deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-24 23:03:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into lomayor-mdatp-ah-updates

Browse Source
This commit is contained in:
lomayor
2019-08-07 14:27:01 -07:00
parent fde93f8788 1350b35e49
commit aa22b52870
741 changed files with 68646 additions and 67873 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/security/threat-protection/TOC.md
View File

@ -52,6 +52,7 @@
##### [Investigate machines](microsoft-defender-atp/investigate-machines.md)
##### [Investigate an IP address](microsoft-defender-atp/investigate-ip.md)
##### [Investigate a domain](microsoft-defender-atp/investigate-domain.md)
###### [Investigate connection events that occur behind forward proxies](microsoft-defender-atp/investigate-behind-proxy.md)
##### [Investigate a user account](microsoft-defender-atp/investigate-user.md)
#### [Machines list]()
@ -142,7 +143,7 @@
### [Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)
### [Portal overview](microsoft-defender-atp/portal-overview.md)
### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/commercial-gov.md)
## [Get started]()
### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md)
@ -153,6 +154,9 @@
### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md)
### [Assign user access to the portal](microsoft-defender-atp/assign-portal-access.md)
### [Evaluate Microsoft Defender ATP]()
#### [Attack surface reduction and next-generation capability evaluation]()
##### [Attack surface reduction and nex-generation evaluation overview](microsoft-defender-atp/evaluate-atp.md)
@ -245,7 +249,7 @@
##### [Manage updates and apply baselines]()
###### [Learn about the different kinds of updates](windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md)
###### [Manage protection and definition updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage protection and security intelligence updates](windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md)
###### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md)
###### [Manage updates for endpoints that are out of date](windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md)
###### [Manage event-based forced updates](windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md)
@ -390,7 +394,7 @@
####### [Get domain related alerts](microsoft-defender-atp/get-domain-related-alerts.md)
####### [Get domain related machines](microsoft-defender-atp/get-domain-related-machines.md)
####### [Get domain statistics](microsoft-defender-atp/get-domain-statistics.md)
####### [Is domain seen in organization](microsoft-defender-atp/is-domain-seen-in-org.md)
####### [Is domain seen in organization (Deprecated)](microsoft-defender-atp/is-domain-seen-in-org.md)
###### [File]()
####### [File methods and properties](microsoft-defender-atp/files.md)
@ -401,9 +405,9 @@
###### [IP]()
####### [Get IP related alerts](microsoft-defender-atp/get-ip-related-alerts.md)
####### [Get IP related machines](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP related machines (Deprecated)](microsoft-defender-atp/get-ip-related-machines.md)
####### [Get IP statistics](microsoft-defender-atp/get-ip-statistics.md)
####### [Is IP seen in organization](microsoft-defender-atp/is-ip-seen-org.md)
####### [Is IP seen in organization (Deprecated)](microsoft-defender-atp/is-ip-seen-org.md)
###### [User]()
####### [User methods](microsoft-defender-atp/user.md)

2
windows/security/threat-protection/index.md
View File

@ -67,7 +67,7 @@ The attack surface reduction set of capabilities provide the first line of defen
- [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md)
- [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md)
- [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md)
- [Attack surface reduction controls](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
- [Attack surface reduction rules](windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md)
<a name="ngp"></a>

96
windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Microsoft Defender ATP for US Government GCC High customers
description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers
keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Microsoft Defender ATP for US Government GCC High customers
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial.
This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering.
## Endpoint versions
The following OS versions are supported:
- Windows 10, version 1903
- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183))
- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147))
- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481))
>[!NOTE]
>A patch must be deployed before machine onboarding in order to configure Microsoft Defender ATP to the correct environment.
The following OS versions are not supported:
- Windows Server 2008 R2 SP1
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro
- Windows 8 Pro
- Windows 8.1 Enterprise
- macOS
The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2019:
## Threat & Vulnerability Management
Not currently available.
## Automated investigation and remediation
The following capabilities are not currently available:
- Response to Office 365 alerts
- Live response
## Management and APIs
The following capabilities are not currently available:
- Threat protection report
- Machine health and compliance report
- Integration with third-party products
## Integrations
Integrations with the following Microsoft products are not currently available:
- Azure Security Center
- Azure Advanced Threat Protection
- Azure Information Protection
- Office 365 Advanced Threat Protection
- Microsoft Cloud App Security
- Skype for Business
- Microsoft Intune (sharing of device information and enhanced policy enforcement)
## Microsoft Threat Experts
Not currently available.
## Required connectivity settings
You'll need to ensure that traffic from the following are allowed:
Service location | DNS record
:---|:---
Common URLs for all locations (Global location) | ```crl.microsoft.com```<br>```ctldl.windowsupdate.com```<br>```notify.windows.com```
Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com``` <br>```winatp-gw-usgt.microsoft.com```<br>```winatp-gw-usgv.microsoft.com```<br>```*.blob.core.usgovcloudapi.net```

