Merged master
@ -3,7 +3,7 @@ title: Windows Autopilot requirements
ms.reviewer:
manager: laurawi
description: See the requirements you need to run Windows Autopilot in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, Autopilot, ztd, zero-touch, partner, msfb, intune
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
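Review bot: the `keywords:` value is the only thing this front-matter hunk changes, and it swaps `autopilot` for `Autopilot` in a list where every other term (`mdm`, `oobe`, `intune`, `msfb`) is lowercase; search keywords are not user-visible text, so keep the lowercase form for consistency with the rest of the list rather than applying product-name casing here.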
@ -27,7 +27,7 @@ ms.custom:
Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met.
> [!NOTE]
> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot).
> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsAutopilot).
## Software requirements
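Review bot: the only change in this hunk is inside the link target, `https://aka.ms/windowsautopilot` becoming `https://aka.ms/windowsAutopilot`, while the visible link text is unchanged; a product-name casing pass should not touch URLs, so revert the target to the original short link. The same find-and-replace has rewritten link targets in the later hunks of this file as well, and those should be reverted for the same reason.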
@ -50,7 +50,12 @@ Windows Autopilot depends on a variety of internet-based services. Access to the
- Ensure DNS name resolution for internet DNS names.
- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP).
In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details:
In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services.
> [!NOTE]
> Smart card and certificate based authentication are not supported during OOBE. For more information, see [Smartcards and certificate-based authentication](https://docs.microsoft.com/azure/active-directory/devices/azureadjoin-plan#smartcards-and-certificate-based-authentication).
For additional details about each of these services and their specific requirements, review the following details:
<table><th>Service<th>Information
<tr><td><b>Windows Autopilot Deployment Service<b><td>After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service. With Windows 10 version 1903 and above, the following URLs are used: https://ztd.dds.microsoft.com, https://cs.dds.microsoft.com. <br>
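Review bot: the new NOTE about smart card and certificate-based authentication is placed between the firewall bullet list and the sentence that introduces the service table, so it reads as a network requirement when it is actually an OOBE sign-in limitation; consider moving it after the table or under the software requirements heading, and hyphenate `certificate-based` in the note text. Splitting the original paragraph is fine: the first half now stands alone, and `For additional details about each of these services and their specific requirements, review the following details:` correctly sits immediately before the table.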
@ -61,11 +66,11 @@ In environments that have more restrictive Internet access, or for those that re
<tr><td><b>Intune<b><td>Once authenticated, Azure Active Directory will trigger enrollment of the device into the Intune MDM service. See the following link for details about network communication requirements: <a href="https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements">Intune network configuration requirements and bandwidth</a>.
<tr><td><b>Windows Update<b><td>During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. If there are problems connecting to Windows Update, see <a href="https://support.microsoft.com/help/818018/how-to-solve-connection-problems-concerning-windows-update-or-microsof">How to solve connection problems concerning Windows Update or Microsoft Update</a>.<br>
If Windows Update is inaccessible, the AutoPilot process will still continue but critical updates will not be available.
If Windows Update is inaccessible, the Autopilot process will still continue but critical updates will not be available.
<tr><td><b>Delivery Optimization<b><td>When downloading Windows Updates, Microsoft Store apps and app updates, Office Updates and Intune Win32 Apps, the <a href="https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization">Delivery Optimization</a> service is contacted to enable peer-to-peer sharing of content so that only a few devices need to download it from the internet.<br>
If the Delivery Optimization Service is inaccessible, the AutoPilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
If the Delivery Optimization Service is inaccessible, the Autopilot process will still continue with Delivery Optimization downloads from the cloud (without peer-to-peer).
<tr><td><b>Network Time Protocol (NTP) Sync<b><td>When a Windows device starts up, it will talk to a network time server to ensure that the time on the device is accurate. Ensure that UDP port 123 to time.windows.com is accessible.
<tr><td><b>Domain Name Services (DNS)<b><td>To resolve DNS names for all services, the device communicates with a DNS server, typically provided via DHCP. This DNS server must be able to resolve internet names.
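Review bot: the `AutoPilot` to `Autopilot` fixes in the Windows Update and Delivery Optimization rows are correct, but every row in this hunk opens its service name with `<b>Intune<b>`, `<b>Windows Update<b>`, `<b>Delivery Optimization<b>` and so on, where the second tag is another opening `<b>` rather than the closing `</b>`; since the PR is already touching these rows, change the second `<b>` in each cell to `</b>` so the bold element is properly terminated before the `<td>` that starts the description cell.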
@ -80,11 +85,11 @@ If diagnostic data cannot be sent, the Autopilot process will still continue, bu
If the WNS services are not available, the Autopilot process will still continue without notifications.
<tr><td><b>Microsoft Store, Microsoft Store for Business<b><td>Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM). App updates and additional apps may also be needed when the user first logs in. For more information, see <a href="https://docs.microsoft.com/microsoft-store/prerequisites-microsoft-store-for-business">Prerequisites for Microsoft Store for Business and Education</a> (also includes Azure AD and Windows Notification Services).<br>
If the Microsoft Store is not accessible, the AutoPilot process will still continue without Microsoft Store apps.
If the Microsoft Store is not accessible, the Autopilot process will still continue without Microsoft Store apps.
<tr><td><b>Office 365<b><td>As part of the Intune device configuration, installation of Microsoft 365 Apps for enterprise may be required. For more information, see <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2">Office 365 URLs and IP address ranges</a> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
<tr><td><b>Certificate revocation lists (CRLs)<b><td>Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services. A full list of these is documented at <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl">Office 365 URLs and IP address ranges</a> and <a href="https://aka.ms/o365chains">Office 365 Certificate Chains</a>.
<tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a>
<tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-Autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a>
<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See <a href="https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations">TPM recommendations</a> for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
<br>Intel- https://ekop.intel.com/ekcertservice
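Review bot: in the Hybrid AAD join row the casing replace has rewritten the link target from `https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid` to `.../windows-Autopilot/user-driven-hybrid` while the link text is unchanged; revert the path, since URL segments are not product names. The `AutoPilot` to `Autopilot` change in the Microsoft Store row is fine. While this row is being edited, the context text `The computer should be on corporate network` is also missing an article and could read `on the corporate network`.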
@ -95,15 +100,15 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
## Licensing requirements
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs:
Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs.
To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required:
- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business).
- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline).
- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx).
- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- [Microsoft 365 Business Premium subscription](https://www.microsoft.com/microsoft-365/business).
- [Microsoft 365 F1 or F3 subscription](https://www.microsoft.com/microsoft-365/enterprise/firstline).
- [Microsoft 365 Academic A1, A3, or A5 subscription](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx).
- [Microsoft 365 Enterprise E3 or E5 subscription](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune).
- [Enterprise Mobility + Security E3 or E5 subscription](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features.
- [Intune for Education subscription](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service).
> [!NOTE]
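Review bot: with each bullet now reading `... subscription` (singular), the trailing clause `which include all ...` no longer agrees with its subject; change it to `which includes` in the Microsoft 365 E3/E5, Enterprise Mobility + Security, and Intune for Education bullets, or keep the plural `subscriptions` as before. Adding `F1 or F3` to the firstline bullet is a content change beyond the casing fix and should be called out in the PR description. Changing the colon at the end of the intro paragraph to a period is right, since the list does not follow that sentence directly.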
@ -124,9 +129,9 @@ Before Windows Autopilot can be used, some configuration tasks are required to s
Specific scenarios will then have additional requirements. Generally, there are two specific tasks:
- Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details.
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information.
- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-Autopilot#create-an-Autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-Autopilot#assign-an-Autopilot-deployment-profile-to-a-device-group) for more information.
See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details.
See [Windows Autopilot Scenarios](windows-Autopilot-scenarios.md) for additional details.
For a walkthrough for some of these and related steps, see this video:
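Review bot: two link targets in this hunk are broken by the casing replace. The relative link `windows-autopilot-scenarios.md` becomes `windows-Autopilot-scenarios.md`, which points at a file that does not exist unless it was renamed in the same change, and the Intune links now carry `enrollment-Autopilot#create-an-Autopilot-device-group` and `#assign-an-Autopilot-deployment-profile-to-a-device-group`, where the fragment identifiers are case-sensitive and will no longer match the lowercase heading anchors the original links used. Keep `Autopilot` in the link text but restore the original lowercase paths and fragments.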
@ -138,4 +143,4 @@ There are no additional hardware requirements to use Windows 10 Autopilot, beyon
## Related topics
[Configure Autopilot deployment](https://docs.microsoft.com/windows/deployment/windows-autopilot/)
[Configure Autopilot deployment](https://docs.microsoft.com/windows/deployment/windows-Autopilot/)
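Review bot: the only change here is the link target `https://docs.microsoft.com/windows/deployment/windows-autopilot/` becoming `.../windows-Autopilot/`; the link text already read `Configure Autopilot deployment`, so this hunk should be dropped and the original URL kept.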
@ -0,0 +1,170 @@
---
title: Data processor service for Windows public preview terms
description: Use this article to understand Windows public preview terms of service.
keywords: privacy, GDPR
ms.localizationpriority: high
ROBOTS: NOINDEX, NOFOLLOW
ms.prod: w10
ms.topic: article
f1.keywords:
- NOCSH
ms.author: daniha
author: DaniHalfin
manager: dansimp
audience: itpro
ms.collection:
- GDPR
- M365-security-compliance
---
# Data processor service for Windows public preview terms
**These terms (“Terms”) must be read and accepted by a tenant admin with appropriate access rights and authority. By participating in this public preview, you: (a) agree to the following Terms, and (b) represent and warrant that you have such rights and authority.**
These Terms govern your use of the preview described below (“**Preview**”). In order to access the Preview, you must be a current Microsoft Windows customer with an Azure Active Directory (“**AAD**”) subscription. The Preview consists of features and services that are in preview, beta, or other pre-release form for use with Windows and AAD.
1. **Definitions**. The following terms have the following meanings:
1. "**Customer Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through your use of Windows or AAD.
2. "**Feedback**" means, collectively, suggestions, comments, feedback, ideas, or know-how, in any form, that you or your users provide to Microsoft about Microsoft’s business, products, or services.
3. "**Personal Data**" means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
4. "**Preview Data**" means all data, including all text, sound, video, or image files that are provided to Microsoft by, or on behalf of, you through use of the Services.
5. "**Subprocessor**" means other processors used by Microsoft to process Personal Data.
2. **Scope of Services**. The Preview is for a service that enables organizations to become controllers of Windows diagnostic data on supported versions of Windows, with Microsoft operating as processor of the data (collectively, the “**_Services_**”). You will collaborate with Microsoft in order to provide Microsoft the ability to enable the Services for you. To access the Services, you will need to configure participating Windows devices; Microsoft will assist you in such configuration via documentation or other communications.
3. **Intellectual Property**.
1. **License Grant**. During the term of this Preview (“**Term**”), Microsoft grants you and authorized users in your tenant for Windows a non-exclusive, non-transferable, non-sublicensable right and license to access and use the Services in accordance with these Terms.
2. **Use Terms**. These Terms supersede any Microsoft terms and conditions or other agreement. You acknowledge that (i) the Services may not work correctly or in the manner that a commercial service may function; Microsoft may change the Services for the final, commercial version or choose not to release a commercial version; (ii) Microsoft may not provide support for the Services; (iii) the Online Services Terms (OST), including any obligations Microsoft may have regarding Customer Data, do not apply to the Services or Preview Data; (iv) Microsoft has no obligation to hold, export, or return Preview Data, except as described in these Terms; (v) Microsoft has no liability for the deletion of Preview Data, except as described in these Terms; and (vi) you may lose access to the Services and Preview Data after the Term.
3. **Acceptable Use**. Neither you, nor those that access the Services through you, may: (a) use the Services: (i) in a way prohibited by law, regulation, governmental order or decree; (ii) to violate the rights of others; (iii) to try to gain unauthorized access to or disrupt any service, device, data, account or network; (iv) to spam or distribute malware; or (v) in a way that could harm the Services or impair anyone else’s use of it; or (b) reverse engineer, decompile, disassemble, or work around any technical limitations in the Services, or use the Services to create a competing product. You are responsible for responding to any third-party request regarding your use of the Services or Preview Data, such as a request to take down Preview Data under the U.S. Digital Millennium Copyright Act or other applicable laws.
4. **Data Collection, Use and Location**. The Microsoft Privacy Statement https://privacy.microsoft.com/privacystatement applies to the collection, use and location of Preview Data. In the event of a conflict between Privacy Statement and the terms of these Terms, the terms of these Terms will control.
4. **Confidentiality**. The following confidentiality terms apply to the Preview:
1. During the Term plus 5 years, the parties will hold in strictest confidence and not use or disclose to any third party any Confidential Information of the other party. “Confidential Information” means all non-public information a party designates in writing or orally as being confidential, or which under the circumstances of disclosure ought to be treated as confidential. Confidential Information includes information relating to: </br></br>
1. a party’s released or unreleased software or hardware products;</br></br>
2. a party’s source code;</br></br>
3. a party’s product marketing or promotion;</br></br>
4. a party’s business policies or practices;</br></br>
5. a party’s customers or suppliers;</br></br>
6. information received from others that a party must treat as confidential; and</br></br>
7. information provided, obtained, or created by a party under these Terms, including:
* information in reports;
* the parties’ electronic or written correspondence, customer lists and customer information, regardless of source;
* Personal Data; and
* Transactional, sales, and marketing information.
2. A party will consult with the other if it questions what comprises Confidential Information. Confidential Information excludes information (i) known to a party before the disclosing party’s disclosure to the receiving party, (ii) information publicly available through no fault of the receiving party, (iii) received from a third party without breach of an obligation owed to the disclosing party, or (iv) independently developed by a party without reference to or use of the disclosing party’s Confidential Information.
3. Each party will employ security procedures to prevent disclosure of the other party’s Confidential Information to unauthorized third parties. The receiving party’s security procedures must include risk assessment and controls for:</br></br>
1. system access;</br></br>
2. system and application development and maintenance;</br></br>
3. change management;</br></br>
4. asset classification and control;</br></br>
5. incident response, physical and environmental security;</br></br>
6. disaster recovery/business continuity; and</br></br>
7. employee training.
5. **Data Protection.**
**Generally**. To the extent Microsoft is a processor of Personal Data, the General Data Protection Regulation (GDPR) Terms in Appendix 1 govern that processing and the parties also agree to the following terms:
1. Processing Details: The parties agree that:
* The subject-matter of the processing is limited to Personal Data within the scope of the GDPR;
* The duration of the processing shall be for the duration of your right to use the Services and until all Personal Data is deleted or returned in accordance with your instructions or these Terms;
* The nature and purpose of the processing shall be to provide the Services pursuant to these Terms;
* The types of Personal Data processed by the Services include those expressly identified in Article 4 of the GDPR to the extent included by Preview Data; and
* The categories of data subjects are your representatives and end users, such as employees, contractors, collaborators, and customers.
2. Data Transfers:
* Preview Data and Personal Data that Microsoft processes on your behalf may be transferred to, and stored and processed in, the United States or any other country in which Microsoft or its Subprocessors operate. You appoint Microsoft to perform any such transfer of Preview Data and Personal Data to any such country and to store and process Preview Data and Personal Data to provide the Services.
* Microsoft will abide by the requirements of European Economic Area and Swiss data protection law regarding the collection, use, transfer, retention, and other processing of Personal Data from the European Economic Area and Switzerland. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.
* In addition, Microsoft is certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and the commitments they entail. Microsoft agrees to notify you in the event that it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Privacy Shield principles.
6. **No Support or Incident Response.** Microsoft will have no obligation under these Terms to correct any bugs, defects or errors in the Services or AAD, provide any updates, upgrades or new releases, or otherwise provide any technical support or maintenance for any Services or AAD. You will make reasonable efforts to promptly report to Microsoft any defects you find in the Services, as an aid to creating improved revisions of the Services. Microsoft will have no obligation under these Terms to provide you with incident response as part of the Services.
7. **Term and Termination.** The term of the Preview begins when you accept these Terms and continues until: (a) either party terminates this Preview by providing the other party: (i) 2 days’ notice for any reason (or no reason), or (ii) notice of such party’s breach of these Terms and such party fails to cure within 15 days, or (b) upon the general availability of the Services. When the Term ends, you will no longer have access to the Services, and Microsoft will no longer have the rights to access Customer Data granted herein. Each party will, on request, return or destroy the other’s Confidential Information provided under the Preview.
8. **Feedback.** Providing Feedback is voluntary. Microsoft is under no obligation to post or use any Feedback. By providing Feedback to Microsoft, you (and anyone providing Feedback through your use of the Preview) irrevocably and perpetually grant to Microsoft and its affiliates, under all of its (and their) owned or controlled intellectual property rights, a worldwide, non-exclusive, fully paid-up, royalty-free, transferable, sub-licensable right and license to make, use, reproduce, prepare derivative works based upon, distribute, publicly perform, publicly display, transmit, and otherwise commercialize the Feedback (including by combining or interfacing products, services or technologies that depend on or incorporate Feedback with other products, services or technologies of Microsoft or others), without attribution in any way and for any purpose. You warrant that (a) you will not provide Feedback that is subject to a license requiring Microsoft to license anything to third parties because Microsoft exercises any of the above rights in your Feedback; and (b) you own or otherwise control all of the rights to such Feedback and that no such Feedback is subject to any third-party rights (including any personality or publicity rights).
9. **Representations and Warranties; Limitation of Liability.**
1. **By the Parties.** Each party represents and warrants to the other party that (a) it has all necessary rights, title, and authority to enter into and perform under these Terms; (b) its performance under these Terms will not breach any agreement with a third party; and (c) it will comply with any and all laws, rules, and regulations that are applicable to its performance under these Terms.
2. **Disclaimer.** EXCEPT AS OTHERWISE PROVIDED IN THESE TERMS AND TO THE EXTENT APPLICABLE LAW PERMITS, MICROSOFT (a) PROVIDES THE SERVICES AS-IS; (b) PROVIDES NO WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE; AND (c) DOES NOT GUARANTEE THAT THE SERVICES WILL BE AVAILABLE, UNINTERRUPTED, OR ERROR-FREE, OR THAT LOSS OF PREVIEW DATA WILL NOT OCCUR.
3. **Limitation of Liability.** Except as otherwise described in this Section 9, the only remedy either party has for claims relating to these Terms or participation in the Preview is to terminate these Terms or your participation in the Preview. NEITHER PARTY WILL BE LIABLE TO THE OTHER PARTY FOR ANY DAMAGES, INCLUDING DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR DAMAGES FOR LOST REVENUE, LOST PROFIT, LOST BUSINESS INFORMATION, OR BUSINESS INTERRUPTION, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES. The limitations in this Section 9 do not apply to claims arising from any breach of confidentiality obligations under Section 4.
10. **General.**
1. **Non-Exclusivity.** These Terms are nonexclusive. These Terms do not restrict either party from entering into the same or similar arrangement with any third party.
2. **Jurisdiction and Governing Law.** The laws of the State of Washington, excluding conflicts of law provisions, govern these Terms. If federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the federal courts in King County, Washington. If no federal jurisdiction exists, then each party consents to exclusive jurisdiction and venue in the Superior Court of King County, Washington.
3. **Force Majeure.** A party will not be liable for failure to perform an obligation under these Terms to the extent that failure is due to a cause beyond that party’s reasonable control, including natural disaster, war, civil disturbance, or governmental action.
4. **Attorneys’ fees.** If a party employs attorneys to enforce any rights arising out of or relating to these Terms, the prevailing party will be entitled to recover its reasonable attorneys’ fees, costs, and other expenses.
5. **Assignment**. You may not assign these Terms or delegate any of your rights or obligations under these Terms to a third party without Microsoft’s prior written consent.
6. **Entire Agreement.** These Terms are the entire agreement between the parties regarding its subject matter and replaces all prior agreements, communications, and representations between the parties regarding its subject matter.
7. **Survival.** Sections 3.b, 4, 7 (with respect to post-termination obligations), and 8-10 will survive these Terms’ expiration or termination.</br></br>
<p align="center">
<b>Appendix 1: GDPR Terms</b><br>
For purposes of these GDPR Terms, you and Microsoft agree that you are the controller of Personal Data and Microsoft is the processor of such data, except when you act as a processor of Personal Data, in which case Microsoft is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Microsoft on your behalf. These GDPR Terms do not limit or reduce any data protection commitments Microsoft makes to you in other agreement between Microsoft and you. These GDPR Terms do not apply where Microsoft is a controller of Personal Data.
**Relevant GDPR Obligations: Articles 28, 32, and 33**
1. Microsoft shall not engage another processor without prior specific or your general written authorization. In the case of general written authorization, Microsoft shall inform you of any intended changes concerning the addition or replacement of other processors, thereby giving you the opportunity to object to such changes. (Article 28(2))
2. Processing by Microsoft shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law and are binding on Microsoft with regard to you. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and your obligations and rights are set forth in the Terms above, including these GDPR Terms. In particular, Microsoft shall:
1. process the Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Microsoft is subject; in such a case, Microsoft shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
|
||||
|
||||
3. take all measures required pursuant to Article 32 of the GDPR;
|
||||
|
||||
4. respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
|
||||
|
||||
5. taking into account the nature of the processing, assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR;
|
||||
|
||||
6. assist you in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Microsoft;
|
||||
|
||||
7. at your choice, delete or return all the Personal Data to you after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
|
||||
|
||||
8. make available to you all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you.
|
||||
|
||||
9. immediately inform you if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
|
||||
|
||||
3. Where Microsoft engages another processor for carrying out specific processing activities on your behalf, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Microsoft shall remain fully liable to you for the performance of that other processor's obligations. (Article 28(4))
|
||||
|
||||
4. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you and Microsoft shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
|
||||
|
||||
1. the pseudonymisation and encryption of Personal Data;
|
||||
|
||||
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
|
||||
|
||||
3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
|
||||
|
||||
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. (Article 32(1))
|
||||
|
||||
5. In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
|
||||
|
||||
6. You and Microsoft shall take steps to ensure that any natural person acting under your authority or Microsoft’s who has access to Personal Data does not process them except on instructions from you, unless he or she is required to do so by Union or Member State law. (Article 32(4))
|
||||
|
||||
7. Microsoft shall notify you without undue delay after becoming aware of a personal data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Microsoft.
|
||||
|
||||
|
||||
|
||||
|
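Review bot: item 8 of the Article 28(3) list (the line beginning "make available to you all information necessary") ends with a full stop while items 1 through 7 end with a semicolon and item 9 continues the same sentence; change it to ";" so the enumeration reads as one sentence, matching the Regulation's own structure. Also, in the opening paragraph, "in other agreement between Microsoft and you" should read "in other agreements between Microsoft and you".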
96
windows/privacy/deploy-data-processor-service-windows.md
Normal file
@ -0,0 +1,96 @@
|
||||
---
|
||||
title: Technical Deployment of the data processor service for Windows
|
||||
description: Use this article to understand how to deploy and manage the data processor service for Windows.
|
||||
keywords: privacy, GDPR
|
||||
ms.localizationpriority: high
|
||||
ROBOTS: NOINDEX, NOFOLLOW
|
||||
ms.prod: w10
|
||||
ms.topic: article
|
||||
f1.keywords:
|
||||
- NOCSH
|
||||
ms.author: daniha
|
||||
author: DaniHalfin
|
||||
manager: dansimp
|
||||
audience: itpro
|
||||
ms.collection:
|
||||
- GDPR
|
||||
- M365-security-compliance
|
||||
---
|
||||
|
||||
# Data processor service for Windows Overview
|
||||
|
||||
>[!NOTE]
|
||||
>This topic is intended for participants in the data processor service for Windows preview program and requires acceptance of specific terms of use. To learn
|
||||
more about the program and agree to the terms of use, see [https://aka.ms/dpswpublicpreview](https://aka.ms/dpswpublicpreview).
|
||||
|
||||
The privacy landscape keeps evolving, and with it, we make changes to our services to meet our customers’ needs.
|
||||
The data processor service for Windows empowers you to be in control of diagnostic data from Windows devices, and act as data controllers for that data, under the definition of the European Union General Data Protection Regulation (GDPR).
|
||||
|
||||
The data processor service for Windows will serve as a foundation for other Microsoft services that use Windows diagnostic data.
|
||||
|
||||
The data processor service for Windows offering enables you to store and manage your Windows diagnostic data in the cloud, on top of an end-to-end data platform designed and built with compliance in mind, to help you meet your compliance obligations.
|
||||
Your data is routed and stored inside an enterprise compliance boundary, operating under a prescriptive and focused set of compliance requirements, in accordance with industry standards.
|
||||
|
||||
The data processor service for Windows provides you with controls that help respond to delete data subject requests (DSRs) on diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for a specific Azure AD User ID.
|
||||
Should you desire so, Microsoft will accommodate a data processor service for Windows tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for diagnostic data, but still wish to remain an Azure customer.
|
||||
|
||||
>[!Note]
|
||||
>Tenant account closure will lead to the deletion of all data associated with that tenant.
|
||||
|
||||
## Deployment of data processor service for Windows
|
||||
Use the instructions below to easily manage the data processor service for Windows using a single setting, through Group Policy, or an MDM solution, in Windows 10, version 1809 or Windows Server 2019 and newer.
|
||||
|
||||
### Prerequisites
|
||||
#### Versions supported
|
||||
The data processor service for Windows is currently supported on Windows 10, version 1809, and newer versions.
|
||||
|
||||
#### Network requirements
|
||||
The following endpoints need to be reachable from devices enrolled into the data processor service for Windows:
|
||||
|
||||
login.live.com
|
||||
|
||||
cy2.vortex.data.microsoft.com.akadns.net
|
||||
|
||||
v10.events.data.microsoft.com
|
||||
|
||||
v10.vortex-win.data.microsoft.com/collect/v1
|
||||
|
||||
For additional information, see the “device authentication” and “diagnostic data” sections in the endpoint articles for each respective Windows version:
|
||||
|
||||
[Windows 10, version 1809 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1809-endpoints)
|
||||
|
||||
[Windows 10, version 1903 endpoints](https://docs.microsoft.com/Windows/privacy/manage-Windows-1903-endpoints)
|
||||
|
||||
### Deploying data processor service for Windows
|
||||
You can use either Group Policy or an MDM solution to deploy the data processor service for Windows to your supported devices.
|
||||
|
||||
In Group Policy, to enable data collection through the data processor service for Windows, go to **Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
|
||||
|
||||
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
|
||||
|
||||
To use an MDM solution, such as [Microsoft Intune](https://docs.microsoft.com/intune/custom-settings-Windows-10), to deploy the data processor service for Windows to your supported devices, use the following custom OMA-URI setting configuration:
|
||||
|
||||
- **Name:** System/AllowCommercialDataPipeline
|
||||
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
|
||||
- **Data type:** Integer
|
||||
|
||||
Under **Value**, use **1** to enable the service.
|
||||
|
||||
If you wish to disable, at any time, switch the same setting to **0** to disable. The default is **0**.
|
||||
|
||||
>[!Note]
|
||||
>Data collected from a device, before it was enrolled into the data processor service for Windows, will not be moved into the enterprise compliance boundary.
|
||||
|
||||
## Managing data processor service for Windows
|
||||
### Executing user-based data subject requests (DSRs)
|
||||
To perform user-based DSRs, the data processor service for Windows requires your organization to be reflected in Azure AD.
|
||||
|
||||
If your environment is cloud-only and managed in Azure, or all your devices are Azure AD joined - you don’t need to take any further action.
|
||||
|
||||
If your environment uses on-premises Active Directory to manage identities - Azure AD Connect synchronization is required, and your environment needs to be configured for hybrid Azure AD join.
|
||||
To learn more, visit [How To: Plan your hybrid Azure Active Directory join implementation](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan) and [Azure AD Connect sync: Understand and customize synchronization](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis).
|
||||
|
||||
Once you have Azure AD join or hybrid Azure AD join in place, you can learn more about executing user-based DSRs, by visiting this [page](https://review.docs.microsoft.com/microsoft-365/compliance/gdpr-dsr-windows?branch=siosulli-wps&view=o365-worldwide).
|
||||
|
||||
## Geo-location
|
||||
Windows Diagnostic Data collected through the data processor service for Windows is hosted in our datacenter in the United States.
|
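Review bot: the link under "Executing user-based data subject requests (DSRs)" points at review.docs.microsoft.com with a `?branch=siosulli-wps` query, which is an internal review build that readers of the published page cannot open; replace it with the public docs.microsoft.com URL once that page is live. Two smaller points: the second line of the first note ("more about the program and agree to the terms of use, see ...") is missing its leading `>` and only stays inside the [!NOTE] block by lazy continuation, and the Deployment section says "Windows 10, version 1809 or Windows Server 2019 and newer" while "Versions supported" lists only Windows 10, version 1809 and newer; the two statements should agree.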
@ -24,9 +24,9 @@ ms.reviewer:
|
||||
- Certificate trust
|
||||
|
||||
|
||||
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
|
||||
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps.
|
||||
|
||||
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\<drive>:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
|
||||
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\<drive>:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
|
||||
|
||||
## Discovering schema role
|
||||
|
||||
|
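Review bot: "needs the Windows Server 2016 Active Directory or later schema" reads as if "or later" qualifies Active Directory rather than the schema; "needs the Windows Server 2016 or later Active Directory schema" (the wording this same change uses in the certificate-trust prerequisites link further down) is clearer. The same construction appears in the hybrid requirements hunk below ("require the Windows Server 2016 Active Directory or later schema") and in the on-premises key-trust hunk, so all three should be aligned on the clearer form.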
@ -57,12 +57,12 @@ To do this, follow the **Configure device settings** steps under [Setting up Azu
|
||||
|
||||
Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema
|
||||
|
||||
### Upgrading Active Directory to the Windows Server 2016 Schema
|
||||
### Upgrading Active Directory to the Windows Server 2016 or later Schema
|
||||
|
||||
To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016.
|
||||
To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later.
|
||||
|
||||
> [!IMPORTANT]
|
||||
> If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section).
|
||||
> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section).
|
||||
|
||||
#### Identify the schema role domain controller
|
||||
|
||||
@ -78,7 +78,7 @@ The command should return the name of the domain controller where you need to ru
|
||||
|
||||
Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory.
|
||||
|
||||
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\<drive>:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
|
||||
Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\<drive>:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role.
|
||||
|
||||
Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials.
|
||||
|
||||
|
@ -39,7 +39,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire
|
||||
|
||||
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription.
|
||||
|
||||
Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema.
|
||||
Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory or later schema.
|
||||
|
||||
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
|
||||
|
||||
@ -49,7 +49,7 @@ Review these requirements and those from the Windows Hello for Business planning
|
||||
> * Active Directory Domain Functional Level
|
||||
> * Active Directory Forest Functional Level
|
||||
> * Domain Controller version
|
||||
> * Windows Server 2016 Schema
|
||||
> * Windows Server 2016 or later Schema
|
||||
> * Azure Active Directory subscription
|
||||
> * Correct subscription for desired features and outcomes
|
||||
|
||||
|
@ -52,7 +52,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
|
||||
| Key trust</br>Group Policy managed | Certificate trust</br>Mixed managed | Key trust</br>Modern managed | Certificate trust</br>Modern managed |
|
||||
| --- | --- | --- | --- |
|
||||
| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**<br> *Minimum:* Windows 10, version 1703<br> *Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).</br>**Azure AD Joined:**<br> Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later |
|
||||
| Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema | Windows Server 2016 Schema |
|
||||
| Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema |
|
||||
| Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level |
|
||||
| Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers |
|
||||
| Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority |
|
||||
|
@ -30,7 +30,7 @@ Key trust deployments need an adequate number of 2016 or later domain controller
|
||||
> [!NOTE]
|
||||
>There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue.
|
||||
|
||||
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
|
||||
The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
|
||||
|
||||
## Create the Windows Hello for Business Users Security Global Group
|
||||
|
||||
|
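Review bot: the second sentence still says "when the first Windows Server 2016 domain controller is added to the forest" although the first sentence now says "2016 or later", and the parallel sentence earlier in this change was updated to "when the first Windows Server 2016 or later domain controller is added to the forest"; apply the same update here so the two files stay in step.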
@ -88,7 +88,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
|
||||
|
||||
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
|
||||
|
||||
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
|
||||
The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller.
|
||||
|
||||
> [!NOTE]
|
||||
> RDP does not support authentication with Windows Hello for Business key trust deployments. RDP is only supported with certificate trust deployments at this time.
|
||||
|
@ -63,7 +63,8 @@ The following list provides examples of specific events that will cause BitLocke
|
||||
- Using a different keyboard that does not correctly enter the PIN or whose keyboard map does not match the keyboard map assumed by the pre-boot environment. This can prevent the entry of enhanced PINs.
|
||||
- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
|
||||
|
||||
>**Note:** Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
|
||||
> [!NOTE]
|
||||
> Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
|
||||
|
||||
- Moving the BitLocker-protected drive into a new computer.
|
||||
- Upgrading the motherboard to a new one with a new TPM.
|
||||
@ -72,18 +73,21 @@ The following list provides examples of specific events that will cause BitLocke
|
||||
- Having a BIOS, UEFI firmware, or an option ROM component that is not compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
|
||||
- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
|
||||
|
||||
>**Note:** The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
|
||||
> [!NOTE]
|
||||
> The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
|
||||
|
||||
- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
|
||||
- Pressing the F8 or F10 key during the boot process.
|
||||
- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
|
||||
- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
|
||||
|
||||
>**Note:** Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.
|
||||
> [!NOTE]
|
||||
> Before you begin recovery, we recommend that you determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if you determine that an attacker has modified your computer by obtaining physical access, you can create new security policies for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker will reseal the encryption key to the current values of the measured components.
|
||||
|
||||
For planned scenarios, such as a known hardware or firmware upgrades, you can avoid initiating recovery by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
|
||||
|
||||
>**Note:** If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
|
||||
> [!NOTE]
|
||||
> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
|
||||
|
||||
If software maintenance requires the computer be restarted and you are using two-factor authentication, you can enable BitLocker Network Unlock to provide the secondary authentication factor when the computers do not have an on-premises user to provide the additional authentication method.
|
||||
|
||||
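Review bot: the converted note "If suspended BitLocker will automatically resume protection ..." needs a comma after "suspended" (as written it parses as "suspended BitLocker"); since the line is being rewritten anyway, "manage-bde command line tool" should also become "manage-bde command-line tool".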
@ -106,7 +110,8 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
|
||||
2. At the command prompt, type the following command and then press ENTER:
|
||||
`manage-bde. -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`
|
||||
|
||||
> **Note:** Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
|
||||
> [!NOTE]
|
||||
> Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
|
||||
|
||||
## <a href="" id="bkmk-planningrecovery"></a>Planning your recovery process
|
||||
|
||||
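Review bot: the command in step 2, `manage-bde. -ComputerName <RemoteComputerName> -forcerecovery <BitLockerVolume>`, has a stray period after `manage-bde`, so it fails if copied verbatim; it is unchanged context here, but the note directly below it is being rewritten, so drop the period in the same edit.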
@ -142,7 +147,8 @@ If the user does not have a recovery password in a printout or on a USB flash dr
|
||||
In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS). Select the **Do not enable BitLocker until recovery information is stored in AD
|
||||
DS** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
|
||||
|
||||
>**Note:** If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.
|
||||
> [!NOTE]
|
||||
> If the PCs are part of a workgroup, users should be advised to save their BitLocker recovery password with their Microsoft Account online. Having an online copy of your BitLocker recovery password is recommended to help ensure that you do not lose access to your data in the event that recovery is required.
|
||||
|
||||
The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
|
||||
|
||||
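Review bot: the bold setting name **Do not enable BitLocker until recovery information is stored in AD DS** is split across two source lines ("... stored in AD" / "DS** check box ..."); CommonMark renders the soft break inside the emphasis as a space, but the split is fragile for localization and for any tooling that matches the setting name. Join it on one line while this section is being edited.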
@ -182,7 +188,8 @@ Before you give the user the recovery password, you should gather any informatio
|
||||
|
||||
Because the recovery password is 48 digits long the user may need to record the password by writing it down or typing it on a different computer. If you are using MBAM, the recovery password will be regenerated after it is recovered from the MBAM database to avoid the security risks associated with an uncontrolled password.
|
||||
|
||||
>**Note:** Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
|
||||
> [!NOTE]
|
||||
> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
|
||||
|
||||
### <a href="" id="bkmk-planningpostrecovery"></a>Post-recovery analysis
|
||||
|
||||
@ -217,7 +224,8 @@ After you have identified what caused recovery, you can reset BitLocker protecti
|
||||
|
||||
The details of this reset can vary according to the root cause of the recovery. If you cannot determine the root cause, or if malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
|
||||
|
||||
>**Note:** You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
|
||||
> [!NOTE]
|
||||
> You can perform a BitLocker validation profile reset by suspending and resuming BitLocker.
|
||||
|
||||
- [Unknown PIN](#bkmk-unknownpin)
|
||||
- [Lost startup key](#bkmk-loststartup)
|
||||
@ -253,6 +261,153 @@ This error might occur if you updated the firmware. As a best practice you shoul

Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair is not able to be run automatically from the PC and instead Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker–protected drives.


## BitLocker recovery screen

During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.

### Custom recovery message

BitLocker Group Policy settings in Windows 10, version 1511, let you confiure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.

This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.

It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
*<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>*



Example of customized recovery screen:




### BitLocker recovery key hints

BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume’s recovery key. Hints are displayed on the recovery screen and refer to the location where key has been saved. Hints are displayed in both the modern (blue) and legacy (black) recovery screen. This applies to both the bootmanager recovery screen and the WinRE unlock screen.



> [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.


There are rules governing which hint is shown during the recovery (in order of processing):

1. Always display custom recovery message if it has been configured (using GPO or MDM).
2. Always display generic hint: "For more information, go to https://aka.ms/recoverykeyfaq."
3. If multiple recovery keys exist on the volume, prioritize the last created (and successfully backed up) recovery key.
4. Prioritize keys with successful backup over keys that have never been backed up.
5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Azure AD > Active Directory**.
6. If a key has been printed and saved to file, display a combined hint, “Look for a printout or a text file with the key,” instead of two separate hints.
7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed up date.
8. There is no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, “Contact your organization’s help desk,” will be displayed.
9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system will ask for a key that has been backed up, even if another key is newer.


#### Example 1 (single recovery key with single backup)

| Custom URL | Yes |
|----------------------|------------|
| Saved to Microsoft Account | Yes |
| Saved to Azure AD | No |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |

**Result:** The hint for the Microsoft Account and custom URL are displayed.



#### Example 2 (single recovery key with single backup)

| Custom URL | Yes |
|----------------------|------------|
| Saved to Microsoft Account | No |
| Saved to Azure AD | No |
| Saved to Active Directory | Yes |
| Printed | No |
| Saved to file | No |

**Result:** Only the custom URL is displayed.



#### Example 3 (single recovery key with multiple backups)

| Custom URL | No |
|----------------------|------------|
| Saved to Microsoft Account | Yes |
| Saved to Azure AD | Yes |
| Saved to Active Directory | No |
| Printed | Yes |
| Saved to file | Yes |

**Result:** Only the Microsoft Account hint is displayed.



#### Example 4 (multiple recovery passwords)

| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Azure AD | No |
| Saved to Acive Directory | No |
| Printed | No |
| Saved to file | Yes |
| Creation time | **1PM** |
| Key ID | A564F193 |




| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Azure AD | No |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
| Creation time | **3PM** |
| Key ID | T4521ER5 |

**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.




#### Example 5 (multiple recovery passwords)

| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | Yes |
| Saved to Azure AD | Yes |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
| Creation time | **1PM** |
| Key ID | 99631A34 |




| Custom URL | No |
|----------------------|-----------------|
| Saved to Microsoft Account | No |
| Saved to Azure AD | Yes |
| Saved to Active Directory | No |
| Printed | No |
| Saved to file | No |
| Creation time | **3PM** |
| Key ID | 9DF70931 |

**Result:** The hint for the most recent key is displayed.




## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information

Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
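
Review bot: several wording and table defects in the new "BitLocker recovery screen" section. "confiure" in the Custom recovery message paragraph should be "configure"; "Saved to Acive Directory" in the first Example 4 table should be "Active Directory"; and rule 7's "(remove vs. local)" should read "(remote vs. local)", since the rule contrasts remote backups with local ones. Every example table also uses its first data row (`| Custom URL | Yes |`) as the markdown header row, so that setting renders as a column heading; add a real header such as `| Setting | Value |` above the `|---|---|` separator. The second key ID in Example 4, `T4521ER5`, contains non-hexadecimal characters, unlike the other sample IDs, so it reads as an unfinished placeholder. Finally, the PCR[7] sentence in the leading paragraph lacks a main clause ("devices that include firmware to support specific TPM measurements for PCR[7] the TPM can validate..."); "on devices whose firmware supports specific TPM measurements for PCR[7], the TPM can validate..." reads cleanly.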
@ -261,7 +416,8 @@ Besides the 48-digit BitLocker recovery password, other types of recovery inform

If the recovery methods discussed earlier in this document do not unlock the volume, you can use the BitLocker Repair tool to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. You can then use this recovered data to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. We recommend that you still save the recovery password. A key package cannot be used without the corresponding recovery password.

>**Note:** You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.
> [!NOTE]
> You must use the BitLocker Repair tool **repair-bde** to use the BitLocker key package.

The BitLocker key package is not saved by default. To save the package along with the recovery password in AD DS you must select the **Backup recovery password and key package** option in the Group Policy settings that control the recovery method. You can also export the key package from a working volume. For more details on how to export key packages, see [Retrieving the BitLocker Key Package](#bkmk-appendixc).

@ -299,7 +455,8 @@ You can reset the recovery password in two ways:
```powershell
Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
```
>**Warning:** You must include the braces in the ID string.
> [!WARNING]
> You must include the braces in the ID string.

**To run the sample recovery password script**

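
Review bot: the `Manage-bde –protectors –adbackup C: -id {...}` command in the powershell block uses typographic en dashes (–) in front of `protectors` and `adbackup` rather than ASCII hyphens, so the command fails when copied from the page and run; change them to `-protectors -adbackup` to match the `-id` switch on the same line. The [!WARNING] conversion itself is fine.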
@ -308,9 +465,11 @@ You can reset the recovery password in two ways:

**cscript ResetPassword.vbs**

> **Important:** This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.
>
> **Note:** To manage a remote computer, you can specify the remote computer name rather than the local computer name.
> [!IMPORTANT]
> This sample script is configured to work only for the C volume. You must customize the script to match the volume where you want to test password reset.

> [!NOTE]
> To manage a remote computer, you can specify the remote computer name rather than the local computer name.

You can use the following sample script to create a VBScript file to reset the recovery passwords.

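
Review bot: `**cscript ResetPassword.vbs**` is a command readers will copy, so it belongs in inline code or a fenced block rather than bold text, consistent with the powershell fence used for `Manage-bde` in the previous hunk. Splitting the combined alert into separate [!IMPORTANT] and [!NOTE] blocks is the right call; the two statements are independent.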
@ -33,11 +33,12 @@
#### [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
#### [Dashboard insights](microsoft-defender-atp/tvm-dashboard-insights.md)
#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
#### [Configuration score](microsoft-defender-atp/configuration-score.md)
#### [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
#### [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
#### [Remediation and exception](microsoft-defender-atp/tvm-remediation.md)
#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
#### [Event timeline](microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md)
#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)

### [Attack surface reduction]()
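
Review bot: the TOC entry for `microsoft-defender-atp/configuration-score.md` is dropped in favor of `tvm-microsoft-secure-score-devices.md`, but nothing in this change shows a redirect for the old path; confirm one is added so existing bookmarks and inbound links to configuration-score.md do not 404.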
@ -218,6 +219,7 @@
##### [Configure and validate exclusions](microsoft-defender-atp/mac-exclusions.md)
##### [Set preferences](microsoft-defender-atp/mac-preferences.md)
##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/mac-pua.md)
##### [Schedule scans](microsoft-defender-atp/mac-schedule-scan-atp.md)

#### [Troubleshoot]()
##### [Troubleshoot installation issues](microsoft-defender-atp/mac-support-install.md)
@ -441,7 +443,11 @@

#### [Rules]()
##### [Manage suppression rules](microsoft-defender-atp/manage-suppression-rules.md)
##### [Manage indicators](microsoft-defender-atp/manage-indicators.md)
##### [Create indicators](microsoft-defender-atp/manage-indicators.md)
###### [Create indicators for files](microsoft-defender-atp/indicator-file.md)
###### [Create indicators for IPs and URLs/domains](microsoft-defender-atp/indicator-ip-domain.md)
###### [Create indicators for certificates](microsoft-defender-atp/indicator-certificates.md)
###### [Manage indicators](microsoft-defender-atp/indicator-manage.md)
##### [Manage automation file uploads](microsoft-defender-atp/manage-automation-file-uploads.md)
##### [Manage automation folder exclusions](microsoft-defender-atp/manage-automation-folder-exclusions.md)

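
Review bot: the new hierarchy nests "Manage indicators" (indicator-manage.md) under "Create indicators", while the "Create indicators" parent still points at manage-indicators.md; that leaves two TOC titles differing only in verb, with the management page a child of the creation page. Either make "Manage indicators" a sibling of "Create indicators" under Rules, or retitle the parent to something like "Indicators" that covers both.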
@ -1,7 +1,7 @@
---
title: Threat Protection (Windows 10)
description: Learn how Microsoft Defender ATP helps protect against threats.
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, configuration score, advanced hunting, cyber threat hunting, web threat protection
keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -54,7 +54,7 @@ This built-in capability uses a game-changing risk-based approach to the discove
- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md)
- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
- [Configuration score](microsoft-defender-atp/configuration-score.md)
- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md)
- [Remediation](microsoft-defender-atp/tvm-remediation.md)
- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
@ -111,12 +111,11 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft

<a name="ss"></a>

**[Configuration Score](microsoft-defender-atp/configuration-score.md)**<br>
>[!NOTE]
> Secure score is now part of [Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) as [Configuration score](microsoft-defender-atp/configuration-score.md).
**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**<br>

Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
- [Configuration score](microsoft-defender-atp/configuration-score.md)
Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.

- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)
- [Threat analytics](microsoft-defender-atp/threat-analytics.md)

<a name="mte"></a>
@ -54,7 +54,7 @@ Because your protection is a cloud service, computers must have access to the in
| :--: | :-- | :-- |
| Microsoft Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Microsoft Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
| Microsoft Update Service (MU) <br/> Windows Update Service (WU)| Security intelligence and product updates |`*.update.microsoft.com` <br/> `*.delivery.mp.microsoft.com`<br/> `*.windowsupdate.com` <br/> for details see [Connection endpoints for Windows Update](https://docs.microsoft.com/windows/privacy/manage-windows-1709-endpoints#windows-update)|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Microsoft Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com` </br> `*.download.windowsupdate.com`</br> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/> `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |
| Symbol Store|Used by Microsoft Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
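
Review bot: the updated ADL row uses `</br>` as the line separator while every other row in the table uses `<br/>`; `</br>` is a stray closing tag, so change both occurrences to `<br/>` for consistent rendering. Also, the row's description column still only explains the out-of-date fallback, but the row now also lists the `fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx` web service endpoint; since administrators use this table to build proxy allow lists, a few words on when that endpoint is contacted would help them scope the rule.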
@ -121,6 +121,6 @@ You will also see a detection under **Quarantined threats** in the **Scan histor

- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)

- [Run an Microsoft Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
- [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)

- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)
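
Review bot: the removed bullet read "Run an Microsoft Defender Antivirus scan", where "an" should have been "a"; the replacement "Command line arguments" bullet avoids the issue, and since both links in the old bullet pointed at the same page, collapsing them into one entry is correct.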
@ -32,8 +32,8 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender

| |Advantage |Why it matters |
|--|--|--|
|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Windows Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
|2|Threat analytics and your configuration score |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [configuration score](../microsoft-defender-atp/configuration-score.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). |
|2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. |
|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).|
|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).|
|5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).|
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---

# DeviceTvmSecureConfigurationAssessment
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---

# DeviceTvmSecureConfigurationAssessmentKB
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---

# DeviceTvmSoftwareInventoryVulnerabilities
@ -15,7 +15,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/12/2019
---

# DeviceTvmSoftwareVulnerabilitiesKB
@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
As Microsoft Defender ATP for Android is deployed via managed Google Play,
updates to the app are automatic via Google Play.

Currently only Work Profile, Fully Managed devices are supported for deployment.
Currently only Work Profile enrolled devices are supported for deployment.


>[!NOTE]
@ -265,7 +265,7 @@ assignment.
## Complete onboarding and check status

1. Confirm the installation status of Microsoft Defender ATP for Android by
clicking on the **Device Install Status**. Verif that the device is
clicking on the **Device Install Status**. Verify that the device is
displayed here.

@ -39,7 +39,15 @@ Ensure that you have the right RBAC permissions to configure your Threat & Vulne
>- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).

## Related topics
- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)

- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
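
Review bot: the retained "Configure data access for Threat & Vulnerability Management roles" entry links to an absolute docs.microsoft.com URL while every other bullet in the rebuilt list uses a relative path within the same folder; pointing it at `user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group` keeps the list consistent and lets the build catch a broken anchor.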
@ -83,7 +83,7 @@ Perform the following steps to onboard Windows servers through Microsoft Defende
> [!TIP]
> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md).

#### Configure and update System Center Endpoint Protection clients
### Configure and update System Center Endpoint Protection clients

Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware.

@ -93,7 +93,7 @@ The following steps are required to enable this integration:
- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting.


#### Turn on Server monitoring from the Microsoft Defender Security Center portal
### Turn on Server monitoring from the Microsoft Defender Security Center portal

1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**.

@ -103,7 +103,7 @@ The following steps are required to enable this integration:

<span id="server-mma"/>

#### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP
### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP

1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603).

@ -118,12 +118,11 @@ Once completed, you should see onboarded Windows servers in the portal within an

<span id="server-proxy"/>

#### Configure Windows server proxy and Internet connectivity settings
### Configure Windows server proxy and Internet connectivity settings

- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the <a href="https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway" data-raw-source="[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)">OMS Gateway</a>.
- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server).


### Option 2: Onboard Windows servers through Azure Security Center
1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**.

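
Review bot: the OMS Gateway link in the first proxy bullet is still a raw `<a href=... data-raw-source=...>` element left over from conversion; since this hunk already touches the section heading, replace it with the plain markdown `[OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway)` that the `data-raw-source` attribute itself records, matching the second bullet's link style.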
@ -134,7 +133,7 @@ Once completed, you should see onboarded Windows servers in the portal within an
4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp).

### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later
You can onboard Windows Server 2012 R2 and Windows Server 2016 using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).
You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection).

## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition
You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods:
@ -191,11 +190,10 @@ The following capabilities are included in this integration:
- Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach.

> [!IMPORTANT]
> - When you use Azure Security Center to monitor Windows servers, a Microsoft Defender ATP tenant is automatically created. The Microsoft Defender ATP data is stored in Europe by default.
> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time.
> - When you use Azure Security Center to monitor Windows servers, a Microsoft Defender ATP tenant is automatically created and the Microsoft Defender ATP data is stored in Europe by default. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers.


## Offboard Windows servers
You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices.

@ -0,0 +1,72 @@
---
title: Create indicators based on certificates
ms.reviewer:
description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities.
keywords: ioc, certificate, certificates, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Create indicators based on certificates (preview)

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)


>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)

You can create indicators for certificates. Some common use cases include:

- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list.
- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Windows Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same.


### Before you begin

It's important to understand the following requirements prior to creating indicators for certificates:

- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later.
- The virus and threat protection definitions must be up-to-date.
- This feature currently supports entering .CER or .PEM file extensions.

>[!IMPORTANT]
> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
>- Microsoft signed certificates cannot be blocked.

#### Create an indicator for certificates from the settings page:

>[!IMPORTANT]
> It can take up to 3 hours to create and remove a certificate IoC.

1. In the navigation pane, select **Settings** > **Indicators**.

2. Select the **Certificate** tab.

3. Select **Add indicator**.

4. Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group.

5. Review the details in the Summary tab, then click **Save**.

## Related topics
- [Create indicators](manage-indicators.md)
- [Create indicators for files](indicator-file.md)
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Manage indicators](indicator-manage.md)
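Review bot: the prerequisites say the feature accepts .CER or .PEM files, but none of steps 1-5 says where that file is supplied; step 4's "Indicator - Specify the entity details" should state that this is where the .CER/.PEM certificate is uploaded, since the IMPORTANT block above it makes the leaf-certificate requirement depend on what is uploaded. Smaller points: the IMPORTANT list mixes `> - ` and `>- ` prefixes, the `####` step heading ends with a stray colon, and the second use case says "Windows Defender AV" while the rest of this change uses the Microsoft Defender naming.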
@ -0,0 +1,79 @@
---
title: Create indicators for files
ms.reviewer:
description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities.
keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Create indicators for files

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)


>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)

You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.

There are two ways you can create indicators for files:
- By creating an indicator through the settings page
- By creating a contextual indicator using the add indicator button from the file details page

### Before you begin
It's important to understand the following prerequisites prior to creating indicators for files:

- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
- The Antimalware client version must be 4.18.1901.x or later.
- Supported on machines on Windows 10, version 1703 or later.
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.

>[!IMPORTANT]
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.


>[!NOTE]
>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.

### Create an indicator for files from the settings page

1. In the navigation pane, select **Settings** > **Indicators**.

2. Select the **File hash** tab.

3. Select **Add indicator**.

4. Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group.

5. Review the details in the Summary tab, then click **Save**.

### Create a contextual indicator from the file details page
One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file.

When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a machine in your organization attempts to run it.

Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.


## Related topics
- [Create indicators](manage-indicators.md)
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Create indicators based on certificates](indicator-certificates.md)
- [Manage indicators](indicator-manage.md)
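Review bot: the first IMPORTANT bullet ("The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action") is hard to act on and lacks a terminating period; say what the reader should expect, for example that an indicator does not override a verdict the client has already cached for that file, and how that interacts with the "up to 30 minutes" enforcement note below it. The intro also says a block prevents the file from being "read, written, or executed" while the prerequisite says the feature "is designed to prevent suspected malware ... from being downloaded from the web"; reconcile which behaviour the indicator actually enforces.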
@ -0,0 +1,75 @@
---
title: Create indicators for IPs and URLs/domains
ms.reviewer:
description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities.
keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Create indicators for IPs and URLs/domains

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)


>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)


Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.

The threat intelligence data set for this has been managed by Microsoft.

By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by machine groups if you deem certain groups to be more or less at risk than others.

### Before you begin
It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
- The Antimalware client version must be 4.18.1906.x or later.
- Supported on machines on Windows 10, version 1709 or later.
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).


>[!IMPORTANT]
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
> NOTE:
>- IP is supported for all three protocols
>- Encrypted URLs (full path) can only be blocked on first party browsers
>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs

>[!NOTE]
>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.

### Create an indicator for IPs, URLs, or domains from the settings page

1. In the navigation pane, select **Settings** > **Indicators**.

2. Select the **IP addresses or URLs/Domains** tab.

3. Select **Add indicator**.

4. Specify the following details:
- Indicator - Specify the entity details and define the expiration of the indicator.
- Action - Specify the action to be taken and provide a description.
- Scope - Define the scope of the machine group.

5. Review the details in the Summary tab, then click **Save**.

## Related topics
- [Create indicators](manage-indicators.md)
- [Create indicators for files](indicator-file.md)
- [Create indicators based on certificates](indicator-certificates.md)
- [Manage indicators](indicator-manage.md)
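Review bot: "IPS" in the "Before you begin" intro should be "IPs", and "Encrypted URLS (FQDN only)" should be "URLs"; "first party" as a modifier should be hyphenated. Inside the `[!IMPORTANT]` block, the trailing `<br>` and the bare `> NOTE:` line are unusual; ending the sentence with the colon and letting the `>- ` list follow renders the same without them. The "Only external IPs" line also deserves a short reason or a pointer, since a reader who tries to add an internal address will get no feedback from the text about why it is rejected.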
@ -0,0 +1,70 @@
---
title: Manage indicators
ms.reviewer:
description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---

# Manage indicators

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)


>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink)


1. In the navigation pane, select **Settings** > **Indicators**.

2. Select the tab of the entity type you'd like to manage.

3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.

## Import a list of IoCs

You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.

Download the sample CSV to know the supported column attributes.

1. In the navigation pane, select **Settings** > **Indicators**.

2. Select the tab of the entity type you'd like to import indicators for.

3. Select **Import** > **Choose file**.

4. Select **Import**. Do this for all the files you'd like to import.

5. Select **Done**.

The following table shows the supported parameters.

Parameter | Type | Description
:---|:---|:---
indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
title | String | Indicator alert title. **Required**
description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional**
rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**

## Related topics
- [Create indicators](manage-indicators.md)
- [Create indicators for files](indicator-file.md)
- [Create indicators for IPs and URLs/domains](indicator-ip-domain.md)
- [Create indicators based on certificates](indicator-certificates.md)
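Review bot: the import table's `indicatorType` values are only "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url", yet this same change adds certificate indicators (indicator-certificates.md); state whether certificate IoCs can be imported by CSV and, if not, say so in the "Import a list of IoCs" intro. The `expirationTime` format "YYYY-MM-DDTHH:MM:SS.0Z" uses MM for both month and minutes; give a literal example value instead. "Download the sample CSV" has no link, and step 3's "Choose file" is where the reader would expect to find it.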
@ -0,0 +1,78 @@
---
title: How to schedule scans with MDATP for macOS
description: Learn how to schedule an automatic scanning time for Microsoft Defender ATP in macOS to better protect your organization's assets.
keywords: microsoft, defender, atp, mac, scans, antivirus
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---

# Schedule scans with Microsoft Defender ATP for Mac

While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. Create a scanning schedule using launchd on a macOS computer.

## Schedule a scan with launchd

1. Create a new .xml file. Use the following example to create your scanning schedule file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.microsoft.wdav.schedquickscan</string>
<key>ProgramArguments</key>
<array>
<string>sh</string>
<string>-c<string>
<string>/usr/local/bin/mdatp --scan --quick<string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartCalendarInterval</key><dict>
<key>Day</key>
<integer>3</integer>
<key>Hour</key>
<integer>2</integer>
<key>Minute</key>
<integer>0</integer>
<key>Weekday</key>
<integer>5</integer>
</dict>
<key>StartInterval</key>
<integer>604800</integer>
<key>WorkingDirectory</key>
<string>/usr/local/bin/</string>
</dict>
</plist>
```

2. Save the file as a program configuration file (.plist) with the name com.microsoft.wdav.schedquickscan.plist.

>[!NOTE]
>To change a quick scan to a full scan, use /usr/local/bin/mdatp --scan –full in the array string and update your .plist filename.

3. Search for, and then open **Terminal**.
4. To load your file into **launchd**, enter the following commands:

```bash
`$ launchctl load /Library/LaunchDaemons/<your file name.plist>`
`$ launchctl start <your file name>`
```

5. Your scheduled scan runs at the date, time, and frequency you defined in your .plist file. In the example, the scan runs at 2:00 AM every 7 days on a Friday, with the StartInterval using 604800 seconds for one week.

> [!NOTE]
> Agents executed with launchd will not run at the scheduled time if the computer is asleep, but will run once the computer is awake. If the computer is off, the scan will not run until the computer is on at the next scheduled time.
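Review bot: in the `ProgramArguments` array, `<string>-c<string>` and `<string>/usr/local/bin/mdatp --scan --quick<string>` open a second `<string>` element instead of closing the first, so the plist is malformed XML and launchctl will refuse to load it; both need `</string>`. Three smaller points in the same hunk: the note under step 2 writes `--scan –full` with an en dash where two hyphens are needed; the two commands in the ```bash block are wrapped in backticks, which render literally inside a fence; and `StartCalendarInterval` sets both `Day` (3, the day of the month) and `Weekday` (5, Friday), so the calendar trigger only fires when the 3rd falls on a Friday rather than "every 7 days on a Friday" as step 5 claims, while `StartInterval` 604800 fires weekly from load time regardless of the calendar. Dropping `Day`, and either `StartInterval` or `StartCalendarInterval`, gives the schedule the text describes.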
@ -1,5 +1,5 @@
---
title: Manage indicators
title: Create indicators
ms.reviewer:
description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities.
keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain
@ -18,7 +18,7 @@ ms.collection: M365-security-compliance
ms.topic: article
---

# Manage indicators
# Create indicators

**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
@ -49,188 +49,17 @@ The current supported actions are:
|
||||
|
||||
|
||||
You can create an indicator for:
|
||||
- Files
|
||||
- IP addresses
|
||||
- URLs/domains
|
||||
- [Files](indicator-file.md)
|
||||
- [IP addresses, URLs/domains](indicator-ip-domain.md)
|
||||
- [Certificates (preview)](indicator-certificates.md)
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>There is a limit of 15,000 indicators per tenant.
|
||||
|
||||
|
||||

|
||||
## Related topics
|
||||
|
||||
|
||||
## Create indicators for files
|
||||
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
|
||||
|
||||
There are two ways you can create indicators for files:
|
||||
- By creating an indicator through the settings page
|
||||
- By creating a contextual indicator using the add indicator button from the file details page
|
||||
|
||||
### Before you begin
|
||||
It's important to understand the following prerequisites prior to creating indicators for files:
|
||||
|
||||
- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
|
||||
- The Antimalware client version must be 4.18.1901.x or later.
|
||||
- Supported on devices on Windows 10, version 1703 or later.
|
||||
- To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
|
||||
- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
|
||||
>- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
|
||||
|
||||
|
||||
>[!NOTE]
|
||||
>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes.
|
||||
|
||||
### Create an indicator for files from the settings page
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Indicators**.
|
||||
|
||||
2. Select the **File hash** tab.
|
||||
|
||||
3. Select **Add indicator**.
|
||||
|
||||
4. Specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the device group according to your [user permissions](machine-groups.md).
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
### Create a contextual indicator from the file details page
|
||||
One of the options when taking [response actions on a file](respond-file-alerts.md) is adding an indicator for the file.
|
||||
|
||||
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
|
||||
|
||||
Files automatically blocked by an indicator won't show up in the file's Action center, but the alerts will still be visible in the Alerts queue.
|
||||
|
||||
## Create indicators for IPs and URLs/domains
|
||||
Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser.
|
||||
|
||||
The threat intelligence data set for this has been managed by Microsoft.
|
||||
|
||||
By creating indicators for IPs and URLs or domains, you can now allow or block IPs, URLs, or domains based on your own threat intelligence. You can do this through the settings page or by device groups if you deem certain groups to be more or less at risk than others.
|
||||
|
||||
### Before you begin
|
||||
It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains:
|
||||
- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md).
|
||||
- The Antimalware client version must be 4.18.1906.x or later.
|
||||
- Supported on devices on Windows 10, version 1709 or later.
|
||||
- Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md).
|
||||
|
||||
|
||||
>[!IMPORTANT]
|
||||
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
|
||||
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
|
||||
> NOTE:
|
||||
>- IP is supported for all three protocols
|
||||
>- Encrypted URLs (full path) can only be blocked on first party browsers
|
||||
>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
|
||||
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
|
||||
|
||||
>[!NOTE]
|
||||
>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
|
||||
|
||||
### Create an indicator for IPs, URLs, or domains from the settings page
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Indicators**.
|
||||
|
||||
2. Select the **IP addresses or URLs/Domains** tab.
|
||||
|
||||
3. Select **Add indicator**.
|
||||
|
||||
4. Specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the device group.
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
## Create indicators for certificates
|
||||
|
||||
You can create indicators for certificates. Some common use cases include:
|
||||
|
||||
- Scenarios when you need to deploy blocking technologies, such as [attack surface reduction rules](attack-surface-reduction.md) and [controlled folder access](controlled-folders.md) but need to allow behaviors from signed applications by adding the certificate in the allow list.
|
||||
- Blocking the use of a specific signed application across your organization. By creating an indicator to block the certificate of the application, Microsoft Defender AV will prevent file executions (block and remediate) and the Automated Investigation and Remediation behave the same.
|
||||
|
||||
|
||||
### Before you begin
|
||||
|
||||
It's important to understand the following requirements prior to creating indicators for certificates:
|
||||
|
||||
- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
|
||||
- The Antimalware client version must be 4.18.1901.x or later.
|
||||
- Supported on devices on Windows 10, version 1703 or later.
|
||||
- The virus and threat protection definitions must be up-to-date.
|
||||
- This feature currently supports entering .CER or .PEM file extensions.
|
||||
|
||||
>[!IMPORTANT]
|
||||
> - A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it’s trusted by the client (Root CA certificate is installed under the Local Machine 'Trusted Root Certification Authorities').
|
||||
>- The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality – only leaf certificates are supported.
|
||||
>- Microsoft signed certificates cannot be blocked.
|
||||
|
||||
#### Create an indicator for certificates from the settings page:
|
||||
|
||||
>[!IMPORTANT]
|
||||
> It can take up to 3 hours to create and remove a certificate IoC.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Indicators**.
|
||||
|
||||
2. Select the **Certificate** tab.
|
||||
|
||||
3. Select **Add indicator**.
|
||||
|
||||
4. Specify the following details:
|
||||
- Indicator - Specify the entity details and define the expiration of the indicator.
|
||||
- Action - Specify the action to be taken and provide a description.
|
||||
- Scope - Define the scope of the device group.
|
||||
|
||||
5. Review the details in the Summary tab, then click **Save**.
|
||||
|
||||
|
||||
## Manage indicators
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Indicators**.
|
||||
|
||||
2. Select the tab of the entity type you'd like to manage.
|
||||
|
||||
3. Update the details of the indicator and click **Save** or click the **Delete** button if you'd like to remove the entity from the list.
|
||||
|
||||
## Import a list of IoCs
|
||||
|
||||
You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
|
||||
|
||||
Download the sample CSV to know the supported column attributes.
|
||||
|
||||
1. In the navigation pane, select **Settings** > **Indicators**.
|
||||
|
||||
2. Select the tab of the entity type you'd like to import indicators for.
|
||||
|
||||
3. Select **Import** > **Choose file**.
|
||||
|
||||
4. Select **Import**. Do this for all the files you'd like to import.
|
||||
|
||||
5. Select **Done**.
|
||||
|
||||
The following table shows the supported parameters.
|
||||
|
||||
Parameter | Type | Description
|
||||
:---|:---|:---
|
||||
indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required**
indicatorValue | String | Identity of the [Indicator](ti-indicator.md) entity. **Required**
action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required**
title | String | Indicator alert title. **Required**
description | String | Description of the indicator. **Required**
expirationTime | DateTimeOffset | The expiration time of the indicator in the following format YYYY-MM-DDTHH:MM:SS.0Z. **Optional**
severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional**
recommendedActions | String | TI indicator alert recommended actions. **Optional**
rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional**
## Related topic
- [Create contextual IoC](respond-file-alerts.md#add-indicator-to-block-or-allow-a-file)
- [Use the Microsoft Defender ATP indicators API](ti-indicator.md)
- [Use partner integrated solutions](partner-applications.md)
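Review bot: the `indicatorType` row of the import table lists only "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url", yet the section immediately above documents certificate indicators and the import steps say to pick "the tab of the entity type you'd like to import indicators for"; a reader on the Certificate tab has no supported value. Either state that certificate indicators cannot be imported from CSV or extend the enum. Two smaller points in the same table: in the `action` row "if the indicator will be discovered" should read "if the indicator is discovered", and "## Related topic" introduces three links, so "Related topics".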
@ -102,11 +102,9 @@ In conjunction with being able to quickly respond to advanced attacks, Microsoft
<a name="ss"></a>
**[Configuration score](configuration-score.md)**<br>
> [!NOTE]
> Secure score is now part of [Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) as [Configuration score](configuration-score.md).
**[Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)**<br>
Microsoft Defender ATP includes a configuration score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
Microsoft Defender ATP includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
<a name="mte"></a>
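Review bot: deleting the `> [!NOTE]` that said "Secure score is now part of Threat & Vulnerability Management as Configuration score" leaves readers who know either of the two earlier names with no pointer to "Microsoft Secure Score for Devices". Rather than dropping the note, replace its body with one line that records the rename (Secure score, then Configuration score, now Microsoft Secure Score for Devices). The `<a name="ss"></a>` anchor above the heading is kept, which is right, since existing deep links to `#ss` will keep working.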
@ -110,11 +110,12 @@ See the following topics for related APIs:
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -57,7 +57,7 @@ Area | Description
**Advanced hunting** | Advanced hunting allows you to proactively hunt and investigate across your organization using a powerful search and query tool.
**Reports** | View graphs detailing threat protection, device health and compliance, web protection, and vulnerability.
**Partners & APIs** | View supported partner connections, which enhance the detection, investigation, and threat intelligence capabilities of the platform. You can also view connected applications, the API explorer, API usage overview, and data export settings.
**Threat & Vulnerability management** | View your configuration score, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
**Threat & Vulnerability management** | View your Microsoft Secure Score for Devices, exposure score, exposed devices, vulnerable software, and take action on top security recommendations.
**Evaluation and tutorials** | Manage test devices, attack simulations, and reports. Learn and experience the Microsoft Defender ATP capabilities through a guided walk-through in a trial environment.
**Service health** | Provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues.
**Configuration management** | Displays on-boarded devices, your organizations' security baseline, predictive analysis, web protection coverage, and allows you to perform attack surface management on your devices.
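Review bot: the rewritten row keeps "**Threat & Vulnerability management**" with a lower-case "management", while every other occurrence in this change (including the new Event timeline file) writes "Threat & Vulnerability Management"; since the row is being edited anyway, fix the capitalization here. In the unchanged **Configuration management** row just below, "your organizations' security baseline" should be "your organization's security baseline".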
@ -35,7 +35,7 @@ Method |Return Type |Description
## Properties
Property | Type | Description
Property | Type | Description
:---|:---|:---
id | String | Recommendation ID
productName | String | Related software name
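Review bot: the removed and added `Property | Type | Description` lines are identical as rendered, so this hunk is a whitespace-only change to the table header; if it is a deliberate trailing-space or line-ending fix, say so in the commit message, otherwise drop the churn so the diff stays focused on the rename.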
@ -43,15 +43,15 @@ recommendationName | String | Recommendation name
Weaknesses | Long | Number of discovered vulnerabilities
Vendor | String | Related vendor name
recommendedVersion | String | Recommended version
recommendationCategory | String | Recommendation category. Possible values are: “Accounts”, “Application”, “Network”, “OS”, “SecurityStack
recommendationCategory | String | Recommendation category. Possible values are: "Accounts", "Application", "Network", "OS", "SecurityStack
subCategory | String | Recommendation sub-category
severityScore | Double | Potential impact of the configuration to the organization’s configuration score (1-10)
severityScore | Double | Potential impact of the configuration to the organization's Microsoft Secure Score for Devices (1-10)
publicExploit | Boolean | Public exploit is available
activeAlert | Boolean | Active alert is associated with this recommendation
associatedThreats | String collection | Threat analytics report is associated with this recommendation
remediationType | String | Remediation type. Possible values are: “ConfigurationChange”,“Update”,“Upgrade”,”Uninstall”
Status | Enum | Recommendation exception status. Possible values are: “Active” and “Exception”
configScoreImpact | Double | Configuration score impact
remediationType | String | Remediation type. Possible values are: "ConfigurationChange","Update","Upgrade","Uninstall"
Status | Enum | Recommendation exception status. Possible values are: "Active" and "Exception"
configScoreImpact | Double | Microsoft Secure Score for Devices impact
exposureImpacte | Double | Exposure score impact
totalMachineCount | Long | Number of installed devices
exposedMachinesCount | Long | Number of installed devices that are exposed to vulnerabilities
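Review bot: the rewritten `recommendationCategory` row still ends in the unterminated `"SecurityStack` (no closing quote), so swapping curly quotes for straight ones left the one real error in that row in place; close the quote while you are here. Two other defects sit in visible, untouched lines: `exposureImpacte` looks like a typo for `exposureImpact` (compare `configScoreImpact` on the line above it), and `Weaknesses`, `Vendor` and `Status` break the camelCase used by every other property in the table; if those are the API's real property names, add a note saying so, otherwise lower-case them.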
@ -41,28 +41,30 @@ The threat analytics dashboard is a great jump off point for getting to the repo

Select a threat on any of the overviews or on the table to view the report for that threat.
Select a threat from any of the overviews or from the table to view the report for that threat.
## View a threat analytics report
Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides worldwide impact information, mitigation recommendations, and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.
Each threat report generally provides an overview of the threat and an analysis of the techniques and tools used by the threat. It also provides mitigation recommendations and detection information. It includes several cards that show dynamic data about how your organization is impacted by the threat and how prepared it is to stop the threat.

### Organizational impact
Each report includes cards designed to provide information about the organizational impact of a threat:
- **Devices with alerts** — shows the current number of distinct devices in your organization that have been impacted by the threat. A device is categorized as **Active** if there is at least 1 alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
- **Devices with alerts** — shows the current number of distinct devices that have been impacted by the threat. A device is categorized as **Active** if there is at least one alert associated with that threat and **Resolved** if *all* alerts associated with the threat on the device have been resolved.
- **Devices with alerts over time** — shows the number of distinct devices with **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
### Organizational resilience
Each report also includes cards that provide an overview of how resilient your organization can be against a given threat:
- **Mitigation status** — shows the number of devices that have and have not applied mitigations for the threat. Devices are considered mitigated if they have all the measurable mitigations in place.
- **Security configuration status** — shows the number of devices that have applied the recommended security settings that can help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
- **Vulnerability patching status** — shows the number of devices that have applied security updates or patches that address vulnerabilities exploited by the threat.
- **Mitigation recommendations** — lists specific actionable recommendations to improve your visibility into the threat and increase your organizational resilience. This card lists only measurable mitigations along with the number of devices that don't have these mitigations in place.
- **Mitigation details** — lists specific actionable recommendations that can help you increase your organizational resilience. This card lists tracked mitigations, including recommended settings and vulnerability patches, along with the number of devices that don't have the mitigations in place.
>[!IMPORTANT]
>- Charts only reflect mitigations that are measurable, meaning an evaluation can be made on whether a device has applied the mitigations or not. Check the report overview for additional mitigations that are not reflected in the charts.
>- Even if all mitigations were measurable, they don't guarantee complete resilience. They reflect the best possible actions needed to improve resiliency.
### Additional report details and limitations
When using the reports, keep the following in mind:
>[!NOTE]
>Devices are counted as "unavailable" if they have been unable to transmit data to the service.
- Data is scoped based on your RBAC permissions. You will only see the status of devices that you have been granted access to on the RBAC.
- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not reflected in the charts.
- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
- Devices are counted as "unavailable" if they have been unable to transmit data to the service.
- Antivirus related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
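Review bot: the new `>[!NOTE]` ("Devices are counted as "unavailable" if they have been unable to transmit data to the service.") repeats, word for word, the bullet added a few lines below it; keep one of the two, and if the note stays, move it after the bullet list so the callout does not split "keep the following in mind:" from its list. A second point: the hunk drops the IMPORTANT box that defined "measurable" ("an evaluation can be made on whether a device has applied the mitigations or not") and switches the cards and the remaining bullet to "tracked" without defining that term; add the definition to the "Charts reflect only mitigations that are tracked" bullet so readers know why a device can be mitigated in practice yet show as not mitigated in the charts.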
@ -0,0 +1,135 @@
---
title: Event timeline
description: Event timeline is a "risk news feed" which will help you interpret how risk is introduced into the organization and which mitigations happened to reduce it.
keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: ellevin
author: levinec
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Event timeline
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
[!include[Prerelease information](../../includes/prerelease.md)]
Event timeline is a risk news feed which helps you interpret how risk, through new vulnerabilities or exploits, is introduced into the organization. You can view events which may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was addd to an exploit kit, and more.
Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md).
## Navigate to the Event timeline page
You can access Event timeline mainly through three ways:
- In the Threat & Vulnerability Management navigation menu in the Microsoft Defender Security Center
- Top events card in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most machines or critical vulnerabilities)
- Hovering over the Exposure Score graph in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
### Navigation menu
Go to the Threat & Vulnerability Management navigation menu and select **Event timeline** to view impactful events.
### Top events card
In the Threat & Vulnerability Management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page.

### Exposure score graph
In the Threat & Vulnerability Management dashboard, hover over the Exposure score graph to view top events from that day that impacted your machines. If there are no events, then none will be shown.

Selecting **Show all events from this day** will lead you to the Event timeline page with a pre-populated custom date range for that day.

Select **Custom range** to change the date range to another custom one, or a pre-set time range.

## Event timeline overview
On the Event timeline page, you can view the all the necesssary info related to an event.
Features:
- Customize columns
- Filter by event type or percent of impacted machines
- View 30, 50, or 100 items per page
The two large numbers at the top of the page show the number of new vulnerabilities and exploitable vulnerabilities, not events. Some events can have multiple vulnerabilities, and some vulnerabilities can have multiple events.

### Columns
- **Date**: month, day, year
- **Event**: impactful event, including component, type, and number of impacted machines
- **Related component**: software
- **Originally impacted machines**: the number, and percentage, of impacted machines when this event originally occurred. You can also filter by the percent of originally impacted machines, out of your total number of machines.
- **Currently impacted machines**: the current number, and percentage, of machines that this event currently impacts. You can find this field by selecting **Customize columns**.
- **Types**: reflect time-stamped events that impact the score. They can be filtered.
- Exploit added to an exploit kit
- Exploit was verified
- New public exploit
- New vulnerability
- **Score trend**: exposure score trend
### Icons
The following icons show up next to events:
-  New public exploit
-  New vulnerability was published
-  Exploit found in exploit kit
-  Exploit verified
### Drill down to a specific event
Once you select an event, a flyout will appear listing the details and current CVEs that affect your machines. You can show more CVEs or view the related recommendation.
The arrow below "score trend" helps you determine whether this event potentially raised or lowered your organizational exposure score. Higher exposure score means machines are more vulnerable to exploitation.

From there, select **Go to related security recommendation** to go to the [security recommendations page](tvm-security-recommendation.md) and the recommendation that will address the new software vulnerability. After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md).
## View Event timelines in software pages
To open a software page, select an event > select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout. [Learn more about software pages](tvm-software-inventory.md#software-pages)
A full page will appear with all the details of a specific software, including an event timeline tab. From there you can view all the events related to that software, along with security recommendations, discovered vulnerabilities, installed machines, and version distribution.

## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)
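Review bot: the new file ships with several typos in its body text: "exploit that was addd to an exploit kit" should be "an exploit that was added to an exploit kit", "Reduce you exposure score" should be "Reduce your exposure score", and "view the all the necesssary info related to an event" should be "view all the necessary information related to an event". The "Related topics" list at the end also links to the page itself ("[Event timeline](threat-and-vuln-mgt-event-timeline.md)"); drop the self-link. Finally, the intro sentence "You can access Event timeline mainly through three ways" reads better as "You can access Event timeline in three ways".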
@ -1,7 +1,7 @@
---
title: Threat & Vulnerability Management scenarios
description: Learn how Threat & Vulnerability Management can be used to help security admins, IT admins, and SecOps collaborate in defending against security threats.
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase configuration score, increase threat & vulnerability configuration score, configuration score, exposure score, security controls
keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
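Review bot: the find-and-replace in `keywords:` produced "increase threat & vulnerability Microsoft Secure Score for Devices" and lists "Microsoft Secure Score for Devices" three times in one field; keep a single "Microsoft Secure Score for Devices" entry and drop the two mechanical variants, since the field feeds search rather than prose.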
@ -56,11 +56,12 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
@ -319,7 +319,7 @@ The steps below provide guidance for the following scenario:
- In this scenario, the SENSE service will not start automatically even though onboarding package was deployed
> [!NOTE]
> The following steps are only relevant when using Microsoft Endpoint Configuration Manager
> The following steps are only relevant when using Microsoft Endpoint Configuration Manager. For more details about onboarding using Microsoft Endpoint Configuration Manager, see [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection).
1. Create an application in Microsoft Endpoint Configuration Manager.
@ -445,4 +445,3 @@ The steps below provide guidance for the following scenario:
- [Troubleshoot Microsoft Defender ATP](troubleshoot-mdatp.md)
- [Onboard devices](onboard-configure.md)
- [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md)
@ -1,7 +1,7 @@
---
title: Threat & Vulnerability Management dashboard insights
description: The Threat & Vulnerability Management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience.
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -32,13 +32,13 @@ Threat & Vulnerability Management is a component of Microsoft Defender ATP, and
You can use the Threat & Vulnerability Management capability in [Microsoft Defender Security Center](https://securitycenter.windows.com/) to:
- View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices
- View exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices
- Correlate EDR insights with endpoint vulnerabilities and process them
- Select remediation options, triage and track the remediation tasks
- Select exception options and track active exceptions
> [!NOTE]
> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and configuration score.
> Devices that are not active in the last 30 days are not factored in on the data that reflects your organization's Threat & Vulnerability Management exposure score and Microsoft Secure Score for Devices.
Watch this video for a quick overview of what is in the Threat & Vulnerability Management dashboard.
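Review bot: "View exposure and Microsoft Secure Score for Devices side-by-side" loses the noun that "exposure" used to share with "configuration scores"; write "View exposure score and Microsoft Secure Score for Devices side-by-side", which is the phrasing the rewritten `> [!NOTE]` further down in this same hunk already uses.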
@ -46,15 +46,7 @@ Watch this video for a quick overview of what is in the Threat & Vulnerability M
## Threat & Vulnerability Management in Microsoft Defender Security Center
When you open the portal, you'll see the main areas of the capability:
- (1) Menu to open the navigation pane
- (2) Threat & Vulnerability Management navigation pane
- (3) Threat & Vulnerability Management dashboard



You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section.
@ -62,7 +54,7 @@ You can navigate through the portal using the menu options available in all sect
Area | Description
:---|:---
**Dashboard** | Get a high-level view of the organization exposure score, organization configuration score, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed devices data.
**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data.
[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you have enabled your Intune connections in Microsoft Defender ATP.
[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions.
[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page which shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs or security updates.
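Review bot: the unchanged **Security recommendations** row directly under the rewritten **Dashboard** row links to `tvm-remediation.md`, the same target as the **Remediation** row below it; it should point at `tvm-security-recommendation.md`, which this change already links from the related-topics lists. In the same row, "number or exposed devices" should read "number of exposed devices".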
@ -74,7 +66,7 @@ Area | Description
:---|:---
**Selected device groups (#/#)** | Filter the Threat & Vulnerability Management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the Threat & Vulnerability management pages.
[**Exposure score**](tvm-exposure-score.md) | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, likelihood of your devices to be breached, value of the devices to your organization, and relevant alerts discovered with your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations.
[**Configuration score**](configuration-score.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the **Security recommendation** page.
[**Microsoft Secure Score for Devices**](tvm-microsoft-secure-score-devices.md) | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your score for devices. Selecting the bars will take you to the **Security recommendation** page.
**Device exposure distribution** | See how many devices are exposed based on their exposure level. Select a section in the doughnut chart to go to the **Devices list** page and view the affected device names, exposure level, risk level, and other details such as domain, operating system platform, its health state, when it was last seen, and its tags.
**Top security recommendations** | See the collated security recommendations which are sorted and prioritized based on your organization's risk exposure and the urgency that it requires. Select **Show more** to see the rest of the security recommendations in the list or **Show exceptions** for the list of recommendations that have an exception.
**Top vulnerable software** | Get real-time visibility into your organization's software inventory with a stack-ranked list of vulnerable software installed on your network's devices and how they impact your organizational exposure score. Select an item for details or **Show more** to see the rest of the vulnerable software list in the **Software inventory** page.
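Review bot: "to increase your score for devices" in the rewritten **Microsoft Secure Score for Devices** row is ambiguous now that the row itself is named after the score; say "to increase your Microsoft Secure Score for Devices" or simply "to increase this score". In the unchanged **Exposure score** row above it, "likelihood of your devices to be breached" should be "likelihood of your devices being breached".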
@ -88,11 +80,12 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -22,8 +22,14 @@ ms.topic: conceptual
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
|
||||
|
||||
Your Exposure score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. It reflects how vulnerable your organization is to cybersecurity threats. Low exposure score means your devices are less vulnerable from exploitation.
|
||||
|
||||
- Quickly understand and identify high-level takeaways about the state of security in your organization.
|
||||
- Detect and respond to areas that require investigation or action to improve the current state.
|
||||
- Communicate with peers and management about the impact of security efforts.
|
||||
|
||||
The card gives you a high-level view of your exposure score trend over time. Any spikes in the chart gives you a visual indication of a high cybersecurity threat exposure that you can investigate further.
|
||||
|
||||

|
||||
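Review bot: two grammar slips in the added exposure score text: "Low exposure score means your devices are less vulnerable from exploitation" should read "A low exposure score means your devices are less vulnerable to exploitation", and "Any spikes in the chart gives you" should be "Any spike in the chart gives you". The blockquote line `>Want to experience Microsoft Defender ATP? ...` has no `> [!TIP]` marker on the line above it in this hunk; unless the marker is already in the surrounding context, add it so the line renders as a tip callout rather than a plain quote, as it does on the security recommendations page. "Your Exposure score" and "exposure score" are also capitalized inconsistently within the same paragraph.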
@ -56,11 +62,12 @@ Lower your threat and vulnerability exposure by remediating [security recommenda
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -1,7 +1,7 @@
---
title: Overview of Configuration score in Microsoft Defender Security Center
description: Your configuration score shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
keywords: configuration score, mdatp configuration score, secure score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center
description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls
keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, security controls, improvement opportunities, security configuration score over time, security posture, baseline
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
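Review bot: the new description drops the product name ("Your score for devices shows ..."); "Your Microsoft Secure Score for Devices shows ..." is clearer and matches the new title. Because the other pages in this change now link to tvm-microsoft-secure-score-devices.md instead of configuration-score.md, confirm that a redirect from configuration-score.md is in place so existing links and bookmarks keep resolving.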
@ -16,16 +16,16 @@ audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
---
# Configuration score
# Microsoft Secure Score for Devices

**Applies to:**

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

>[!NOTE]
> Secure score is now part of Threat & Vulnerability Management as Configuration score.
> Configuration score is now part of Threat & Vulnerability Management as Microsoft Secure Score for Devices.

Your Configuration score is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher configuration score means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:
Your score for devices is visible in the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) of the Microsoft Defender Security Center. A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. It reflects the collective security configuration state of your devices across the following categories:

- Application
- Operating system
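Review bot: "Your score for devices is visible in ..." loses the product name; use "Your Microsoft Secure Score for Devices is visible in ...". In the same paragraph, "more resilient from cybersecurity threat attacks" should be "more resilient to cyberattacks".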
@ -38,9 +38,9 @@ Select a category to go to the [**Security recommendations**](tvm-security-recom
## How it works

>[!NOTE]
> Configuration score currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.
> Microsoft Secure Score for Devices currently supports configurations set via Group Policy. Due to the current partial Intune support, configurations which might have been set through Intune might show up as misconfigured. Contact your IT Administrator to verify the actual configuration status in case your organization is using Intune for secure configuration management.

The data in the configuration score card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:
The data in the Microsoft Secure Score for Devices card is the product of meticulous and ongoing vulnerability discovery process aggregated with configuration discovery assessments that continuously:

- Compare collected configurations to the collected benchmarks to discover misconfigured assets
- Map configurations to vulnerabilities that can be remediated or partially remediated (risk reduction)
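Review bot: the renamed sentence is missing an article: "the product of meticulous and ongoing vulnerability discovery process" should be "the product of a meticulous and ongoing vulnerability discovery process". The NOTE says Intune-set configurations may show up as misconfigured; it would help readers if it said plainly that such items can be false positives that should be verified against the Intune policy before being treated as findings, since the current wording only says to contact the IT administrator.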
@ -49,9 +49,9 @@ The data in the configuration score card is the product of meticulous and ongoin

## Improve your security configuration

You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Configuration score improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.
You can improve your security configuration when you remediate issues from the security recommendations list. As you do so, your Microsoft Secure Score for Devices improves, which means your organization becomes more resilient against cybersecurity threats and vulnerabilities.

1. From the Configuration score card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.
1. From the Microsoft Secure Score for Devices card in the Threat & Vulnerability Management dashboard, select the one of the categories to view the list of recommendations related to that category. It will take you to the [**Security recommendations**](tvm-security-recommendation.md) page. If you want to see all security recommendations, once you get to the Security recommendations page, clear the search field.

2. Select an item on the list. The flyout panel will open with details related to the recommendation. Select **Remediation options**.
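Review bot: step 1 carries over a typo from the old line: "select the one of the categories" should be "select one of the categories". The last two sentences of that step could also be tightened to "To see all security recommendations, clear the search field on that page."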
@ -67,7 +67,7 @@ You can improve your security configuration when you remediate issues from the s

6. Send a follow-up email to your IT Administrator and allow the time that you have allotted for the remediation to propagate in the system.

7. Review the **Configuration score** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your configuration score should increase.
7. Review the **Microsoft Secure Score for Devices** card again on the dashboard. The number of security controls recommendations will decrease. When you select **Security controls** to go back to the **Security recommendations** page, the item that you have addressed will not be listed there anymore, and your Microsoft Secure Score for Devices should increase.

>[!IMPORTANT]
>To boost your vulnerability assessment detection rates, download the following mandatory security updates and deploy them in your network:
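Review bot: in step 7, "The number of security controls recommendations will decrease" should be "The number of security control recommendations will decrease"; the rest of the renamed step reads fine.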
@ -56,7 +56,7 @@ Once you are in the Remediation page, select the remediation activity that you w

## Exceptions

When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [configuration score](configuration-score.md).
When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md).

The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status.
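Review bot: number agreement in the renamed line: "to exclude certain recommendation from showing up" should be "to exclude certain recommendations from showing up".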
@ -77,11 +77,11 @@ The following statuses will be a part of an exception:

### Exception impact on scores

Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Configuration Score (for configurations) of your organization in the following manner:
Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner:

- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores
- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores.
- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control.
- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Configuration Score results out of the exception option that you made
- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made.

The exception impact shows on both the Security recommendations page column and in the flyout pane.
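Review bot: the old intro qualified both scores ("Exposure Score (for both types of weaknesses) and Configuration Score (for configurations)"), but the new line keeps only the first qualifier; keep them parallel, for example "Microsoft Secure Score for Devices (for configurations)", so readers can still tell which score each exception type affects. Two wording fixes in the bullets while they are being touched: "which can be reverse through filters" should be "reversed", and "results out of the exception option that you made" reads better as "results for the exception option you chose".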
@ -99,10 +99,11 @@ Select **Show exceptions** at the bottom of the **Top security recommendations**
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -22,8 +22,7 @@ ms.topic: conceptual

- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)

> [!TIP]
> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)

[!include[Prerelease information](../../includes/prerelease.md)]
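Review bot: the only text change in this hunk removes the space after `>` in the tip sentence, but the `> [!TIP]` marker directly above it keeps its space, so the two lines of one callout now use different styles; keep `> Want to experience ...` to match the marker line, or change both lines together.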
@ -59,7 +58,7 @@ Go to the Threat & Vulnerability Management navigation menu and select **Securit

### Top security recommendations in the Threat & Vulnerability Management dashboard

In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [configuration score](configuration-score.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's security configuration to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.
In a given day as a Security Administrator, you can take a look at the [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) to see your [exposure score](tvm-exposure-score.md) side-by-side with your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). The goal is to **lower** your organization's exposure from vulnerabilities, and **increase** your organization's device security to be more resilient against cybersecurity threat attacks. The top security recommendations list can help you achieve that goal.

![Top security recommendations card](images/tvm_security_recommendations.png)
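Review bot: in the renamed paragraph, "In a given day" should be "On a given day", "exposure from vulnerabilities" should be "exposure to vulnerabilities", and "more resilient against cybersecurity threat attacks" reads better as "more resilient to cyberattacks".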
@ -67,7 +66,7 @@ The top security recommendations lists the improvement opportunities prioritized

## Security recommendations overview

View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure and configuration scores, and associated tags.
View recommendations, the number of weaknesses found, related components, threat insights, number of exposed devices, status, remediation type, remediation activities, impact to your exposure score and Microsoft Secure Score for Devices, and associated tags.

The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green.
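Review bot: in the paragraph on the Exposed devices graph, "the color changes into red" and "will change into green" should be "the graph turns red" and "turns green"; the renamed sentence above it is fine.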
@ -80,7 +79,7 @@ Useful icons also quickly calls your attention to:
- ![arrow hitting a target](images/tvm_alert_icon.png) associated public exploits
- ![red bug](images/tvm_bug_icon.png) recommendation insights

### Investigate
### Explore security recommendation options

Select the security recommendation that you want to investigate or process.
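Review bot: the context text in the hunk header, "Useful icons also quickly calls your attention to", has a subject-verb mismatch; "call" is correct because the subject is "icons". Since the heading is renamed to "Explore security recommendation options" and a separate "Investigate changes ..." section is added just below, consider whether the intro sentence "Select the security recommendation that you want to investigate or process" should drop "investigate" to avoid pointing readers at the wrong section.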
@ -97,6 +96,14 @@ From the flyout, you can do any of the following:
>[!NOTE]
>When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.

### Investigate changes in machine exposure or impact

If there is a large jump in the number of exposed machines, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating.

1. Select the recommendation and **Open software page**
2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md)
3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request

## Request remediation

The Threat & Vulnerability Management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune.
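Review bot: the newly added section says "exposure score and configuration score", but this same change renames that score to Microsoft Secure Score for Devices everywhere else; update the new text too. The heading and first sentence use "machines" ("changes in machine exposure", "number of exposed machines") while the note above it and the rest of the page say "devices"; standardize on "devices". In step 3, "the increase or your organization's exposure" should be "the increase in your organization's exposure", and steps 1 and 3 lack the terminal period that step 2 has.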
@ -128,8 +135,6 @@ As an alternative to a remediation request, you can create exceptions for recomm

There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons.

Exceptions can be created for both Security update and Configuration change recommendations.

When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list.

1. Select a security recommendation you would like create an exception for, and then **Exception options**.
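Review bot: "provides as much protection than the recommendation would" should be "as much protection as the recommendation would", and "you would like create an exception for" is missing "to". The "For example" sentence is a run-on list of noun phrases with no main verb; it reads better as a short bullet list of reasons (a business justification, a compensating or alternative control, a false positive).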
@ -205,10 +210,11 @@ After you have identified which software and software versions are vulnerable du
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -48,7 +48,13 @@ Select the software that you want to investigate and a flyout panel opens up wit

## Software pages

Once you are in the Software inventory page and have opened the flyout panel by selecting a software to investigate, select **Open software page** (see image in the previous section). A full page will appear with all the details of a specific software and the following information:
You can view software pages a few different ways:

- Software inventory page > Select a software name > Select **Open software page** in the flyout
- [Security recommendations page](tvm-security-recommendation.md) > Select a recommendation > Select **Open software page** in the flyout
- [Event timeline page](threat-and-vuln-mgt-event-timeline.md) > Select an event > Select the hyperlinked software name (like Visual Studio 2017) in the section called "Related component" in the flyout

A full page will appear with all the details of a specific software and the following information:

- Side panel with vendor information, prevalence of the software in the organization (including number of devices it is installed on, and exposed devices that are not patched), whether and exploit is available, and impact to your exposure score
- Data visualizations showing the number of, and severity of, vulnerabilities and misconfigurations. Also, graphs of the number of exposed devices
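Review bot: "whether and exploit is available" should be "whether an exploit is available". "Select a software name" and "a specific software" treat "software" as a count noun; "an application" or "a software product" reads correctly. "the number of, and severity of, vulnerabilities" is simpler as "the number and severity of vulnerabilities".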
@ -80,10 +86,11 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -1,7 +1,7 @@
---
title: Threat & Vulnerability Management supported operating systems and platforms
description: Before you begin, ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your all devices are properly accounted for.
keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, configuration score, exposure score
keywords: threat & vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score
search.appverid: met150
search.product: eADQiWindows 10XVcnh
ms.prod: w10
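Review bot: the description line retained as context in this hunk reads "so the activities in your all devices are properly accounted for"; since the front matter is being edited anyway, fix it to "so that activity on all your devices is properly accounted for".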
@ -46,11 +46,12 @@ Some of the above prerequisites might be different from the [Minimum requirement
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
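Review bot: the final item in this list links to the absolute docs.microsoft.com URL for user-roles, whereas the related-topics lists on the remediation, security recommendation, software inventory and weaknesses pages in this change all use the relative `user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group`; use the relative form here for consistency.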
@ -127,10 +127,11 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Supported operating systems and platforms](tvm-supported-os.md)
- [Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md)
- [Exposure score](tvm-exposure-score.md)
- [Configuration score](configuration-score.md)
- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md)
- [Security recommendations](tvm-security-recommendation.md)
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Event timeline](threat-and-vuln-mgt-event-timeline.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
@ -39,5 +39,5 @@ Topic | Description
:---|:---
[Portal overview](portal-overview.md) | Understand the portal layout and area descriptions.
[View the Security operations dashboard](security-operations-dashboard.md) | The Microsoft Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the devices on your network, investigate devices, files, and URLs, and see snapshots of threats seen on devices.
[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
[View the Threat & Vulnerability Management dashboard](tvm-dashboard-insights.md) | The **Threat & Vulnerability Management dashboard** lets you view exposure and Microsoft Secure Score for Devices side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed devices.
[View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics.md) | The **Threat analytics** dashboard helps you continually assess and control risk exposure to threats. Use the charts to quickly identify devices for the presence or absence of mitigations.
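Review bot: "lets you view exposure and Microsoft Secure Score for Devices side-by-side" pairs a bare "exposure" with a full product name; write "lets you view your exposure score and Microsoft Secure Score for Devices side by side". In the same cell, "software vulnerability" should be plural, "software vulnerabilities".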
@ -33,27 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
<th align="left">Description</th>
</tr>
<tr>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen</td>
<td>At least Windows Server 2012, Windows 8 or Windows RT</td>
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td>Windows 10, version 1703</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><strong>Windows 10, version 1703</td>
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.</p><p><strong>Important:</strong> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
<td>Microsoft Edge on Windows 10 or later</td>
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.</td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.</td>
</tr>
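Review bot: the first row of the table is left with an unclosed cell: the added line `<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\...\Explorer\Configure Windows Defender SmartScreen<p>` ends with `<p>` and no `</td>`, and the hunk's line counts (27 old, 29 new) show that the following `<td><strong>Windows 10, version 1703:</strong>...</td>` line is retained context, so the result opens a second `<td>` inside the first. Merge the 2004, 1703 and 1607 paths into a single cell the way the Microsoft Edge rows in this same hunk do. The Configure App Install Control row has the same shape problem: the 2004 and 1703 paths are two separate `<td>...</td>` cells, and the supported-on cell `<td><strong>Windows 10, version 1703</td>` never closes its `<strong>`, which leaves that row with four cells under a three-column header.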
@ -22,7 +22,10 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10

Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting.

> [!NOTE]
> You may need to download the ADMX template for your version of Windows to enable this policy to be applied.

## Reference
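Review bot: the hunk header shows `ms.date: 04/19/2017` while this change adds a new NOTE about downloading the ADMX template; bump ms.date as part of the edit so the page's freshness stamp reflects the added guidance. In the note itself, "to enable this policy to be applied" reads more naturally as "before this policy can be applied".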