mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge branch 'master' into MDBranchPhase2aADMXBackedPolicies
This commit is contained in:
ManikaDhiman
commit
aad0c65d81
11
education/includes/education-content-updates.md
Normal file
11
education/includes/education-content-updates.md
Normal file
@ -0,0 +1,11 @@
|
||||
<!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->
|
||||
|
||||
|
||||
|
||||
## Week of October 19, 2020
|
||||
|
||||
|
||||
| Published On |Topic title | Change |
|
||||
|------|------------|--------|
|
||||
| 10/22/2020 | [Microsoft 365 Education Documentation for developers](/education/developers) | modified |
|
||||
| 10/22/2020 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified |
|
||||
@ -53,7 +53,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man
|
||||
With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can:
|
||||
|
||||
|
||||
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune).
|
||||
- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/).
|
||||
|
||||
- Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
|
||||
|
||||
@ -69,7 +69,7 @@ You can envision user and device management as falling into these two categories
|
||||
|
||||
- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices:
|
||||
|
||||
- For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
|
||||
- For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.<br>Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources.
|
||||
|
||||
- Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device.
|
||||
|
||||
@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de
|
||||
|
||||
## Related topics
|
||||
|
||||
- [What is Intune?](https://docs.microsoft.com/intune/introduction-intune)
|
||||
- [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune)
|
||||
- [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
|
||||
- [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference)
|
||||
|
||||
@ -52,6 +52,7 @@ This node specifies the username for a new local user account. This setting can
|
||||
This node specifies the password for a new local user account. This setting can be managed remotely.
|
||||
|
||||
Supported operation is Add.
|
||||
GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager.
|
||||
|
||||
<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
|
||||
This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
|
||||
|
||||
@ -19,11 +19,10 @@
|
||||
### [Deployment phases](microsoft-defender-atp/deployment-phases.md)
|
||||
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
|
||||
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
|
||||
### [Phase 3: Onboard]()
|
||||
#### [Onboarding overview](microsoft-defender-atp/onboarding.md)
|
||||
##### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
|
||||
##### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
|
||||
|
||||
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
|
||||
#### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
|
||||
#### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
|
||||
#### [Onboard supported devices](microsoft-defender-atp/onboard-configure.md)
|
||||
|
||||
## [Migration guides](microsoft-defender-atp/migration-guides.md)
|
||||
### [Switch from McAfee to Microsoft Defender for Endpoint]()
|
||||
|
||||
@ -10,7 +10,9 @@
|
||||
|
||||
### [Macro malware](macro-malware.md)
|
||||
|
||||
### [Phishing](phishing.md)
|
||||
### [Phishing attacks](phishing.md)
|
||||
|
||||
#### [Phishing trends and techniques](phishing-trends.md)
|
||||
|
||||
### [Ransomware](ransomware-malware.md)
|
||||
|
||||
|
||||
@ -0,0 +1,69 @@
|
||||
---
|
||||
title: Phishing trends and techniques
|
||||
ms.reviewer:
|
||||
description: Learn about how to spot phishing techniques
|
||||
keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: secure
|
||||
ms.sitesec: library
|
||||
ms.localizationpriority: medium
|
||||
ms.author: ellevin
|
||||
author: levinec
|
||||
manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
search.appverid: met150
|
||||
---
|
||||
|
||||
# Phishing trends and techniques
|
||||
|
||||
Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
|
||||
|
||||
Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices.
|
||||
|
||||
## Invoice phishing
|
||||
|
||||
In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
|
||||
|
||||
## Payment/delivery scam
|
||||
|
||||
You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
|
||||
|
||||
## Tax-themed phishing scams
|
||||
|
||||
A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
|
||||
|
||||
## Downloads
|
||||
|
||||
An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
|
||||
|
||||
## Phishing emails that deliver other threats
|
||||
|
||||
Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
|
||||
|
||||
We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
|
||||
|
||||
## Spear phishing
|
||||
|
||||
Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
|
||||
|
||||
Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
|
||||
|
||||
The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
|
||||
|
||||
## Whaling
|
||||
|
||||
Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
|
||||
|
||||
## Business email compromise
|
||||
|
||||
Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
|
||||
|
||||
## More information about phishing attacks
|
||||
|
||||
For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
|
||||
|
||||
- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
|
||||
- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
|
||||
- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Phishing
|
||||
title: How to protect against phishing attacks
|
||||
ms.reviewer:
|
||||
description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself
|
||||
keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack
|
||||
@ -16,98 +16,15 @@ ms.topic: article
|
||||
search.appverid: met150
|
||||
---
|
||||
|
||||
# Phishing
|
||||
# How to protect against phishing attacks
|
||||
|
||||
Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals.
