.jpg} | Bin .../images/turn-edr-in-block-mode-on.jpg} | Bin 3 files changed, 5 insertions(+), 3 deletions(-) rename windows/security/threat-protection/{windows-defender-antivirus/images/shadow-protection-detection.jpg => microsoft-defender-atp/images/edr-in-block-mode.jpg} (100%) rename windows/security/threat-protection/{windows-defender-antivirus/images/turn-shadow-protection-on.jpg => microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg} (100%) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 4ea8c3eb47..abbeebefbb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
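Review bot: the PATCH 04 hunks edit the alt-text of both image directives but leave `source="images/shadow-protection-detection.jpg"` and `source="images/turn-shadow-protection-on.jpg"` unchanged; after the PATCH 01 move the article lives in `microsoft-defender-atp/`, while those images are still under `windows-defender-antivirus/images/` until PATCH 05 renames them, so at this point in the series both relative paths do not resolve. Rename and move the images in the same commit that rewrites the directives.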
@@ -27,7 +27,7 @@ ms.collection: When enabled, endpoint detection and response (EDR) in block mode blocks malicious artifacts or behaviors observed through post-breach protection. EDR extends behavioral-based blocking and containment capabilities in Microsoft Defender ATP. EDR in block mode works behind the scenes to remediate malicious entities identified in post-breach. > [!NOTE] -> EDR in block mode is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection). To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). +> EDR in block mode is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-edr-in-block-mode). To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). ## What happens when something is detected? @@ -35,7 +35,9 @@ When EDR in block mode is turned on, and a malicious artifact is detected, the d The following images shows an instance of unwanted software that was detected and blocked through EDR in block mode: -:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by EDR in block mode"::: +:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="Malware detected by EDR in block mode"::: + + ## Enable EDR in block mode @@ -46,7 +48,7 @@ The following images shows an instance of unwanted software that was detected an 2. Choose **Settings** > **Advanced features**. - :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn EDR in block mode on"::: + :::image type="content" source="images/turn-edr-in-block-mode-on.jpg" alt-text="Turn EDR in block mode on"::: 3. Turn on EDR in block mode. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg From e7ebaa99a4df36fa8a23575f7305c33e0c19450b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 9 Apr 2020 16:41:23 -0700 Subject: [PATCH 06/42] Update TOC.md --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 7847a4d06c..aaedc6d2cf 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -258,7 +258,6 @@ ##### [View and organize the Incidents queue](microsoft-defender-atp/view-incidents-queue.md) ##### [Manage incidents](microsoft-defender-atp/manage-incidents.md) ##### [Investigate incidents](microsoft-defender-atp/investigate-incidents.md) -#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) #### [Alerts queue]() 
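Review bot: the PATCH 05 hunk at `@@ -35,7 +35,9 @@` adds two empty `+` lines after the `:::image:::` directive with no content (PATCH 08 deletes them again); drop them here so the file does not pick up stray whitespace. The anchor correction to `#can-i-participate-in-the-private-preview-of-edr-in-block-mode` in `@@ -27,7 +27,7 @@` is the fix the PATCH 01 NOTE needed.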
@@ -324,6 +323,7 @@ ##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) ##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) +#### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) From e473c91ea37bde9c821d0365ca5e2593c1ad7d99 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 14 Apr 2020 17:24:10 -0700 Subject: [PATCH 07/42] Update windows-defender-antivirus-compatibility.md --- .../windows-defender-antivirus-compatibility.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index e09392cea5..9a92a41391 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
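Review bot: the PATCH 06 hunk at `@@ -258,7 +258,6 @@` removes the `#### [EDR in block mode]` line but leaves the blank line that PATCH 03 added together with it, so the Incidents queue group keeps an extra empty line that was not there before this series.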
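Review bot: in the PATCH 06 hunk at `@@ -324,6 +323,7 @@` the new `#### [EDR in block mode]` entry follows `##### [Create and manage detection rules]` with no separating blank line, unlike the other `####` group boundaries in this TOC (compare the blank lines around `#### [Alerts queue]` in the PATCH 03 context); add one so the entry reads as its own group rather than the tail of the custom detections list.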
@@ -27,7 +27,7 @@ manager: dansimp Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. - When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. - If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. +- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. ## Antivirus and Microsoft Defender ATP @@ -69,12 +69,12 @@ The following table summarizes the functionality and features that are available |--|--|--|--|--|--| |Active mode

|Yes |No |Yes |Yes |Yes | |Passive mode |No |No |Yes |No |Yes | -|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes | +|[EDR in block mode enabled](shadow-protection.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | - In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). - In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. -- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. - In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. ## Keep the following points in mind 
@@ -95,4 +95,4 @@ If you uninstall the other product, and choose to use Windows Defender Antivirus - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) -- [Shadow protection in next-generation protection](shadow-protection.md) +- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) From 097a8a285635579df37875e20d3b3e634eaab8d2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 14 Apr 2020 17:30:20 -0700 Subject: [PATCH 08/42] EDR in block mode fixes Some typos instances of "shadow protection" replaced --- .../microsoft-defender-atp/edr-in-block-mode.md | 9 ++++----- .../windows-defender-antivirus-compatibility.md | 6 +++--- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index abbeebefbb..a3d8b02382 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
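Review bot: in the PATCH 07 hunk at `@@ -27,7 +27,7 @@` the link text of the Overview bullet becomes "EDR in block mode" but the target stays `https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection`, which now only works through the PATCH 02 redirect; the Related links hunk at `@@ -95,4 +95,4 @@` in this same patch already links `../microsoft-defender-atp/edr-in-block-mode.md`, so make the Overview bullet consistent with it.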
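Review bot: in the PATCH 07 hunk at `@@ -69,12 +69,12 @@` the features table row is renamed to `[EDR in block mode enabled](shadow-protection.md)` but still links the repo-relative `shadow-protection.md`, which PATCH 01 renamed away, while the bullet three lines below in the same hunk correctly uses `../microsoft-defender-atp/edr-in-block-mode.md`; update the table row to the same path.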
@@ -33,16 +33,15 @@ When enabled, endpoint detection and response (EDR) in block mode blocks malicio When EDR in block mode is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). -The following images shows an instance of unwanted software that was detected and blocked through EDR in block mode: +The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: :::image type="content" source="images/edr-in-block-mode.jpg" alt-text="Malware detected by EDR in block mode"::: - ## Enable EDR in block mode > [!IMPORTANT] -> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning EDR in block mode on. +> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. 
@@ -74,11 +73,11 @@ The following images shows an instance of unwanted software that was detected an ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR om block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Windows Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious items that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Windows Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious items that are detected. ### Why do I need to keep Windows Defender Antivirus up to date? -The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration, and to get best protection value, you should keep Windows Defender Antivirus up to date. +The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration. To get best protection value, you should keep Windows Defender Antivirus up to date. ### Why do we need cloud protection on? diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 9a92a41391..c758cea607 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -25,9 +25,9 @@ manager: dansimp ## Overview Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. -- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. -- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. +- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Windows Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Windows Defender Antivirus.) 
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. ## Antivirus and Microsoft Defender ATP From 2e128b41e458ac7e2368b3fa27a8ccfb32033732 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 14 Apr 2020 17:41:31 -0700 Subject: [PATCH 09/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a3d8b02382..bbfc7898cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -16,7 +16,7 @@ ms.custom: next-gen ms.collection: --- -# EDR in block mode +# Endpoint detection adn response (EDR) in block mode **Applies to:** 
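Review bot: the `+` line in the compatibility hunk still links **EDR in block mode** to `windows-defender-antivirus/shadow-protection`, while the patch that follows edits the feature's own article at `microsoft-defender-atp/edr-in-block-mode.md`; retarget the link so its text and destination match and it does not break once the shadow-protection page goes away. In the title hunk that follows, `+# Endpoint detection adn response (EDR) in block mode` misspells `and` as `adn`.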
@@ -31,7 +31,7 @@ When enabled, endpoint detection and response (EDR) in block mode blocks malicio ## What happens when something is detected? -When EDR in block mode is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). +When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: @@ -59,8 +59,8 @@ The following image shows an instance of unwanted software that was detected and |Requirement |Details | |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | -|Operating system |One of the following:
- Windows 10 (all releases)
- Windows Server 2016 or later | -|Windows E5 enrollment |This is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | +|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | +|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | |Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | |Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | @@ -73,7 +73,7 @@ The following image shows an instance of unwanted software that was detected and ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Windows Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious items that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Windows Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. ### Why do I need to keep Windows Defender Antivirus up to date? From 7c90255ef56403858b1728a37d7fe1540139c398 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:04:05 -0700 Subject: [PATCH 10/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index bbfc7898cc..81152a7e06 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -24,18 +24,18 @@ ms.collection: ## What is EDR in block mode? -When enabled, endpoint detection and response (EDR) in block mode blocks malicious artifacts or behaviors observed through post-breach protection. EDR extends behavioral-based blocking and containment capabilities in Microsoft Defender ATP. EDR in block mode works behind the scenes to remediate malicious entities identified in post-breach. +When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious entities that are detected post-breach. > [!NOTE] > EDR in block mode is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-edr-in-block-mode). To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). ## What happens when something is detected? -When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). +When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). 
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: -:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="Malware detected by EDR in block mode"::: +:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something"::: ## Enable EDR in block mode From 69cd71ae95cf1c81380e6872c75aad19e4cfebff Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:10:45 -0700 Subject: [PATCH 11/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 81152a7e06..9fcc057786 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
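Review bot: the alt-text change in the image hunk loses information rather than adding it: `alt-text="EDR in block mode detected something"` tells a screen-reader user less than the sentence right before it ("an instance of unwanted software that was detected and blocked"); use something like `alt-text="Unwanted software detected and blocked by EDR in block mode"`. In the first hunk, "leverages behavioral blocking and containment capabilities by blocking malicious artifacts" is circular (the capability is defined by doing the thing it enables); the removed wording made the point more directly.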
@@ -27,7 +27,7 @@ ms.collection: When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious entities that are detected post-breach. > [!NOTE] -> EDR in block mode is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-edr-in-block-mode). To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). +> EDR in block mode is currently in **[limited private preview](#can-i-participate-in-the-private-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? @@ -49,7 +49,7 @@ The following image shows an instance of unwanted software that was detected and :::image type="content" source="images/turn-edr-in-block-mode-on.jpg" alt-text="Turn EDR in block mode on"::: -3. Turn on EDR in block mode. +3. Turn on **EDR in block mode**. > [!NOTE] > EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode. 
@@ -60,10 +60,10 @@ The following image shows an instance of unwanted software that was detected and |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | -|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | -|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | +|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering

See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | +|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.

See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | +|Windows Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Windows Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features. From 4aecc1f7671a9bc52f23bc348f95b196450164c7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:19:11 -0700 Subject: [PATCH 12/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 9fcc057786..c520d6e1da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -12,7 +12,9 @@ audience: ITPro ms.topic: article ms.prod: w10 ms.localizationpriority: medium -ms.custom: next-gen +ms.custom: +- next-gen +- edr ms.collection: --- @@ -47,8 +49,6 @@ The following image shows an instance of unwanted software that was detected and 2. Choose **Settings** > **Advanced features**. - :::image type="content" source="images/turn-edr-in-block-mode-on.jpg" alt-text="Turn EDR in block mode on"::: - 3. Turn on **EDR in block mode**. > [!NOTE] 
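Review bot: the hunk that removes `:::image type="content" source="images/turn-edr-in-block-mode-on.jpg" ...` leaves that image file unreferenced, yet the patch touches only the .md (`1 file changed`); delete `images/turn-edr-in-block-mode-on.jpg` in the same change or confirm another page still uses it. In the requirements-table hunk of the preceding patch, the two antivirus rows both tell the reader to run `Get-MpComputerStatus` as an administrator; one row that checks **AMProductVersion** (4.18.2001.10 or above) and **AMEngineVersion** (1.1.16700.2 or above) from a single run of the cmdlet would be shorter and avoid the duplicated instruction.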
@@ -73,7 +73,7 @@ The following image shows an instance of unwanted software that was detected and ### Will EDR in block mode have any impact on a user's antivirus protection? -No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like Windows Defender Antivirus in passive mode, with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. ### Why do I need to keep Windows Defender Antivirus up to date? From 636f57cf8dda7e6bb767d9815bb8f58a3fa5e091 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:25:09 -0700 Subject: [PATCH 13/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index c520d6e1da..a167ed2c65 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -18,7 +18,7 @@ ms.custom: ms.collection: --- -# Endpoint detection adn response (EDR) in block mode +# Endpoint detection and response (EDR) in block mode **Applies to:** @@ -29,7 +29,7 @@ ms.collection: When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious entities that are detected post-breach. > [!NOTE] -> EDR in block mode is currently in **[limited private preview](#can-i-participate-in-the-private-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> EDR in block mode is currently in **[preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? 
@@ -83,9 +83,9 @@ The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat- Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models. -### Can I participate in the private preview of EDR in block mode? +### Can I participate in the preview of EDR in block mode? -If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`. +If you would like to participate in our private preview program, send email to `shwjha@microsoft.com`. ## See also From 32751d5817ae1bf1cb90f63b54e70f9e8f9b9a83 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:26:18 -0700 Subject: [PATCH 14/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a167ed2c65..85e4ee1a5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
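Review bot: the heading and the NOTE now say "preview", but the `+` line in the last hunk still reads `If you would like to participate in our private preview program`, so the section contradicts its own title; change it to "this preview program" (or keep "private preview" everywhere). Separately, publishing an individual mailbox (`shwjha@microsoft.com`) on a public docs page ties enrollment to one person; a team alias would be more durable.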
@@ -24,6 +24,8 @@ ms.collection: - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +[Microsoft Defender ATP preview features](preview.md) + ## What is EDR in block mode? When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious entities that are detected post-breach. From c6aabbfafda002ab4f801dcc10c4b81df40d269f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:35:37 -0700 Subject: [PATCH 15/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 85e4ee1a5c..a6a159d735 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
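Review bot: the added line `+[Microsoft Defender ATP preview features](preview.md)` sits directly under the **Applies to** list with no lead-in, so it renders as an orphaned link the reader cannot place; either fold it into the existing preview NOTE in the next section or introduce it with a sentence.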
@@ -28,7 +28,7 @@ ms.collection: ## What is EDR in block mode? -When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious entities that are detected post-breach. +When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. > [!NOTE] > EDR in block mode is currently in **[preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. From 83a45ed6f6926d8049451fdb3a762574c4233504 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:40:21 -0700 Subject: [PATCH 16/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index a6a159d735..340b8836cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -87,7 +87,7 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio ### Can I participate in the preview of EDR in block mode? -If you would like to participate in our private preview program, send email to `shwjha@microsoft.com`. +If you would like to participate in this preview program, send email to `shwjha@microsoft.com`. ## See also From 781a1e9cc1ed72db30647095bf3905470f878572 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:44:15 -0700 Subject: [PATCH 17/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 340b8836cc..49e0d07079 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -24,8 +24,6 @@ ms.collection: - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -[Microsoft Defender ATP preview features](preview.md) - ## What is EDR in block mode? When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. From bec68d2d1a98c2686ba72508eee38382527f257b Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Thu, 16 Apr 2020 13:55:08 -0700 Subject: [PATCH 18/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 49e0d07079..4353c3b080 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -87,7 +87,7 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio If you would like to participate in this preview program, send email to `shwjha@microsoft.com`. -## See also +## Related article -- [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) +[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) From a4418c812a1320705ef77014c0659ca34f0bc970 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Apr 2020 18:22:51 -0700 Subject: [PATCH 19/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 4353c3b080..99c948ef02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -77,11 +77,11 @@ No. EDR in block mode does not affect third-party antivirus protection running o ### Why do I need to keep Windows Defender Antivirus up to date? -The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack works in integration. To get best protection value, you should keep Windows Defender Antivirus up to date. +Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of capabilities, along with behavioral and machine learning models. ### Can I participate in the preview of EDR in block mode? From 815920d6b44cb9537e4d51fbf5ad423c0c8136bc Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 22 Apr 2020 12:22:04 -0700 Subject: [PATCH 20/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
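Review bot: the rewritten answer in the first hunk is hard to parse: `it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective` stacks three purposes in one clause, and the second sentence then repeats the keep-up-to-date advice. Suggest one sentence on why (EDR in block mode relies on the antivirus component's latest models, behavioral detections, and heuristics) and one on what to do (keep Windows Defender Antivirus updated).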
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 99c948ef02..38407c91bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -81,7 +81,7 @@ Because Windows Defender Antivirus detects and remediates malicious items, it's ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of capabilities, along with behavioral and machine learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of optics, along with behavioral and machine learning models. ### Can I participate in the preview of EDR in block mode? From c8d88527b1c9f9e54fd37a2cbe1be88dc5bf350a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 22 Apr 2020 13:17:47 -0700 Subject: [PATCH 21/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index 38407c91bc..fdba3e7c50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md 
@@ -81,7 +81,7 @@ Because Windows Defender Antivirus detects and remediates malicious items, it's ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of optics, along with behavioral and machine learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. ### Can I participate in the preview of EDR in block mode? From 21044f6fb7f9ca29780c64d8a6137996994bffab Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 22 Apr 2020 15:53:43 -0700 Subject: [PATCH 22/42] Create behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md new file mode 100644 index 0000000000..94b540ac6f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -0,0 +1,29 @@ +--- +title: Behavioral blocking and containment +description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP +keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Behavioral blocking and containment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Overview of behavioral blocking and containment + +As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats \ No newline at end of file From 92fdd2de437ac2d59b5e901c1dfee0bfcf716a70 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 22 Apr 2020 16:26:21 -0700 Subject: [PATCH 23/42] Update behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 94b540ac6f..8636102b28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
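Review bot: The `ms.collection:` key in the new front matter is left with no value, and the overview paragraph is cut off without a terminating period and without a trailing newline (`\ No newline at end of file`). Either give `ms.collection:` a value or drop the key, finish the sentence ("...that can help identify and stop threats."), and add the final newline so later diffs on this file do not keep carrying the missing-newline marker.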
@@ -26,4 +26,10 @@ ms.collection: ## Overview of behavioral blocking and containment -As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats \ No newline at end of file +As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats + +Behavioral blocking and containment capabilities offer protection in all of the following scenarios: +- Client behavioral blocking. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically +- Feedback-loop blocking (also referred to as Rapid Protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence. +- On-client, policy driven attack surface reduction rules. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts. +- Endpoint detection and response (EDR) in block mode. When enabled, From de1fa5ad12deed65b2651d8e1c234441a8ea5f5a Mon Sep 17 00:00:00 2001 From: Ikko Ashimine Date: Fri, 24 Apr 2020 01:22:08 +0900 Subject: [PATCH 24/42] Fix typo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Micosoft→Microsoft --- windows/client-management/mdm/reclaim-seat-from-user.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
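Review bot: The last bullet in this hunk, `+- Endpoint detection and response (EDR) in block mode. When enabled,`, stops mid-sentence; the file should not be committed with a dangling clause. The first two bullets also read with a misplaced modifier ("Enabled by default, threats that are detected ... are blocked"), which says the threats are enabled by default; rephrase as "Threats detected through machine learning are blocked and remediated automatically (enabled by default)". The overview paragraph above the list is still missing its final period.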
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index ae536fae17..d060d950c0 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -1,6 +1,6 @@ --- title: Reclaim seat from user -description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business. +description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business. ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C ms.reviewer: manager: dansimp @@ -14,7 +14,7 @@ ms.date: 09/18/2017 # Reclaim seat from user -The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business. +The **Reclaim seat from user** operation returns reclaimed seats for a user in the Microsoft Store for Business. ## Request From 18824c361cb6df8bc3e78c760c10998381ec788b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 28 Apr 2020 13:17:44 -0700 Subject: [PATCH 25/42] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bf656f4f16..d7b9c5f5dd 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -15875,6 +15875,11 @@ "source_path": "windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device", "redirect_document_id": false +}, +{ +"source_path": "windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md", +"redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode", +"redirect_document_id": true } ] } From d888123d17667db10d9dd2d35b60e0481e93f3ef Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 28 Apr 2020 14:11:30 -0700 Subject: [PATCH 26/42] Update behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 22 ++++++++++++++----- 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 8636102b28..6c7554ab4e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
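Review bot: The new redirection entry sets `"redirect_document_id": true` while the neighbouring entry in the same hunk uses `false`. `true` transfers the source document's identity to the target, which is only appropriate when `edr-in-block-mode` is the moved version of `shadow-protection.md` rather than a replacement article; confirm that is the intent, and confirm the target slug matches the file's current name (the diffs elsewhere in this series touch `edr-in-block-mode.md`), since a stale target here would redirect readers to a 404.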
@@ -26,10 +26,20 @@ ms.collection: ## Overview of behavioral blocking and containment -As you know, not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats +Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats -Behavioral blocking and containment capabilities offer protection in all of the following scenarios: -- Client behavioral blocking. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically -- Feedback-loop blocking (also referred to as Rapid Protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence. -- On-client, policy driven attack surface reduction rules. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts. -- Endpoint detection and response (EDR) in block mode. When enabled, +Behavioral blocking and containment capabilities include: + +- **Client behavioral blocking**. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically + +- **Feedback-loop blocking** (also referred to as rapid protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence, and threats are prevented earlier. 
+ +- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts. + +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. When enabled, blocks malicious artifacts or behaviors that are observed through post-breach protection, even if Windows Defender Antivirus is not the primary antivirus solution. + +## Related articles + +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) + +- [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) \ No newline at end of file From 1c29747cd5f363bdcb35dae4ae8411df21da64be Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Wed, 29 Apr 2020 09:12:32 -0700 Subject: [PATCH 27/42] Removing Layout from pre-installed @yannisle Removing based on your Issue posted in public repo. https://github.com/MicrosoftDocs/windows-itpro-docs/issues/6597 --- devices/hololens/hololens2-hardware.md | 1 - 1 file changed, 1 deletion(-) diff --git a/devices/hololens/hololens2-hardware.md b/devices/hololens/hololens2-hardware.md index ca62dbf852..f774eda6d6 100644 --- a/devices/hololens/hololens2-hardware.md +++ b/devices/hololens/hololens2-hardware.md @@ -123,7 +123,6 @@ In order to maintain/advance Internal Battery Charge Percentage while the device - Windows Holographic Operating System - Microsoft Edge - Dynamics 365 Remote Assist -- Dynamics 365 Layout - Dynamics 365 Guides - 3D Viewer - OneDrive for Business From 8274e718f00f80bd819614cf829c3d6e9aa40f94 Mon Sep 17 00:00:00 2001 
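Review bot: Link style is inconsistent within the hunk: the attack surface reduction bullet links with an absolute `https://docs.microsoft.com/...` URL while the EDR bullet and the new "Related articles" list use relative links (`edr-in-block-mode.md`, `attack-surface-reduction.md`); use the relative form throughout so the links survive hosting changes. The EDR bullet still reads "When enabled, blocks malicious artifacts..." with no subject, the overview paragraph still lacks its closing period, and the file still ends without a newline.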
From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 10:02:11 -0700 Subject: [PATCH 28/42] Update behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 6c7554ab4e..f26846edc1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -26,15 +26,15 @@ ms.collection: ## Overview of behavioral blocking and containment -Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats +Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real-time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints. -Behavioral blocking and containment capabilities include: +Behavioral blocking and containment capabilities include the following: -- **Client behavioral blocking**. Enabled by default, threats that are detected through machine learning are blocked and remediated automatically +- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (This is enabled by default.) -- **Feedback-loop blocking** (also referred to as rapid protection). Enabled by default, detections that are assumed to be false negatives are observed through behavioral intelligence, and threats are prevented earlier. +- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (This is enabled by default.) 
-- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. When enabled, predefined common attack behaviors are prevented from executing, according to your ASR policies (e.g. no child processes from Office applications). Alerts on attempts to execute these behaviors surface in the Microsoft Defender ATP portal (https://securitycenter.windows.com) as informational alerts. +- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) - **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. When enabled, blocks malicious artifacts or behaviors that are observed through post-breach protection, even if Windows Defender Antivirus is not the primary antivirus solution. From 33ec435294453b9d972eb2099d9ab41f5c33ac20 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 10:12:47 -0700 Subject: [PATCH 29/42] Update behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index f26846edc1..b0bdd3c37e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
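Review bot: In the attack surface reduction bullet, "you turn it on on the Microsoft Defender Security Center" has a doubled "on", and the parenthetical contradicts the bullet's own description: the rules are introduced as "on-client, policy-driven", and the linked attack surface reduction article covers configuring them through policy, not a toggle in the Security Center. Suggest "(Attack surface reduction rules are not enabled by default; see the linked article for how to configure them.)". Also "In almost real-time" should be "in almost real time" (no hyphen when not used as a modifier).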
+++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -36,10 +36,10 @@ Behavioral blocking and containment capabilities include the following: - **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. When enabled, blocks malicious artifacts or behaviors that are observed through post-breach protection, even if Windows Defender Antivirus is not the primary antivirus solution. +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) -## Related articles +## Next steps -- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md) +- [Configure your attack surface reduction rules](attack-surface-reduction.md) -- [Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md) \ No newline at end of file +- [Enable EDR in block mode](edr-in-block-mode.md) \ No newline at end of file From 48ab5f0424fb46e5c6210631a2b835ae38c4c8b7 Mon Sep 17 00:00:00 2001 
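Review bot: The file still ends with `\ No newline at end of file` after three edits to its tail; add the trailing newline in this hunk since the last line is being rewritten anyway. The EDR bullet carries the same "you turn it on on the Microsoft Defender Security Center" doubled preposition that the ASR bullet has in the context lines.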
From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 10:42:24 -0700 Subject: [PATCH 30/42] Update behavioral-blocking-containment.md --- .../microsoft-defender-atp/behavioral-blocking-containment.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index b0bdd3c37e..6df4757f86 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -38,6 +38,8 @@ Behavioral blocking and containment capabilities include the following: - **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) +As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. + ## Next steps - [Configure your attack surface reduction rules](attack-surface-reduction.md) From 681c64212976952ef019cd3b122316a1d35eba05 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:05:46 -0700 Subject: [PATCH 31/42] Update TOC.md --- windows/security/threat-protection/TOC.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 5ea98e7de7..95034d1363 100644 
--- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -324,12 +324,10 @@ ##### [Understand custom detections](microsoft-defender-atp/overview-custom-detections.md) ##### [Create and manage detection rules](microsoft-defender-atp/custom-detection-rules.md) +### [Behavioral blocking and containment]() +#### [Behavioral blocking and containment](microsoft-defender-atp/behavioral-blocking-containment.md) #### [EDR in block mode](microsoft-defender-atp/edr-in-block-mode.md) - - - - ### [Automated investigation and response]() #### [Overview of AIR](microsoft-defender-atp/automated-investigations.md) From 86ac3f27be4e7bd7ec335ed036a4733bfe92451c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:08:07 -0700 Subject: [PATCH 32/42] Update behavioral-blocking-containment.md --- .../microsoft-defender-atp/behavioral-blocking-containment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 6df4757f86..423c734586 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -36,7 +36,7 @@ Behavioral blocking and containment capabilities include the following: - **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (This capability, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on on the Microsoft Defender Security Center.) As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. From 514a683f1e4d8cd7bb8506112e3b771b9a6ee415 Mon Sep 17 00:00:00 2001 
From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:12:14 -0700 Subject: [PATCH 33/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index fdba3e7c50..f49487a88c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -29,7 +29,7 @@ ms.collection: When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. > [!NOTE] -> EDR in block mode is currently in **[preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> EDR in block mode is currently in **[limited private preview](#can-i-participate-in-the-preview-of-edr-in-block-mode)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? 
@@ -87,7 +87,9 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio If you would like to participate in this preview program, send email to `shwjha@microsoft.com`. -## Related article +## Related articles + +[Behavioral blocking and containment](behavioral-blocking-containment.md) [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) From f32b0dcb70934ca89db5841357b9792e22adc05a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:13:03 -0700 Subject: [PATCH 34/42] Update edr-in-block-mode.md --- .../microsoft-defender-atp/edr-in-block-mode.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index f49487a88c..adcfad4d3e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -85,7 +85,7 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio ### Can I participate in the preview of EDR in block mode? -If you would like to participate in this preview program, send email to `shwjha@microsoft.com`. +EDR in block mode is currently in limited private preview. If you would like to participate in this private preview program, send email to `shwjha@microsoft.com`. ## Related articles From af52f52570dc60ce7f5eb2a46780b33b4a86d0d3 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:23:35 -0700 Subject: [PATCH 35/42] Update behavioral-blocking-containment.md --- .../microsoft-defender-atp/behavioral-blocking-containment.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
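Review bot: The preview sign-up line keeps an individual's mailbox (`shwjha@microsoft.com`) as the contact for a public docs page. A personal address is fragile (it breaks when the person changes roles) and publishing it invites unsolicited mail; suggest a team alias or a sign-up form link instead. In the "Related articles" hunk, the two links are bare lines rather than list items, unlike the "Next steps" list used in the companion article; consider making them a bulleted list for consistency.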
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 423c734586..8928a85f0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -24,10 +24,12 @@ ms.collection: - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -## Overview of behavioral blocking and containment +## Behavioral blocking and containment overview Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real-time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints. +## Behavioral blocking and containment capabilities + Behavioral blocking and containment capabilities include the following: - **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (This is enabled by default.) From 3545b41114c5789531d84852650a9a7edaf6a864 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:29:37 -0700 Subject: [PATCH 36/42] Update behavioral-blocking-containment.md --- .../behavioral-blocking-containment.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
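Review bot: The new H2 "Behavioral blocking and containment capabilities" is immediately followed by the lead sentence "Behavioral blocking and containment capabilities include the following:", which repeats the heading; either shorten the heading to "Capabilities" or drop the lead sentence and start the list directly under the heading.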
diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 8928a85f0d..d2e8051a79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -26,19 +26,19 @@ ms.collection: ## Behavioral blocking and containment overview -Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real-time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints. +Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints. ## Behavioral blocking and containment capabilities Behavioral blocking and containment capabilities include the following: -- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (This is enabled by default.) +- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) -- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (This is enabled by default.) 
+- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (This capability is not enabled by default; you turn it on on the Microsoft Defender Security Center.) +- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (This capability, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on on the Microsoft Defender Security Center.) 
+- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on the Microsoft Defender Security Center.) As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. From 85169f19aef52a0fea83cb6b15bb692d43a9b2f9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:32:00 -0700 Subject: [PATCH 37/42] Update behavioral-blocking-containment.md --- .../microsoft-defender-atp/behavioral-blocking-containment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index d2e8051a79..88fdf5f0f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
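Review bot: the rewritten EDR in block mode bullet drops a preposition: "you turn it on the Microsoft Defender Security Center" should read "you turn it on in the Microsoft Defender Security Center". The original "you turn it on on" was awkward, but deleting one "on" removes the wrong word; the attack surface reduction bullet in the same hunk shows the intended shape ("you configure your policies in the Microsoft Defender Security Center").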
@@ -38,7 +38,7 @@ Behavioral blocking and containment capabilities include the following: - **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on the Microsoft Defender Security Center.) +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on in the Microsoft Defender Security Center.) As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. 
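Review bot: consider squashing this into the earlier commit in this series that introduced "you turn it on the Microsoft Defender Security Center"; on its own the hunk only restores the missing "in", and the subject "Update behavioral-blocking-containment.md" does not say what was fixed, so the history carries a broken intermediate version of the bullet with no explanation.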
From 2ea65287b698206538b5eae34654b70d71ce6a8a Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Apr 2020 11:52:52 -0700 Subject: [PATCH 38/42] Update behavioral-blocking-containment.md --- .../microsoft-defender-atp/behavioral-blocking-containment.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 88fdf5f0f6..db8a4231aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md 
@@ -32,12 +32,12 @@ Not all cyberattacks involve a simple piece of malware that's found and removed. Behavioral blocking and containment capabilities include the following: +- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) + - **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) - **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) - - **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. 
Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in [limited private preview](edr-in-block-mode.md#can-i-participate-in-the-preview-of-edr-in-block-mode), is not enabled by default; you turn it on in the Microsoft Defender Security Center.) As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. From 2f3d6c859b664423c094789088a735f13a83bb99 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 1 May 2020 10:48:25 -0700 Subject: [PATCH 39/42] Updated support link --- devices/hololens/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index 330bc3286e..443b2dafd4 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -64,7 +64,7 @@ ## [Frequently asked questions](hololens-faq.md) ## [Frequently asked security questions](hololens-faq-security.md) ## [Status of the HoloLens services](hololens-status.md) -## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=3ec35c62-022f-466b-3a1e-dbbb7b9a55fb) +## [Get support](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f) # Resources ## [Windows Autopilot for HoloLens 2 evaluation guide](hololens2-autopilot.md) From 3d1ece47057c7dd04d0e0f98263096ac14294c12 Mon Sep 17 00:00:00 2001 
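Review bot: the reorder moves the attack surface reduction rules bullet, the only capability in the list that is not enabled by default, ahead of the two default-on capabilities (client behavioral blocking, feedback-loop blocking), and neither the hunk nor the subject "Update behavioral-blocking-containment.md" says why. If the intent is to list capabilities in the order they act (policy-driven pre-execution blocking first, then behavioral blocking), state that in the commit message or in the sentence "Behavioral blocking and containment capabilities include the following:", since a reader scanning for defaults may otherwise assume the first item is on by default.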
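Review bot: the only change in the HoloLens TOC hunk is the sapid query parameter of the "Get support" link, and the subject "Updated support link" does not record which product selection the new sapid points to or why the old one was retired; add that to the commit message and confirm the new URL resolves before merge, because the diff gives a reviewer no way to tell the two opaque values apart.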
From: martyav Date: Tue, 5 May 2020 12:33:52 -0400 Subject: [PATCH 40/42] updated enable-network-protection added section on checking state with regedit moved headings on other sections one level down gave new title to avoid repetition --- .../enable-network-protection.md | 31 ++++++++++++++----- 1 file changed, 23 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 7f23be0e27..61f527b0ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md 
@@ -17,14 +17,29 @@ audience: ITPro manager: dansimp --- -# Enable network protection +# Turning on network protection **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. +You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. + +## Check if network protection is enabled + +You can see if network protection has been enabled on a local device by using Registry editor. + +1. Select the **Start** button in the task bar and type **regedit** to open Registry editor +1. Choose **HKEY_LOCAL_MACHINE** from the side menu +1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager** +1. Select **EnableNetworkProtection** to see the current state of network protection on the device + + * 0, or **Off** + * 1, or **On** + * 2, or **Audit** mode + +## Enable network protection You can enable network protection by using any of these methods: @@ -34,7 +49,7 @@ You can enable network protection by using any of these methods: * [Group Policy](#group-policy) * [PowerShell](#powershell) -## Intune +### Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. 
@@ -45,11 +60,11 @@ You can enable network protection by using any of these methods: 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. -## MDM +### MDM Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -## SCCM +### SCCM 1. In System Center Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. 1. Click **Home** > **Create Exploit Guard Policy**. @@ -58,13 +73,13 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d 1. Review the settings and click **Next** to create the policy. 1. After the policy is created, click **Close**. -## Group Policy +### Group Policy You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 1. On a standalone computer, click **Start**, type and then click **Edit group policy**. - -Or- + *-Or-* On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -89,7 +104,7 @@ You can confirm network protection is enabled on a local computer by using Regis * 1=On * 2=Audit -## PowerShell +### PowerShell 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: From 8c49a1007c3580c10e29701bf551d15c1c935da0 Mon Sep 17 00:00:00 2001 
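Review bot: in the first hunk, step 3 of the new "Check if network protection is enabled" section is missing a separator in the registry path: "**Microsoft** **Windows Defender** > **Policy Manager**" should read "**Microsoft** > **Windows Defender** > **Policy Manager**" to match the other segments. Two more points on the same hunk: the context of the last hunk shows the page already explains confirming network protection through Registry editor (the "1=On" / "2=Audit" values under the Group Policy section), so the new section duplicates it and one of the two should be removed or link to the other; and the new section reads a value under HKEY_LOCAL_MACHINE\SOFTWARE\Policies, while the page also lists PowerShell as an enable method, so it should say whether a setting applied that way is reflected in the same value. Finally, the title becomes "Turning on network protection" while the file remains enable-network-protection.md and the new H2 is "Enable network protection"; keep one verb form (for example "Enable network protection" as the title and "Methods for enabling network protection" as the H2), and note that the "-You can [audit network protection]..." / "+You can [audit network protection]..." pair is a whitespace-only change that should be dropped from the diff.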
From: Denise Vangel-MSFT Date: Tue, 5 May 2020 09:45:51 -0700 Subject: [PATCH 41/42] Update reclaim-seat-from-user.md --- windows/client-management/mdm/reclaim-seat-from-user.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index d060d950c0..3beb6993e3 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 09/18/2017 +ms.date: 05/05/2020 --- # Reclaim seat from user From 8786902c23c2ea8e915e7ec539bccf43234faf20 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 5 May 2020 10:00:36 -0700 Subject: [PATCH 42/42] pencil edit --- windows/security/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 95034d1363..06efa1c47e 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -691,7 +691,7 @@ ### [Microsoft Defender SmartScreen](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) #### [Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md) -#### [Set up and use Microsft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md) +#### [Set up and use Microsoft Defender SmartScreen on individual devices](microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md) ### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)