59
windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
View File

@ -31,7 +31,10 @@ The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to r
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service.
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
>[!TIP]
>For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md).
The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods:
- Auto-discovery methods:
- Transparent proxy
@ -45,6 +48,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Registry based configuration
- WinHTTP configured using netsh command Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)
## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet.
@ -175,56 +180,6 @@ However, if the connectivity check results indicate a failure, an HTTP error is
> The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool.
> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy.
## Conduct investigations with Microsoft Defender ATP behind a proxy
Microsoft Defender ATP supports network connection monitoring from different levels of the operating system network stack. A challenging case is when the network uses a forward proxy as a gateway to the internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. Microsoft Defender ATP supports advanced HTTP level sensor.
By enabling this sensor, Microsoft Defender ATP will expose a new type of events that surfaces the real target domain names. <br><br>
**Investigation Impact**<br>
In machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
![Image of network events on machine's timeline](images/atp-proxy-investigation.png)<br>
Additional events triggered by the Network Protection layer are now available to surface the real domain names even behind a proxy. <br>
Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png)<br>
**Advanced Hunting**<br>
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ConnecionSuccess action type.<br>
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out the events that are related to connection to the proxy itself. Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
**How to enable the advanced network connection sensor**<br>
Monitoring network connection behind forward proxy is possible due to additional Network Events that originate from Network Protection. To see them in machines timeline you need to turn Network Protection on at least in audit mode. <br>
Network protection is a feature in Windows Defender Exploit Guard that protects employees using any app from accessing phishing scams, exploit-hosting sites, and malicious content on the Internet. This includes preventing third-party browsers from connecting to dangerous sites. Its behavior can be controlled by the following options: Block and Audit. <br>
If you turn this policy on in "Block" mode, users/apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.<br>
If you turn this policy on in "Audit" mode, users/apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.<br>
If you turn this policy off, users/apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.<br>
If you do not configure this policy, network blocking will be disabled by default. <br><br>
> [!NOTE]
> In order to enable Monitoring network connection behind forward proxy and see the domains you will need to enable network protection at least in audit mode.
Additional documentation:
- [Applying network protection with GP policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Windows Defender Exploit Guard Documentation](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet)
## Related topics
- [Onboard Windows 10 machines](configure-endpoints.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)
- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md)

9
windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md
View File

@ -139,13 +139,18 @@ Agent Resource | Ports
## Windows Server, version 1803 and Windows Server 2019
To onboard Windows Server, version 1803 or Windows Server 2019, please refer to the supported methods and versions below.
>[!NOTE]
>The Onboarding package for Windows Server 2019 through System Center Configuration Manager currently ships a script. For more information on how to deploy scripts in System Center Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/packages-and-programs).
Supported tools include:
- Local script
- Group Policy
- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602
- VDI onboarding scripts for non-persistent machines
For more information, see [Onboard Windows 10 machines](configure-endpoints.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well.
1. Configure Microsoft Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints.md).
@ -162,7 +167,7 @@ Supported tools include:
c. Confirm that a recent event containing the passive mode event is found:
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
![Image of passive mode verification result](images/atp-verify-passive-mode.png)
3. Run the following command to check if Windows Defender AV is installed:

4
windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md
View File

@ -49,7 +49,7 @@ The Microsoft Defender ATP service utilizes state of the art data protection tec
There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview).
In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum.
## Do I have the flexibility to select where to store my data?
@ -80,7 +80,7 @@ No. Customer data is isolated from other customers and is not shared. However, i
You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. Theres a flexibility of choosing in the range of 1 month to six months to meet your companys regulatory compliance needs.
**At contract termination or expiration**<br>
Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsofts systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
## Can Microsoft help us maintain regulatory compliance?