|
||||
|
||||
Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets.
|
||||
|
||||
## What to do if you've been a victim of a phishing scam
|
||||
|
||||
If you feel you've been a victim of a phishing attack:
|
||||
|
||||
1. Contact your IT admin if you are on a work computer.
|
||||
2. Immediately change all passwords associated with the accounts.
|
||||
3. Report any fraudulent activity to your bank and credit card company.
|
||||
|
||||
### Reporting spam
|
||||
|
||||
- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
|
||||
|
||||
- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
|
||||
|
||||
- **Microsoft**: Create a new, blank email message with the one of the following recipients:
|
||||
- Junk: junk@office365.microsoft.com
|
||||
- Phishing: phish@office365.microsoft.com
|
||||
|
||||
Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
|
||||
|
||||
- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
|
||||
|
||||
If you’re on a suspicious website:
|
||||
|
||||
- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
|
||||
|
||||
- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
|
||||
|
||||
>[!NOTE]
|
||||
>For more information, see [Protect yourself from phishing](https://support.microsoft.com/en-us/help/4033787/windows-protect-yourself-from-phishing).
|
||||
|
||||
## How phishing works
|
||||
|
||||
Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season bait content can be tax-filing announcements that attempt to lure you into providing personal information such as your SSN or bank account information.
|
||||
|
||||
Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information.
|
||||
|
||||
Another common phishing technique is the use of emails that direct you to open a malicious attachment like a PDF file. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you.
|
||||
|
||||
## Phishing trends and techniques
|
||||
|
||||
### Invoice phishing
|
||||
|
||||
In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds.
|
||||
|
||||
### Payment/delivery scam
|
||||
|
||||
You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them.
|
||||
|
||||
### Tax-themed phishing scams
|
||||
|
||||
A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts.
|
||||
|
||||
### Downloads
|
||||
|
||||
An attacker sends a fraudulent email requesting you to open or download a document, often requiring you to sign in.
|
||||
|
||||
### Phishing emails that deliver other threats
|
||||
|
||||
Phishing emails are often very effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files.
|
||||
|
||||
We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems.
|
||||
|
||||
## Targeted attacks against enterprises
|
||||
|
||||
### Spear phishing
|
||||
|
||||
Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target.
|
||||
|
||||
Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer.
|
||||
|
||||
The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks.
|
||||
|
||||
### Whaling
|
||||
|
||||
Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization.
|
||||
|
||||
### Business email compromise
|
||||
|
||||
Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers.
|
||||
|
||||
## How to protect against phishing attacks
|
||||
|
||||
Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate.
|
||||
|
||||
### Awareness
|
||||
## Learn the signs of a phishing scam
|
||||
|
||||
The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL.
|
||||
|
||||
@ -141,9 +58,7 @@ Here are several telltale signs of a phishing scam:
|
||||
|
||||
If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate.
|
||||
|
||||
For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
|
||||
|
||||
### Software solutions for organizations
|
||||
## Software solutions for organizations
|
||||
|
||||
* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data.
|
||||
|
||||
@ -151,14 +66,36 @@ For more information, download and read this Microsoft [e-book on preventing soc
|
||||
|
||||
* Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection.
|
||||
|
||||
For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md).
|
||||
## What to do if you've been a victim of a phishing scam
|
||||
|
||||
If you feel you've been a victim of a phishing attack:
|
||||
|
||||
1. Contact your IT admin if you are on a work computer
|
||||
2. Immediately change all passwords associated with the accounts
|
||||
3. Report any fraudulent activity to your bank and credit card company
|
||||
|
||||
### Reporting spam
|
||||
|
||||
- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**.
|
||||
|
||||
- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**.
