From 005bcd9283face7ec6d8d9ee147dd426ba860420 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 23 Apr 2018 14:34:26 -0700 Subject: [PATCH 1/3] Added info about reboot required, plus new topic for restoring quarantined files. --- windows/security/threat-protection/TOC.md | 1 + ...-remediation-windows-defender-antivirus.md | 7 +++ ...ntined-files-windows-defender-antivirus.md | 47 +++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index c7591e103c..b808cc230f 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -242,6 +242,7 @@ #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md) #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md) #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md) +#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md) ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 27f2b3e2e4..41eef3f1c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md 
@@ -65,6 +65,13 @@ Quarantine | Configure removal of items from Quarantine folder | Specify how man Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable +>[!IMPORTANT] +>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additonal remediation steps have been completed. +>

+>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md). +>

+>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md). + Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings. diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md new file mode 100644 index 0000000000..9881b9e0a9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md 
@@ -0,0 +1,47 @@ +--- +title: Restore quarantined files in Windows Defender AV +description: You can restore files and folders that were quarantined by Windows Defender AV. +keywords: +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 04/23/2018 +--- + +# Restore quarantined files in Windows Defender AV + + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + +**Audience** + +- Enterprise security administrators + +**Manageability available with** + +- Windows Defender Security Center + +If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. + +1. Open **Windows Defender Security Center**. +2. Click **Virus & threat protection** and then click **Scan history**. +3. Under **Quarantined threats**, click **See full history**. +4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.) + +## Related topics + +[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +[Review scan results](review-scan-results-windows-defender-antivirus.md) +[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) + From 0191ad50f4e9abd0ed1c70bb7e380b4c157f318c Mon Sep 17 00:00:00 2001 
From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 23 Apr 2018 15:07:22 -0700 Subject: [PATCH 2/3] Fix formatting and a typo. --- ...configure-remediation-windows-defender-antivirus.md | 2 +- ...ore-quarantined-files-windows-defender-antivirus.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 41eef3f1c0..8fbf0984c3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -66,7 +66,7 @@ Threats | Specify threat alert levels at which default action should not be take Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable >[!IMPORTANT] ->Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additonal remediation steps have been completed. +>Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. >

>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md). >

diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 9881b9e0a9..db4d6528c0 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -39,9 +39,9 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y ## Related topics -[Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) -[Review scan results](review-scan-results-windows-defender-antivirus.md) -[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) -[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -[Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) +- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) +- [Review scan results](review-scan-results-windows-defender-antivirus.md) +- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) +- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) From d1591fa11c8a9e44cc28a29cf69be39369f1bc97 Mon Sep 17 00:00:00 2001 
From: Javier Aranzales Date: Mon, 23 Apr 2018 23:05:18 +0000 Subject: [PATCH 3/3] Merged PR 7388: Updated itadmin-tib-get-started.md Updated itadmin-tib-get-started.md --- education/trial-in-a-box/itadmin-tib-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index 97a8d7964f..45008bc831 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -150,7 +150,7 @@ A provisioning package is a method for applying settings to Windows 10 without n ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png) - If the PC is past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings > Update & security > Recovery > Reset this PC**. + If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.** 2. Insert the USB drive into **Device B**. Windows will recognize the drive and automatically install the provisioning package. 3. When prompted, remove the USB drive. You can then use the USB drive to start provisioning another student PC.
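Review bot: in [PATCH 1/3], the last paragraph of the `[!IMPORTANT]` note added to configure-remediation-windows-defender-antivirus.md ("To avoid this problem in the future, you can exclude files from the scans") offers exclusions as a general remedy with no limit on scope. Suggest tying it to the case described in the paragraph before it, for example "you can exclude the file that was confirmed as a false positive", so readers do not exclude more than that file. The first paragraph of the note also has the typo "additonal"; [PATCH 2/3] corrects it, so the two commits could be squashed.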
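Review bot: in [PATCH 3/3], the replacement line in itadmin-tib-get-started.md tells the reader to select **Ctrl + Shift + F3** and then **Okay** in the "System Preparation Tool" without saying what the tool does to the device or which of its settings to leave unchanged before confirming. Suggest adding that, and writing the button label exactly as the tool shows it. The condition also changed from "past the account setup screen" to "go past the region selection screen"; please confirm the narrower trigger is intended. Minor: the closing period sits inside the bold span in `Reset this PC.**` and should move outside it, and "which will prompt" needs a comma before it.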