2
windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md
View File

@ -20,6 +20,8 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and machine configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation.
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can

2
windows/security/threat-protection/microsoft-defender-atp/get-ip-related-machines.md
View File

@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Get IP related machines API
# Get IP related machines API (Deprecated)
**Applies to:**

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-ah.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 125 KiB

After

Width:  |  Height:  |  Size: 138 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation-event.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 64 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/atp-proxy-investigation.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 52 KiB

After

Width:  |  Height:  |  Size: 70 KiB

2
windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-config.md
View File

@ -23,6 +23,8 @@ ms.topic: article
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
[!include[Prerelease information](prerelease.md)]
Learn how you can use Microsoft Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin.
>[!TIP]

89
windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Investigate connection events that occur behind forward proxies
description: Investigate connection events that occur behind forward proxies
keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Investigate connection events that occur behind forward proxies
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink)
Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet.
The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value.
Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names.
## Use network protection to monitor network connection behind a firewall
Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a machine timeline, turn network protection on (at the minimum in audit mode).
Network protection can be controlled using the following modes:
- **Block** <br> Users or apps will be blocked from connecting to dangerous domains. You will be able to see this activity in Windows Defender Security Center.
- **Audit** <br> Users or apps will not be blocked from connecting to dangerous domains. However, you will still see this activity in Microsoft Defender Security Center.
If you turn network protection off, users or apps will not be blocked from connecting to dangerous domains. You will not see any network activity in Microsoft Defender Security Center.
If you do not configure it, network blocking will be turned off by default.
For more information, see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection).
## Investigation impact
When network protection is turned on, you'll see that on a machine's timeline the IP address will keep representing the proxy, while the real target address shows up.
![Image of network events on machine's timeline](images/atp-proxy-investigation.png)
Additional events triggered by the network protection layer are now available to surface the real domain names even behind a proxy.
Event's information:
![Image of single network event](images/atp-proxy-investigation-event.png)
## Hunt for connection events using advanced hunting
All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the `ConnecionSuccess` action type.
Using this simple query will show you all the relevant events:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess"
| take 10
```
![Image of advanced hunting query](images/atp-proxy-investigation-ah.png)
You can also filter out events that are related to connection to the proxy itself.
Use the following query to filter out the connections to the proxy:
```
NetworkCommunicationEvents
| where ActionType == "ConnectionSuccess" and RemoteIP != "ProxyIP"
| take 10
```
## Related topics
- [Applying network protection with GP - policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection)
- [Protect your network](https://docs.microsoft.comwindows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)

2
windows/security/threat-protection/microsoft-defender-atp/is-domain-seen-in-org.md
View File

@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Was domain seen in org
# Was domain seen in org (Deprecated)
**Applies to:**

2
windows/security/threat-protection/microsoft-defender-atp/is-ip-seen-org.md
View File

@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---
# Was IP seen in org
# Was IP seen in org (Deprecated)
**Applies to:**

6
windows/security/threat-protection/microsoft-defender-atp/oldTOC.md
View File

@ -392,7 +392,7 @@
####### [Get domain related alerts](get-domain-related-alerts.md)
####### [Get domain related machines](get-domain-related-machines.md)
####### [Get domain statistics](get-domain-statistics.md)
####### [Is domain seen in organization](is-domain-seen-in-org.md)
####### [Is domain seen in organization (Deprecated)](is-domain-seen-in-org.md)
###### [File]()
####### [Methods and properties](files.md)
@ -403,9 +403,9 @@
###### [IP]()
####### [Get IP related alerts](get-ip-related-alerts.md)
####### [Get IP related machines](get-ip-related-machines.md)
####### [Get IP related machines (Deprecated)](get-ip-related-machines.md)
####### [Get IP statistics](get-ip-statistics.md)
####### [Is IP seen in organization](is-ip-seen-org.md)
####### [Is IP seen in organization (Deprecated)](is-ip-seen-org.md)
###### [User]()
####### [Methods](user.md)

2
windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md
View File

@ -46,7 +46,7 @@ The Microsoft secure score tile is reflective of the sum of all the Microsoft De
Each Windows Defender security control contributes 100 points to the score. The total number is reflective of the score potential and calculated by multiplying the number of supported security controls (Windows Defender security controls pillars) by the maximum points that each pillar contributes (maximum of 100 points for each pillar).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/en-us/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
The Office 365 Secure Score looks at your settings and activities and compares them to a baseline established by Microsoft. For more information, see [Introducing the Office 365 Secure Score](https://support.office.com/article/introducing-the-office-365-secure-score-c9e7160f-2c34-4bd0-a548-5ddcc862eaef#howtoaccess).
In the example image, the total points for the Windows security controls and Office 365 add up to 602 points.

1
windows/security/threat-protection/microsoft-defender-atp/preview.md
View File

@ -44,6 +44,7 @@ The following features are included in the preview release:
- [Evaluation lab](evaluation-lab.md) <BR> The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can
focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) <BR> You can now onboard Windows Server 2008 R2 SP1.
- [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac) <BR> Microsoft Defender ATP for Mac brings the next-generation protection, and endpoint detection and response coverage to Mac devices. Core components of the unified endpoint security platform will now be available for Mac devices.

11
windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md
View File

@ -20,7 +20,7 @@ ms.date: 07/13/2017
# Increase scheduling priority
**Applies to**
- Windows 10
- Windows 10