|
||||
|
||||
- **Microsoft**: Create a new, blank email message with the one of the following recipients:
|
||||
- Junk: junk@office365.microsoft.com
|
||||
- Phishing: phish@office365.microsoft.com
|
||||
|
||||
Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis).
|
||||
|
||||
- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved.
|
||||
|
||||
### If you’re on a suspicious website
|
||||
|
||||
- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website.
|
||||
|
||||
- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website.
|
||||
|
||||
## More information about phishing attacks
|
||||
|
||||
For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/):
|
||||
|
||||
* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc)
|
||||
|
||||
* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc)
|
||||
|
||||
* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc)
|
||||
- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing)
|
||||
- [Phishing trends](phishing-trends.md)
|
||||
- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Enable Block at First Sight to detect malware in seconds
|
||||
description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly.
|
||||
title: Enable block at first sight to detect malware in seconds
|
||||
description: Turn on the block at first sight feature to detect and block malware within seconds.
|
||||
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -12,7 +12,7 @@ ms.author: deniseb
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.custom: nextgen
|
||||
ms.date: 08/26/2020
|
||||
ms.date: 10/22/2020
|
||||
---
|
||||
|
||||
# Turn on block at first sight
|
||||
@ -24,9 +24,9 @@ ms.date: 08/26/2020
|
||||
|
||||
- Microsoft Defender Antivirus
|
||||
|
||||
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
|
||||
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments.
|
||||
|
||||
You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
|
||||
You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
|
||||
|
||||
>[!TIP]
|
||||
>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
|
||||
@ -40,109 +40,75 @@ Microsoft Defender Antivirus uses multiple detection and prevention technologies
|
||||
|
||||
In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
|
||||
|
||||
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
|
||||
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file.
|
||||
|
||||
If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
|
||||
|
||||
In many cases, this process can reduce the response time for new malware from hours to seconds.
|
||||
|
||||
## Confirm and validate that block at first sight is turned on
|
||||
## Turn on block at first sight with Microsoft Intune
|
||||
|
||||
Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments.
|
||||
> [!TIP]
|
||||
> Microsoft Intune is now part of Microsoft Endpoint Manager.
|
||||
|
||||
### Confirm block at first sight is turned on with Intune
|
||||
1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**.
|
||||
|
||||
1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**.
|
||||
2. Select or create a profile using the **Device restrictions** profile type.
|
||||
|
||||
> [!NOTE]
|
||||
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
|
||||
3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**:
|
||||
|
||||
2. Verify these settings are configured as follows:
|
||||
|
||||
- **Cloud-delivered protection**: **Enable**
|
||||
- **File Blocking Level**: **High**
|
||||
- **Time extension for file scanning by the cloud**: **50**
|
||||
- **Prompt users before sample submission**: **Send all data without prompting**
|
||||
- **Cloud-delivered protection**: Enabled
|
||||
- **File Blocking Level**: High
|
||||
- **Time extension for file scanning by the cloud**: 50
|
||||
- **Prompt users before sample submission**: Send all data without prompting
|
||||
|
||||
|
||||
|
||||
> [!WARNING]
|
||||
> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
|
||||
4. Save your settings.
|
||||
|
||||
For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
|
||||
> [!TIP]
|
||||
> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
|
||||
> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
|
||||
> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
|
||||
|
||||
For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
|
||||
## Turn on block at first sight with Microsoft Endpoint Manager
|
||||
|
||||
### Turn on block at first sight with Microsoft Endpoint Configuration Manager
|
||||
> [!TIP]
|
||||
> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager.
|
||||
|
||||
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
|
||||
1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**.
|
||||
|
||||
2. Click **Home** > **Create Antimalware Policy**.
|
||||
2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type.
|
||||
|
||||
3. Enter a name and a description, and add these settings:
|
||||
- **Real time protection**
|
||||
- **Advanced**
|
||||
- **Cloud Protection Service**
|
||||
3. Set or confirm the following configuration settings:
|
||||
|
||||
4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
|
||||
|
||||
- **Turn on cloud-delivered protection**: Yes
|
||||
- **Cloud-delivered protection level**: High
|
||||
- **Defender Cloud Extended Timeout in Seconds**: 50
|
||||
|
||||
5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
|
||||
|
||||
:::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager":::
|
||||
|
||||
6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
|
||||
|
||||
4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**.
|
||||
|
||||
7. Click **OK** to create the policy.
|
||||
## Turn on block at first sight with Group Policy
|
||||
|
||||
### Confirm block at first sight is turned on with Group Policy
|
||||
> [!NOTE]
|
||||
> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight.
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**.
|
||||
|
||||
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
|
||||
3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**.
|
||||
|
||||
1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
|
||||
|
||||
2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
|
||||
|
||||
> [!WARNING]
|
||||
> [!IMPORTANT]
|
||||
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
|
||||
|
||||
4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**:
|
||||
4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**.
|
||||
|
||||
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
|
||||
5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered.
|
||||
|
||||
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
|
||||
|
||||
5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**:
|
||||
|
||||
1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**.
|
||||
|
||||
2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**.
|
||||
|
||||
If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered.
|
||||
|
||||
### Confirm block at first sight is turned on with Registry editor
|
||||
|
||||
1. Start Registry Editor.
|
||||
|
||||
2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that
|
||||
|
||||
1. **SpynetReporting** key is set to **1**
|
||||
|
||||
2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
|
||||
|
||||
3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that
|
||||
|
||||
1. **DisableIOAVProtection** key is set to **0**
|
||||
|
||||
2. **DisableRealtimeMonitoring** key is set to **0**
|
||||
|
||||
4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2**
|
||||
|
||||
### Confirm Block at First Sight is enabled on individual clients
|
||||
## Confirm block at first sight is enabled on individual clients
|
||||
|
||||
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
|
||||
|
||||
@ -157,24 +123,43 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote
|
||||
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
|
||||
|
||||
> [!NOTE]
|
||||
> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
|
||||
> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints.
|
||||
> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
|
||||
|
||||
### Validate block at first sight is working
|
||||
## Validate block at first sight is working
|
||||
|
||||
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
|
||||
To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
|
||||
|
||||
## Turn off block at first sight
|
||||
|
||||
> [!WARNING]
|
||||
> Turning off block at first sight will lower the protection state of the endpoint and your network.
|
||||
> [!CAUTION]
|
||||
> Turning off block at first sight will lower the protection state of your device(s) and your network.
|
||||
|
||||
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
|
||||
You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently.
|
||||
|
||||
### Turn off block at first sight with Microsoft Endpoint Manager
|
||||
|
||||
1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
|
||||
|
||||
2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy.
|
||||
|
||||
3. Under **Manage**, choose **Properties**.
|
||||
|
||||
4. Next to **Configuration settings**, choose **Edit**.
|
||||
|
||||
5. Change one or more of the following settings:
|
||||
|
||||
- Set **Turn on cloud-delivered protection** to **No** or **Not configured**.
|
||||
- Set **Cloud-delivered protection level** to **Not configured**.
|
||||
- Clear the **Defender Cloud Extended Timeout In Seconds** box.
|
||||
|
||||
6. Review and save your settings.
|
||||
|
||||
### Turn off block at first sight with Group Policy
|
||||
|
||||
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**.
|
||||
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 12 KiB |
@ -41,6 +41,14 @@ ms.date: 04/24/2018
|
||||
> For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates.
|
||||
|
||||
## Onboard devices using Group Policy
|
||||
|
||||
[](images/onboard-gp.png#lightbox)
|
||||
|
||||
|
||||
Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP.
|
||||
|
||||
|
||||
|
||||
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
@ -40,6 +40,10 @@ For more information on enabling MDM with Microsoft Intune, see [Device enrollme
|
||||
|
||||
## Onboard devices using Microsoft Intune
|
||||
|
||||
[ ](images/onboard-intune-big.png#lightbox)
|
||||
|
||||
Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP.
|
||||
|
||||
Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
|
||||
|
||||
For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx).
|
||||
@ -54,6 +58,7 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh
|
||||
> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md).
|
||||
|
||||
|
||||
Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP.
|
||||
|
||||
## Offboard and monitor devices using Mobile Device Management tools
|
||||
For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
|
||||
|
||||
@ -52,6 +52,14 @@ Starting in Configuration Manager version 2002, you can onboard the following op
|
||||
|
||||
### Onboard devices using System Center Configuration Manager
|
||||
|
||||
|
||||
[](images/onboard-config-mgr.png#lightbox)
|
||||
|
||||
|
||||
Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP.