Describes the best practices, location, values, policy management, and security considerations for the **Increase scheduling priority** security policy setting.
@ -45,7 +45,7 @@ Constant: SeIncreaseBasePriorityPrivilege
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\User Rights Assignment
 
## Policy management
This section describes features, tools, and guidance to help you manage this policy.
@ -81,7 +81,12 @@ Verify that only Administrators and Window Manager/Window Manager Group have the
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration.
> [!Warning]
> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
## Related topics
- [User Rights Assignment](user-rights-assignment.md)
- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))
- [Increase scheduling priority for Windows Server 2012 and earlier](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn221960(v%3dws.11))

10
windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md
View File

@ -1,6 +1,6 @@
---
title: Apply Windows Defender Antivirus updates after certain events
description: Manage how Windows Defender Antivirus applies protection updates after startup or receiving cloud-delivered detection reports.
description: Manage how Windows Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports.
keywords: updates, protection, force updates, events, startup, check for latest, notifications
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
@ -32,7 +32,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Scheduled scans** section and set **Check for the latest definition updates before running a scan** to **Yes**.
2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**.
3. Click **OK**.
@ -99,9 +99,9 @@ You can also use Group Policy, PowerShell, or WMI to configure Windows Defender
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Security Intelligence Updates**.
5. Double-click **Initiate definition update on startup** and set the option to **Enabled**.
5. Double-click **Initiate security intelligence update on startup** and set the option to **Enabled**.
6. Click **OK**.
@ -143,7 +143,7 @@ If you have enabled cloud-delivered protection, Windows Defender AV will send fi
3. Click **Policies** then **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following:
1. Double-click **Allow real-time definition updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
1. Double-click **Allow real-time security intelligence updates based on reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
2. Double-click **Allow notifications to disable definitions based reports to Microsoft MAPS** and set the option to **Enabled**. Click **OK**.
> [!NOTE]

8
windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md
View File

@ -36,10 +36,10 @@ If Windows Defender Antivirus did not download protection updates for a specifie
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section and configure the following settings:
2. Go to the **Security intelligence updates** section and configure the following settings:
1. Set **Force a definition update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for definition updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
1. Set **Force a security intelligence update if the client computer is offline for more than two consecutive scheduled updates** to **Yes**.
2. For the **If Configuration Manager is used as a source for security intelligence updates...**, specify the hours before which the protection updates delivered by Configuration Manager should be considered out-of-date. This will cause the next update location to be used, based on the defined [fallback source order](manage-protection-updates-windows-defender-antivirus.md#fallback-order).
3. Click **OK**.
@ -55,7 +55,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie
4. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
5. Double-click the **Define the number of days after which a catch-up definition update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
5. Double-click the **Define the number of days after which a catch-up security intelligence update is required** setting and set the option to **Enabled**. Enter the number of days after which you want Windows Defender AV to check for and download the latest protection update.
6. Click **OK**.

14
windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md
View File

@ -37,13 +37,13 @@ You can also randomize the times when each endpoint checks and downloads protect
1. On your System Center Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**)
2. Go to the **Definition updates** section.
2. Go to the **Security intelligence updates** section.
3. To check and download updates at a certain time:
1. Set **Check for Endpoint Protection definitions at a specific interval...** to **0**.
2. Set **Check for Endpoint Protection definitions daily at...** to the time when updates should be checked.
1. Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to **0**.
2. Set **Check for Endpoint Protection security intelligence updates daily at...** to the time when updates should be checked.
3
4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates.
4. To check and download updates on a continual interval, Set **Check for Endpoint Protection security intelligence updates at a specific interval...** to the number of hours that should occur between updates.
5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers).
@ -60,9 +60,9 @@ You can also randomize the times when each endpoint checks and downloads protect
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following settings:
1. Double-click the **Specify the interval to check for definition updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for definition updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for definition updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.
1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**.
2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**.
3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**.

4
windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
View File

@ -93,7 +93,7 @@ The procedures in this article first describe how to set the order, and then how
4. Expand the tree to **Windows components > Windows Defender > Signature updates** and configure the following settings:
1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**.
1. Double-click the **Define the order of sources for downloading security intelligence updates** setting and set the option to **Enabled**.
2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot.
@ -101,7 +101,7 @@ The procedures in this article first describe how to set the order, and then how
3. Click **OK**. This will set the order of protection update sources.
4. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**.
4. Double-click the **Define file shares for downloading security intelligence updates** setting and set the option to **Enabled**.
5. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates.

6
windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md
View File

@ -56,7 +56,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates**.
6. Double-click the **Allow definition updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
6. Double-click the **Allow security intelligence updates from Microsoft Update** setting and set the option to **Enabled**. Click **OK**.