|
||||
|
||||
|
||||
|
||||
1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
|
||||
|
||||
a. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
@ -40,6 +40,13 @@ You can also manually onboard individual devices to Microsoft Defender ATP. You
|
||||
> To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md).
|
||||
|
||||
## Onboard devices
|
||||
|
||||
[](images/onboard-script.png#lightbox)
|
||||
|
||||
|
||||
Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP.
|
||||
|
||||
|
||||
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/):
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Onboarding**.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Deployment phases
|
||||
description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
|
||||
description: Learn how to deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service
|
||||
keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -29,23 +29,25 @@ ms.topic: article
|
||||
|
||||
There are three phases in deploying Microsoft Defender ATP:
|
||||
|
||||
|Phase | Desription |
|
||||
|Phase | Description |
|
||||
|:-------|:-----|
|
||||
| <br>[Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP: <br><br>- Stakeholders and sign-off <br> - Environment considerations <br>- Access <br> - Adoption order
|
||||
|  <br>[Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:<br><br>- Validating the licensing <br> - Completing the setup wizard within the portal<br>- Network configuration|
|
||||
|  <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:<br><br>- Using Microsoft Endpoint Configuration Manager to onboard devices<br>- Configure capabilities
|
||||
|  <br>[Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them.
|
||||
|
||||
|
||||
|
||||
The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
|
||||
The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP.
|
||||
|
||||
There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md).
|
||||
If you're unfamiliar with the general deployment planning steps, check out the [Plan deployment](deployment-strategy.md) topic to get a high-level overview of the general deployment steps and methods.
|
||||
|
||||
## In Scope
|
||||
|
||||
The following is in scope for this deployment guide:
|
||||
|
||||
- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service
|
||||
- Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities
|
||||
|
||||
- Enabling Microsoft Defender ATP endpoint detection and response (EDR) capabilities
|
||||
|
||||
- Enabling Microsoft Defender ATP endpoint protection platform (EPP)
|
||||
capabilities
|
||||
@ -54,11 +56,6 @@ The following is in scope for this deployment guide:
|
||||
|
||||
- Attack surface reduction
|
||||
|
||||
- Enabling Microsoft Defender ATP endpoint detection and response (EDR)
|
||||
capabilities including automatic investigation and remediation
|
||||
|
||||
- Enabling Microsoft Defender ATP threat and vulnerability management (TVM)
|
||||
|
||||
|
||||
## Out of scope
|
||||
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
---
|
||||
title: Plan your Microsoft Defender ATP deployment strategy
|
||||
title: Plan your Microsoft Defender ATP deployment
|
||||
description: Select the best Microsoft Defender ATP deployment strategy for your environment
|
||||
keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
@ -16,7 +16,7 @@ ms.collection: M365-security-compliance
|
||||
ms.topic: article
|
||||
---
|
||||
|
||||
# Plan your Microsoft Defender ATP deployment strategy
|
||||
# Plan your Microsoft Defender ATP deployment
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
@ -27,24 +27,51 @@ ms.topic: article
|
||||
|
||||
Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP.
|
||||
|
||||
These are the general steps you need to take to deploy Microsoft Defender ATP:
|
||||
|
||||
You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported:
|
||||
|
||||
|
||||
- Group policy
|
||||
- Microsoft Endpoint Configuration Manager
|
||||
- Mobile Device Management tools
|
||||
- Local script
|
||||
- Identify architecture
|
||||
- Select deployment method
|
||||
- Configure capabilities
|
||||
|
||||
|
||||
## Microsoft Defender ATP deployment strategy
|
||||
## Step 1: Identify architecture
|
||||
We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service.
|
||||
|
||||
Depending on your environment, some tools are better suited for certain architectures.
|
||||
|
||||
Use the following material to select the appropriate Microsoft Defender ATP architecture that best suites your organization.