**Use a VBScript to opt-in to Microsoft Update**
@ -75,7 +75,7 @@ You can opt-in to Microsoft Update on the mobile device in one of the following
You can configure Windows Defender Antivirus to only download protection updates when the PC is connected to a wired power source.
**Use Group Policy to prevent definition updates on battery power:**
**Use Group Policy to prevent security intelligence updates on battery power:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
@ -85,7 +85,7 @@ You can configure Windows Defender Antivirus to only download protection updates
5. Expand the tree to **Windows components > Windows Defender Antivirus > Signature Updates** and configure the following setting:
1. Double-click the **Allow definition updates when running on battery power** setting and set the option to **Disabled**.
1. Double-click the **Allow security intelligence updates when running on battery power** setting and set the option to **Disabled**.
2. Click **OK**. This will prevent protection updates from downloading when the PC is on battery power.

2
windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
View File

@ -94,7 +94,7 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Do a quick scan |`mdatp --scan --quick` |
|Protection |Do a full scan |`mdatp --scan --full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
|Protection |Request a definition update |`mdatp --definition-update` |
|Protection |Request a security intelligence update |`mdatp --definition-update` |
## Microsoft Defender ATP portal information

10
windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md
View File

@ -1487,7 +1487,7 @@ Symbolic name:
Message:
</td>
<td >
<b>The antimalware definition update failed.
<b>The security intelligence update failed.
</b>
</td>
</tr>
@ -1498,12 +1498,12 @@ Description:
<td >
Windows Defender Antivirus has encountered an error trying to update signatures.
<dl>
<dt>New Signature Version: &lt;New version number&gt;</dt>
<dt>Previous Signature Version: &lt;Previous signature version&gt;</dt>
<dt>New security intelligence version: &lt;New version number&gt;</dt>
<dt>Previous security intelligence version: &lt;Previous version&gt;</dt>
<dt>Update Source: &lt;Update source&gt;, for example:
<ul>
<li>Signature update folder</li>
<li>Internal definition update server</li>
<li>Security intelligence update folder</li>
<li>Internal security intelligence update server</li>
<li>Microsoft Update Server</li>
<li>File share</li>
<li>Microsoft Malware Protection Center (MMPC)</li>

20
windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md
View File

@ -124,20 +124,20 @@ Scan | Specify the scan type to use for a scheduled scan | [Configure scheduled
Scan | Specify the time for a daily quick scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Specify the time of day to run a scheduled scan | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Scan | Start the scheduled scan only when computer is on but not in use | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Security intelligence updates | Allow definition updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow definition updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates from Microsoft Update | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow security intelligence updates when running on battery power | [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
Security intelligence updates | Allow notifications to disable definitions based repots to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time definition updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Allow real-time security intelligence updates based on reports to Microsoft MAPS | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Check for the latest virus and spyware definitions on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days after which a catch up definition update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define file shares for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days after which a catch up security intelligence update is required | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days before spyware definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the number of days before virus definitions are considered out of date | [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
Security intelligence updates | Define the order of sources for downloading definition updates | [Manage Windows Defender Antivirus protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Initiate definition update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Specify the day of the week to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the interval to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the time to check for definition updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Define the order of sources for downloading security intelligence updates | [Manage Windows Defender Antivirus protection and security intelligence updates](manage-protection-updates-windows-defender-antivirus.md)
Security intelligence updates | Initiate security intelligence update on startup | [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
Security intelligence updates | Specify the day of the week to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the interval to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Specify the time to check for security intelligence updates | [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
Security intelligence updates | Turn on scan after Security intelligence update | [Configure scheduled scans for Windows Defender Antivirus](scheduled-catch-up-scans-windows-defender-antivirus.md)
Threats | Specify threat alert levels at which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)
Threats | Specify threats upon which default action should not be taken when detected | [Configure remediation for Windows Defender Antivirus scans](configure-remediation-windows-defender-antivirus.md)

2
windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md
View File

@ -85,7 +85,7 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan.
<a id="definition-version"></a>
**Review the definition update version and download the latest updates in the Windows Security app**
**Review the security intelligence update version and download the latest updates in the Windows Security app**
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).

13
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,6 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
author: dansimp
audience: ITPro
ms.date: 04/09/2019
ms.reviewer:
manager: dansimp
@ -149,6 +150,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<!-- msxml3.dll pick correct version based on release you are supporting -->
<!-- msxml6.dll pick correct version based on release you are supporting -->
<!-- jscript9.dll pick correct version based on release you are supporting -->
@ -885,6 +891,10 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
<FileRuleRef RuleID="ID_DENY_MSBUILD_DLL" />
<FileRuleRef RuleID="ID_DENY_DOTNET" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD" />
<FileRuleRef RuleID="ID_DENY_MS_BUILD_FMWK" />
<FileRuleRef RuleID="ID_DENY_D_1"/>
<FileRuleRef RuleID="ID_DENY_D_2"/>
<FileRuleRef RuleID="ID_DENY_D_3"/>
@ -1499,6 +1509,5 @@ Pick the correct version of each .dll for the Windows release you plan to suppor
<CiSigners />
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
```
<br />

41
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,8 +11,9 @@ ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 11/29/2018
ms.reviewer:
audience: ITPro
ms.date: 08/05/2019
ms.reviewer: v-maave
manager: dansimp
---
@ -22,14 +23,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It protects your data by checking against a list of known, trusted apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It can be turned on via the Windows Security App, or from the System Center Configuration Manager (SCCM) and Intune, for managed devices. Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.
Controlled folder access works by only allowing apps to access protected folders if the app is included on a list of trusted software. If an app isn't on the list, Controlled folder access will block it from making changes to files inside protected folders.
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
Apps are added to the trusted list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization, and that have never displayed any malicious behavior, are deemed trustworthy and automatically added to the list.
A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
Apps can also be manually added to the trusted list via SCCM and Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for the app, can be performed from the Security Center Console.
Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
With Controlled folder access in place, a notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.
@ -43,13 +47,13 @@ Controlled folder access requires enabling [Windows Defender Antivirus real-time
## Review controlled folder access events in the Microsoft Defender ATP Security Center
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md).
You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.
Here is an example query
Here is an example query
```
```PowerShell
MiscEvents
| where ActionType in ('ControlledFolderAccessViolationAudited','ControlledFolderAccessViolationBlocked')
```
@ -60,15 +64,15 @@ You can review the Windows event log to see events that are created when control
1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
2. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
3. On the left panel, under **Actions**, click **Import custom view...**.
4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
1. On the left panel, under **Actions**, click **Import custom view...**.
4. Click **OK**.
1. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
5. This will create a custom view that filters to only show the following events related to controlled folder access:
1. Click **OK**.
1. This will create a custom view that filters to only show the following events related to controlled folder access:
Event ID | Description
-|-
@ -76,10 +80,9 @@ Event ID | Description
1124 | Audited controlled folder access event
1123 | Blocked controlled folder access event
## In this section
## In this section
Topic | Description
Topic | Description
---|---
[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network

14
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -11,8 +11,8 @@ ms.pagetype: security
ms.localizationpriority: medium
author: levinec
ms.author: ellevin
ms.date: 05/13/2019
ms.reviewer:
audience: ITPro
manager: dansimp
---
@ -36,13 +36,15 @@ You can enable network protection by using any of these methods:
## Intune
1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune.
1. Click **Device configuration** > **Profiles** > **Create profile**.
1. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
2. Click **Device configuration** > **Profiles** > **Create profile**.
3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.
![Create endpoint protection profile](images/create-endpoint-protection-profile.png)
1. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
4. Click **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**.
![Enable network protection in Intune](images/enable-np-intune.png)
1. Click **OK** to save each open blade and click **Create**.
1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
5. Click **OK** to save each open blade and click **Create**.
6. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
## MDM