|
||||
|
||||
|**Item**|**Description**|
|
||||
|:-----|:-----|
|
||||
|[](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)<br/> [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures: <ul><li> Cloud-native </li><li> Co-management </li><li> On-premise</li><li>Evaluation and local onboarding</li>
|
||||
|
||||
|
||||
|
||||
## Step 2: Select deployment method
|
||||
Microsoft Defender ATP supports a variety of endpoints that you can onboard to the service.
|
||||
|
||||
The following table lists the supported endpoints and the corresponding deployment tool that you can use so that you can plan the deployment appropriately.
|
||||
|
||||
| Endpoint | Deployment tool |
|
||||
|--------------|------------------------------------------|
|
||||
| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
|
||||
| **macOS** | [Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
|
||||
| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
|
||||
| **iOS** | [App-based](ios-install.md) |
|
||||
| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
|
||||
|
||||
|
||||
|
||||
## Step 3: Configure capabilities
|
||||
After onboarding endpoints, configure the security capabilities in Microsoft Defender ATP so that you can maximize the robust security protection available in the suite. Capabilities include:
|
||||
|
||||
- Endpoint detection and response
|
||||
- Next-generation protection
|
||||
- Attack surface reduction
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
- [Deployment phases](deployment-phases.md)
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 230 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 644 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 7.4 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 543 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 396 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 577 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 429 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 11 KiB |
@ -40,6 +40,20 @@ In general, to onboard devices to the service:
|
||||
|
||||
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr]
|
||||
|
||||
## Onboarding tool options
|
||||
The following table lists the available tools based on the endpoint that you need to onboard.
|
||||
|
||||
| Endpoint | Tool options |
|
||||
|--------------|------------------------------------------|
|
||||
| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
|
||||
| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
|
||||
| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
|
||||
| **iOS** | [App-based](ios-install.md) |
|
||||
| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
|
||||
|
||||
|
||||
|
||||
|
||||
## In this section
|
||||
Topic | Description
|
||||
:---|:---
|
||||
|
||||
@ -26,16 +26,40 @@ ms.topic: article
|
||||
**Applies to:**
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
## Collection creation
|
||||
This article is part of the Deployment guide and acts as an example onboarding method that guides users in:
|
||||
- Step 1: Onboarding Windows devices to the service
|
||||
- Step 2: Configuring Microsoft Defender ATP capabilities
|
||||
|
||||
This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Configuration Manager:
|
||||
- **Creating a collection in Microsoft Endpoint Configuration Manager**
|
||||
- **Configuring Microsoft Defender ATP capabilities using Microsoft Endpoint Configuration Manager**
|
||||
|
||||
>[!NOTE]
|
||||
>Only Windows devices are covered in this example deployment.
|
||||
|
||||
While Microsoft Defender ATP supports onboarding of various endpoints and tools, this article does not cover them.
|
||||
|
||||
For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md).
|
||||
|
||||
|
||||
## Step 1: Onboard Windows devices using Microsoft Endpoint Configuration Manager
|
||||
|
||||
### Collection creation
|
||||
To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
|
||||
deployment can target either and existing collection or a new collection can be
|
||||
created for testing. The onboarding like group policy or manual method does
|
||||
not install any agent on the system. Within the Configuration Manager console
|
||||
deployment can target an existing collection or a new collection can be
|
||||
created for testing.
|
||||
|
||||
Onboarding using tools such as Group policy or manual method does not install any agent on the system.
|
||||
|
||||
Within the Microsoft Endpoint Configuration Manager console
|
||||
the onboarding process will be configured as part of the compliance settings
|
||||
within the console. Any system that receives this required configuration will
|
||||
within the console.
|
||||
|
||||
Any system that receives this required configuration will
|
||||
maintain that configuration for as long as the Configuration Manager client
|
||||
continues to receive this policy from the management point. Follow the steps
|
||||
below to onboard systems with Configuration Manager.
|
||||
continues to receive this policy from the management point.
|
||||
|
||||
Follow the steps below to onboard endpoints using Microsoft Endpoint Configuration Manager.
|
||||
|
||||
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
||||
|
||||
@ -75,8 +99,17 @@ below to onboard systems with Configuration Manager.
|
||||
|
||||
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
|
||||
|
||||
## Endpoint detection and response
|
||||
### Windows 10
|
||||
|
||||
## Step 2: Configure Microsoft Defender ATP capabilities
|
||||
This section guides you in configuring the following capabilities using Microsoft Endpoint Configuration Manager on Windows devices:
|
||||
|
||||
- [**Endpoint detection and response**](#endpoint-detection-and-response)
|
||||
- [**Next-generation protection**](#next-generation-protection)
|
||||
- [**Attack surface reduction**](#attack-surface-reduction)
|
||||
|
||||
|
||||
### Endpoint detection and response
|
||||
#### Windows 10
|
||||
From within the Microsoft Defender Security Center it is possible to download
|
||||
the '.onboarding' policy that can be used to create the policy in System Center Configuration
|
||||
Manager and deploy that policy to Windows 10 devices.
|
||||
@ -132,7 +165,7 @@ Manager and deploy that policy to Windows 10 devices.
|
||||
|
||||
|
||||
|
||||
### Previous versions of Windows Client (Windows 7 and Windows 8.1)
|
||||
#### Previous versions of Windows Client (Windows 7 and Windows 8.1)
|
||||
Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
|
||||
|
||||
1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
|
||||
@ -183,7 +216,7 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W
|
||||
|
||||
Once completed, you should see onboarded endpoints in the portal within an hour.
|
||||
|
||||
## Next generation protection
|
||||
### Next generation protection
|
||||
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
|
||||
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
||||
@ -230,7 +263,7 @@ needs on how Antivirus is configured.
|
||||
After completing this task, you now have successfully configured Windows
|
||||
Defender Antivirus.
|
||||
|
||||
## Attack surface reduction
|
||||
### Attack surface reduction
|
||||
The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
|
||||
Protection.
|
||||
|
||||
@ -295,7 +328,7 @@ See [Optimize ASR rule deployment and
|
||||
detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
|
||||
|
||||
|
||||
### To set Network Protection rules in Audit mode:
|
||||
#### Set Network Protection rules in Audit mode:
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
@ -325,7 +358,7 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros
|
||||
After completing this task, you now have successfully configured Network
|
||||
Protection in audit mode.
|
||||
|
||||
### To set Controlled Folder Access rules in Audit mode:
|
||||
#### To set Controlled Folder Access rules in Audit mode:
|
||||
|
||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||
|
||||
|
||||
@ -27,24 +27,25 @@ ms.topic: article
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
|
||||
In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy
|
||||
Microsoft Defender ATP to your endpoints.
|
||||
|
||||
For more information about MEM, check out these resources:
|
||||
- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
|
||||
- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
||||
- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
|
||||
|
||||
|
||||
This process is a multi-step process, you'll need to:
|
||||
This article is part of the Deployment guide and acts as an example onboarding method that guides users in:
|
||||
- Step 1: Onboarding devices to the service by creating a group in Microsoft Endpoint Manager (MEM) to assign configurations on
|
||||
- Step 2: Configuring Microsoft Defender ATP capabilities using Microsoft Endpoint Manager
|
||||
|
||||
- Identify target devices or users
|
||||
This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Manager:
|
||||
|
||||
- Create an Azure Active Directory group (User or Device)
|
||||
- [Identifying target devices or users](#identify-target-devices-or-users)
|
||||
|
||||
- Create a Configuration Profile
|
||||
- Creating an Azure Active Directory group (User or Device)
|
||||
|
||||
- In MEM, we'll guide you in creating a separate policy for each feature
|
||||
- [Creating a Configuration Profile](#step-2-create-configuration-policies-to-configure-microsoft-defender-atp-capabilities)
|
||||
|
||||
- In Microsoft Endpoint Manager, we'll guide you in creating a separate policy for each capability.
|
||||
|
||||
While Microsoft Defender ATP supports onboarding of various endpoints and tools, this article does not cover them.
|
||||
|
||||
For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md).
|
||||
|
||||
## Resources
|
||||
|
||||
@ -57,7 +58,13 @@ Here are the links you'll need for the rest of the process:
|
||||
|
||||
- [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
|
||||
|
||||
## Identify target devices or users
|
||||
For more information about Microsoft Endpoint Manager, check out these resources:
|
||||
- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
|
||||
- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
||||
- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
|
||||
|
||||
## Step 1: Onboard devices by creating a group in MEM to assign configurations on
|
||||
### Identify target devices or users
|
||||
In this section, we will create a test group to assign your configurations on.
|
||||
|
||||
>[!NOTE]
|
||||
@ -93,11 +100,18 @@ needs.<br>
|
||||
|
||||
8. Your testing group now has a member to test.
|
||||
|
||||
## Create configuration policies
|
||||
## Step 2: Create configuration policies to configure Microsoft Defender ATP capabilities
|
||||
In the following section, you'll create a number of configuration policies.
|
||||
|
||||
First is a configuration policy to select which groups of users or devices will
|
||||
be onboarded to Microsoft Defender ATP. Then you will continue by creating several
|
||||
different types of Endpoint security policies.
|
||||
be onboarded to Microsoft Defender ATP.
|
||||
|
||||
Then you will continue by creating several
|
||||
different types of endpoint security policies.
|
||||
|
||||
- [Endpoint detection and response](#endpoint-detection-and-response)
|
||||
- [Next-generation protection](#next-generation-protection)
|
||||
- [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules)
|
||||
|
||||
### Endpoint detection and response
|
||||
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Onboard to the Microsoft Defender ATP service
|
||||
description:
|
||||
description: Learn how to onboard endpoints to Microsoft Defender ATP service
|
||||
keywords:
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.prod: w10
|
||||
@ -44,28 +44,51 @@ Deploying Microsoft Defender ATP is a three-phase process:
|
||||
</td>
|
||||
<td align="center" bgcolor="#d5f5e3">
|
||||
<a href="https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboarding">
|
||||
<img src="images/onboard.png" alt="Onboard" title="Onboard to the Microsoft Defender ATP service" />
|
||||
<img src="images/onboard.png" alt="Onboard diagram" title="Onboard to the Microsoft Defender ATP service" />
|
||||
<br/>Phase 3: Onboard </a><br>
|
||||
</td>
|
||||
|
||||
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
You are currently in the onboarding phase.
|
||||
|
||||
These are the steps you need to take to deploy Microsoft Defender ATP:
|
||||
|
||||
- Step 1: Onboard endpoints to the service
|
||||
- Step 2: Configure capabilities
|
||||
|
||||
## Step 1: Onboard endpoints using any of the supported management tools
|
||||
The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Microsoft Defender ATP.
|
||||
|
||||
After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service.
|
||||
|
||||
### Onboarding tool options
|
||||
|
||||
The following table lists the available tools based on the endpoint that you need to onboard.
|
||||
|
||||
| Endpoint | Tool options |
|
||||
|--------------|------------------------------------------|
|
||||
| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
|
||||
| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
|
||||
| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
|
||||
| **iOS** | [App-based](ios-install.md) |
|
||||
| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
|
||||
|
||||
|
||||
To deploy Microsoft Defender ATP, you'll need to onboard devices to the service.
|
||||
|
||||
Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
|
||||
|
||||
After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
|
||||
## Step 2: Configure capabilities
|
||||
After onboarding the endpoints, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
|
||||
|
||||
|
||||
This article provides resources to guide you on:
|
||||
- Using various management tools to onboard devices
|
||||
- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
|
||||
- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
|
||||
## Example deployments
|
||||
In this deployment guide, we'll guide you through using two deployment tools to onboard endpoints and how to configure capabilities.
|
||||
|
||||
The tools in the example deployments are:
|
||||
- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
|
||||
- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
|
||||
|
||||
Using the mentioned deployment tools above, you'll then be guided in configuring the following Microsoft Defender ATP capabilities:
|
||||
- Endpoint detection and response configuration
|
||||
- Next-generation protection configuration
|
||||
- Attack surface reduction configuration
|
||||
|
||||
@ -22,7 +22,6 @@ ms.topic: conceptual
|
||||
|
||||
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631)
|
||||
|
||||
@ -86,7 +86,8 @@ The threat insights icon is highlighted if there are associated exploits in the
|
||||
|
||||
If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details, threat insights, and exposed devices.
|
||||
|
||||
The "OS Feature" category is shown in relevant scenarios.
|
||||
- The "OS Feature" category is shown in relevant scenarios
|
||||
- You can go to the related security recommendation for every CVE with exposed device
|
||||
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user