mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 10:53:43 +00:00
Merge remote-tracking branch 'refs/remotes/origin/rs2' into jdrs2apn
@ -46,7 +46,7 @@ Provisioning packages can be applied to a device during the first-run experience
### After setup, from a USB drive, network folder, or SharePoint site

On a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network forlder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.

![Add or remove a provisioning package](images/package.png)
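Review bot: the new line has a typo, "network forlder" should read "network folder", and "Insert the USB drive to a desktop computer" reads better as "Insert the USB drive into a desktop computer". Since the rewritten step now covers three sources (USB, network folder, SharePoint), consider splitting the network-folder/SharePoint case into its own sentence so the step reads as the heading promises.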
@ -42,9 +42,9 @@ To run the Upgrade Readiness deployment script:
3. By default, the script sends log information to both the console and the log file. To change the default behavior, use one of the following options:

> *logMode = 0 log to console only*
>
>
> *logMode = 1 log to file and console*
>
>
> *logMode = 2 log to file only*

3. To enable Internet Explorer data collection, set AllowIEData to IEDataOptIn. By default, AllowIEData is set to Disable. Then use one of the following options to determine what Internet Explorer data can be collected:
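Review bot: both steps in this hunk are numbered 3; the AllowIEData step should be 4 and the later steps shifted, otherwise the rendered list repeats a number. The logMode options would also be clearer as a code-formatted list than as three italic blockquote lines separated by empty `>` lines, for example `- logMode = 0: log to console only`.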
@ -57,7 +57,16 @@ To run the Upgrade Readiness deployment script:
>
> *IEOptInLevel = 3 Data collection is enabled for all sites*

4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
4. The latest version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**.

The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**.

This data gives us the ability to determine the status of your machines and to help troubleshoot issues. If you choose to opt-in to and send this data to Microsoft, you must also allow https traffic to be sent to the following wildcard endpoints:

\*vortex\*.data.microsoft.com<BR>
\*settings\*.data.microsoft.com

5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.

The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
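Review bot: the two endpoint lines use a raw `<BR>` tag; render them as a markdown list (`- \*vortex\*.data.microsoft.com`, `- \*settings\*.data.microsoft.com`) instead, which also keeps the wildcard escaping consistent on both lines. Since **AppInsightsOptIn** defaults to **true**, the new step 4 should state plainly that diagnostic data leaves the machine unless the admin edits RunConfig.bat before running it, and it should tell the reader that the log file itself is the record of what is sent so they can review it first. Minor: "opt-in to and send this data" should read "opt in to sending this data".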
@ -79,7 +79,7 @@ For Upgrade Readiness to receive and display upgrade readiness data from Microso
To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this.

Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account.
Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) to learn what you need to do to run it under the logged on user account.

| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
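Review bot: replacing the go.microsoft.com/fwlink redirect with the direct blogs.technet.microsoft.com URL trades a maintained redirect for a hard-coded blog address that breaks if the post moves; keep the fwlink unless the redirect itself is wrong. Minor: "logged on user account" should be hyphenated as "logged-on user account".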
@ -78,8 +78,6 @@ See [Windows 7, Windows 8, and Windows 8.1 appraiser telemetry events and fields
Before you get started configuring Upgrade Anatlyics, review the following tips and limitations about this release.

**User authenticated proxies are not supported in this release.** User computers communicate with Microsoft through Windows telemetry. The Windows telemetry client runs in System context and requires a connection to various Microsoft telemetry endpoints. User authenticated proxies are not supported at this time. Work with your Network Administrator to ensure that user computers can communicate with telemetry endpoints.

**Upgrade Readiness does not support on-premises Windows deployments.** Upgrade Readiness is built as a cloud service, which allows Upgrade Readiness to provide you with insights based on the data from user computers and other Microsoft compatibility services. Cloud services are easy to get up and running and are cost-effective because there is no requirement to physically implement and maintain services on-premises.

**In-region data storage requirements.** Windows telemetry data from user computers is encrypted, sent to, and processed at Microsoft-managed secure data centers located in the US. Our analysis of the upgrade readiness-related data is then provided to you through the Upgrade Readiness solution in the Microsoft Operations Management Suite (OMS) portal. At the time this topic is being published, only OMS workspaces created in the East US and West Europe are supported. We’re adding support for additional regions and we’ll update this information when new international regions are supported.
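Review bot: the context line "configuring Upgrade Anatlyics" has a typo, and since the rest of this topic calls the feature Upgrade Readiness it should read "configuring Upgrade Readiness". If the paragraph on user authenticated proxies is among the lines removed here, link this topic to the deployment-script Note that now points at the connectivity blog post, so the limitation stays discoverable from the tips page.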
@ -801,9 +801,10 @@
#### [Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
#### [Windows Defender Antivirus compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
#### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
#### [Windows Defender Antivirus on Windows Server](windows-defender-antivirus-on-windows-server-2016.md)
#### [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
#### [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
##### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
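Review bot: the TOC entries mix "Windows Defender AV" (the Security Center app entry) with "Windows Defender Antivirus" (every other entry); use one form so the rendered navigation is consistent. The renamed compatibility entry still points at defender-compatibility-windows-defender-advanced-threat-protection.md, which is fine, but confirm that file's own H1 was updated to the new "Windows Defender Antivirus compatibility" wording.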
@ -19,10 +19,14 @@ author: iaanw
- Windows 10

**Audience**

- Enterprise security administrators


You can use a dedicated command-line tool to perform various functions in Windows Defender Antivirus.

This utility can be handy when you want to automate the use of Windows Defender Antivirus.
This utility can be useful when you want to automate the use of Windows Defender Antivirus.

The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt.
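Review bot: the context line gives the path as `_%Program Files%\Windows Defender\MpCmdRun.exe_`, but `%Program Files%` is not a Windows environment variable; the variable is `%ProgramFiles%`, which is the form the on-demand scan topic in this same commit uses. Fix it here while the file is being touched.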
@ -1,5 +1,5 @@
---
title: Configure advanced scanning types for Windows Defender AV
title: Configure scanning options for Windows Defender AV
description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
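Review bot: `keywords:` lists "archive" twice; drop the duplicate. The title dropped "advanced scanning types", but the description still reads as if the topic covers only email, reparse point, network, and archive scanning, while the new settings table in this commit also covers removable drives, packed executables, CPU load, and archive depth and size; update the description to match.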
@ -12,7 +12,7 @@ localizationpriority: medium
author: iaanw
---

# Configure email, removable storage, network, reparse point, and archive scanning in Windows Defender AV
# Configure scanning options in Windows Defender AV


**Applies to**
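Review bot: the new H1 says "Configure scanning options in Windows Defender AV" while the front-matter title in the previous hunk says "Configure scanning options for Windows Defender AV"; pick one preposition so the page title and heading match.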
@ -25,147 +25,79 @@ author: iaanw
**Manageability available with**

- Group Policy
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- System Center Configuration Manager
- Microsoft Intune


To configure the Group Policy settings described in the following table:

Scan Turn on e-mail scanning
Scan Turn on reparse point scanning
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.

3. In the **Group Policy Management Editor** go to **Computer configuration**.

4. Click **Policies** then **Administrative templates**.

5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.

6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.

See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.

For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx).

Description | GP location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|---
See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. This a theoretical maximum - scans will not always use the maximum load defined here, but they will never exceed it | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies not limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available

**Use Configuration Manager to configure scanning options:**

See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch).


**Use Microsoft Intune to configure scanning options**



## Manage email scans in Windows Defender
See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Scan options](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#specify-scan-options-settings) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.

You can use Windows Defender to scan email files. Malware can install itself and hide in email files, and although real-time protection offers you the best protection from email malware, you can also scan emails stored on your PC or server with Windows Defender.
> **Important:** Mail scanning only applies to on-demand and scheduled scans, not on-access scans.

Windows Defender scans Microsoft Office Outlook 2003 and older email files. We identify the file type at run-time based on the content of the file, not on location or extension.
> **Note: ** Scanning email files might increase the time required to complete a scan.

Windows Defender can extract embedded objects within a file (attachments and archived files, for example) and scan internally.
> **Note:** While Windows Defender can be configured to scan email files, it can only remediate threats detected inside certain files, for example:
<a id="ref1"></a>
### Email scanning limitations
Enabling email scanning will cause Windows Defender AV to scan emails during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX
- MBX
- MIME

You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using real-time protection to protect against email malware.
>[!WARNING]
> Is this true - can it scan Outlook 2013/ 2016?
> "Windows Defender scans Microsoft Office Outlook 2003 and older email files."

You can configure Windows Defender to scan PST files used by Outlook 2003 or older versions (where the archive type is set to non-uni-code), but Windows Defender cannot remediate threats detected inside PST files. We recommend using [always-on real-time protection](configure-real-time-protection-windows-defender-antivirus.md) to protect against email-based malware.

If Windows Defender detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat:
- Email subject
- Attachment name
Email scanning in Windows Defender is turned off by default. There are three ways you can manage scans through Windows Defender:
- *Group Policy* settings
- WMI
- PowerShell
> **Important:** There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:

>[!WARNING]
>There are some risks associated with scanning some Microsoft Outlook files and email messages. You can read about tips and risks associated with scanning Outlook files and email messages in the following articles:
- [Scanning Outlook files in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-1)
- [Scanning email messages in Outlook 2013](https://technet.microsoft.com/library/dn769141.aspx#bkmk-2)

## Use *Group Policy* settings to enable email scans

This policy setting allows you to turn on email scanning. When email scanning is enabled, the engine will parse the mailbox and mail files to analyze the mail bodies and attachments.

Turn on email scanning with the following *Group Policy* settings:
1. Open the **Group Policy Editor**.
2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
3. Click **Scan**.
4. Double-click **Turn on e-mail scanning**.

This will open the **Turn on e-mail scanning** window:

![Turn on e-mail scanning window](images/defender-scanconfigurations.png)

5. Select **Enabled**.
6. Click **OK** to apply changes.

## Use WMI to disable email scans

You can write a WMI script or application to disable email scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).

Use the **DisableEmailScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
**DisableEmailScanning**
Data type: **boolean**
Access type: Read-only
Disable email scanning.

## Use PowerShell to enable email scans

You can also enable email scanning using the following PowerShell parameter:
1. Open PowerShell or PowerShellIntegrated Scripting Environment (ISE).
2. Type **Set-MpPreference -DisableEmailScanning $false**.

Read more about this in:
- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)

## Manage archive scans in Windows Defender

You can use Windows Defender to scan archive files. Malware can install itself and hide in archive files, and although real-time protection offers you the best protection from malware, you can also scan archives stored on your PC or server with Windows Defender.
> **Important:** Archive scanning only applies to on-demand and scheduled scans, not on-access scans.

Archive scanning in Windows Defender is turned on by default. There are four ways you can manage scans through Windows Defender:
- *Group Policy* settings
- WMI
- PowerShell
- Endpoint Protection
> **Note:** Scanning archive files might increase the time required to complete a scan.

If you exclude an archive file type by using the **Extensions** box, Windows Defender will not scan files with that extension (no matter what the content is), even when you have selected the **Scan archive files** check box. For example, if you exclude .rar files but there<72>s a .r00 file that<61>s actually .rar content, it will still be scanned if archive scanning is enabled.

## Use *Group Policy* settings to enable archive scans

This policy setting allows you to turn on archive scanning.

Turn on email scanning with the following *Group Policy* settings:
1. Open the **Group Policy Editor**.
2. In the **Local Computer Policy** tree, expand **Computer Configuration**, then **Administrative Templates**, then **Windows Components**, then **Windows Defender**.
3. Click **Scan**.
4. Double-click **Scan archive files**.

This will open the **Scan archive files** window:

![Scan archive files window](images/defender-scanconfigurations.png)

5. Select **Enabled**.
6. Click **OK** to apply changes.

There are a number of archive scan settings in the **Scan** repository you can configure through *Group Policy*, for example:
- Maximum directory depth level into which archive files are unpacked during scanning

![Specify the maximum depth to scan archive files window](images/defender-scanconfigurations.png)

- Maximum size of archive files that will be scanned

![Specify the maximum size of archive files to be scanned window](images/defender-scanconfigurations.png)

- Maximum percentage CPU utilization permitted during a scan

![Specify the maximum percentage of CPU utilization during a scan window](images/defender-scanconfigurations.png)

## Use WMI to disable archive scans

You can write a WMI script or application to disable archive scanning. Read more about [WMI in this article](https://msdn.microsoft.com/library/windows/desktop/dn439477.aspx), and read about [Windows Preference classes in this article](https://msdn.microsoft.com/library/windows/desktop/dn455323.aspx).

Use the **DisableArchiveScanning** property of the **MSFT\_MpPreference** class (part of the Windows DefenderWMI provider) to enable or disable this setting:
**DisableArchiveScanning**
Data type: **boolean**
Access type: Read-only
Disable archive scanning.

## Use PowerShell to enable archive scans

You can also enable archive scanning using the following PowerShell parameter:
1. Open PowerShell or PowerShellISE.
2. Type **Set-MpPreference -DisableArchiveScanning $false**.

Read more about this in:
- [Scripting with Windows PowerShell](https://technet.microsoft.com/library/bb978526.aspx)
- [Defender Cmdlets](https://technet.microsoft.com/library/dn433280.aspx)

## Use Endpoint Protection to configure archive scans

In Endpoint Protection, you can use the advanced scanning options to configure archive scanning. For more information, see [What are advanced scanning options?](https://technet.microsoft.com/library/ff823807.aspx)
## Related topics

- [Customize,<2C>initiate,<2C>and<6E>review<65>the<68>results<74>of<6F>Windows<77>Defender<65>AV<41>scans<6E>and<6E>remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
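Review bot: the reparse-point row of the new table maps "Scan > Turn on reparse point scanning" to `-DisableRestorePoint`, but that Set-MpPreference parameter governs the system restore point taken before remediation (the remediation topic in this same commit lists "Scan | Create a system restore point"), not reparse-point scanning; either mark the PowerShell/WMI column "Not available" for that row or cite the correct parameter, because an admin who follows the table will change the wrong setting. Other points in the same hunk: the Group Policy steps are numbered 1, 3, 4, 5, 6 with no step 2; the two bare lines "Scan Turn on e-mail scanning" and "Scan Turn on reparse point scanning" above step 1 look like leftover drafting and should not survive in the new version; "[Email scanning limitations](#ref1))" has an extra closing parenthesis; "precendence" should be "precedence", "This a theoretical maximum" needs "is", and "applies not limit" should be "applies no limit"; the `[!WARNING]` block that asks "Is this true - can it scan Outlook 2013/ 2016?" is an author's open question and must be resolved, not published; the first Related topics link text contains non-breaking spaces (shown here as `<2C>`, `<6E>` and similar) and should be retyped with plain spaces, as should the curly apostrophes in the archive-exclusion paragraph if that text is kept.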
@ -37,8 +37,8 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe
- Manual static proxy configuration:
- WinHTTP configured using netsh command
- Registry based configuration
- WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy)

## Configure the proxy server manually using a registry-based static proxy
Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report telemetry and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet.
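Review bot: the context sentence "if a computer is not be permitted to connect to the Internet" should read "is not permitted"; and "Registry based configuration" should be hyphenated ("Registry-based") to match the heading "Configure the proxy server manually using a registry-based static proxy" that follows. The qualifier added to the netsh bullet (stable topology only) is a useful addition; the registry bullet deserves the matching qualifier, since the next hunk's note directs laptops that change networks to that option.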
@ -61,7 +61,8 @@ The registry value `DisableEnterpriseAuthProxy` should be set to 1.
Use netsh to configure a system-wide static proxy.

> [!NOTE]
> This will affect all applications including Windows services which use WinHTTP with default proxy.
> - This will affect all applications including Windows services which use WinHTTP with default proxy.</br>
> - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration.

1. Open an elevated command-line:
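Review bot: `</br>` at the end of the first new bullet is not a valid tag (`<br>` or `<br />` would be), and inside a blockquoted list it is unnecessary because each `> -` item already starts a new line; drop it. "will malfunction with netsh" is vague: state what fails, namely that a netsh static proxy does not follow the device when it moves to another network, so the sensor cannot reach the Windows Defender ATP service from home.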
@ -15,3 +15,40 @@ author: iaanw
# Configure remediation for Windows Defender AV scans

**Applies to**
- Windows 10

**Audience**

- Enterprise security administrators

**Manageability available with**

- Group Policy
- System Center Configuration Manager
- PowerShell
- Windows Management Instrumentation (WMI)
- Microsoft Intune



Main | Allow antimalware service to startup with normal priority
Main | Allow antimalware service to remain running always
Scan | Create a system restore point

Main | Turn off routine remediation
Quarantine | Configure removal of items from Quarantine folder
Scan | Turn on removal of items from scan history folder





[Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed)

Threats | Specify threat alert levels at which default action should not be taken when detected
Threats | Specify threats upon which default action should not be taken when detected

https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings
https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-default-actions-settings
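Review bot: this new topic is an unfinished outline: the `Main | ...`, `Scan | ...`, `Quarantine | ...` and `Threats | ...` lines have no header row or `---|---` delimiter, so they will render as plain text rather than a table, and the two docs.microsoft.com URLs at the bottom are bare, unlinked notes. Either finish the topic (header row with location, setting, default and PowerShell parameter as in the scanning-options table, an introductory sentence, and the Configuration Manager and Intune sections those URLs belong to) or leave the file out of this merge. Minor: "startup" in "Allow antimalware service to startup with normal priority" is the noun; the verb is "start up".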
@ -20,7 +20,7 @@ author: iaanw
**Audience**

- IT professionals
- Enterprise security administrators

**Manageability available with**
BIN windows/keep-secure/images/defender/wdav-get-mpthreat.png (Normal file)
Binary file not shown. After Width: | Height: | Size: 12 KiB |
Binary file not shown. After Width: | Height: | Size: 52 KiB |
@ -112,7 +112,7 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.

## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511)
## <a href="" id="turn-on-or-turn-off"></a>Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)

Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
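Review bot: the new heading reads "available only with TPM 1.2 with Windows 10, version 1507 or 1511"; the doubled "with" is awkward, so "available only with TPM 1.2 on Windows 10, version 1507 or 1511" reads better. While the line is being edited, the anchor `<a href="" id="turn-on-or-turn-off"></a>` can lose its empty `href`, which otherwise turns the heading into a link to the current page.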
@ -148,9 +148,9 @@ If you want to stop using the services that are provided by the TPM, you can use
- If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.

### Change the TPM Owner Password (Windows 10, version 1607 or earlier only)
### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)

If you have the owner password available, see [Change the TPM Owner Password](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/change-the-tpm-owner-password), you can use TPM.msc to change the TPM Owner Password.
If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.

1. Open the TPM MMC (tpm.msc).
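Review bot: the new heading "(available only with Windows 10, version 1607 and earlier versions)" repeats "version"; "(available only with Windows 10, version 1607 and earlier)" says the same thing. The rewritten owner-password sentence is a clear improvement over the old run-on; it also drops the "en-us/" segment from the technet URL, which is fine as long as the locale-free path still resolves.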
@ -1,7 +1,7 @@
---
title: Review the results of Windows Defender AV scans
description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app
keywords:
keywords: scan results, remediation, full scan, quick scan
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
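Review bot: the added keywords are fine, but `description:` still names only Configuration Manager, Intune, and the Security Center app, while the body of this topic in the next hunk also covers PowerShell and WMI; add them so search matches the content.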
@ -13,3 +13,79 @@ author: iaanw
|
||||
---
|
||||
|
||||
# Review Windows Defender AV scan results
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10
|
||||
|
||||
**Audience**
|
||||
|
||||
- Enterprise security administrators
|
||||
|
||||
**Manageability available with**
|
||||
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
|
||||
|
||||
|
||||
After Windows Defender Antivirus has completed a scan, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. You can also define
|
||||
|
||||
|
||||
**Use Configuration Manager to review Windows Defender AV scan results:**
|
||||
|
||||
See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
|
||||
|
||||
|
||||
**Use the Windows Defender Security app to review Windows Defender AV scan results:**
|
||||
|
||||
1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
|
||||
|
||||
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label.
|
||||
|
||||
- Click **See full history** for any of the sections to see previous detections and the action taken. You can also clear the list.
|
||||
- Information about the last scan is displayed at the bottom of the page.
|
||||
|
||||
|
||||
|
||||
|
||||
**Use PowerShell cmdlets to review Windows Defender AV scan results:**
|
||||
|
||||
The following cmdlet will return each detection on the endpoint. If there are multiple detection of the same threat, each detection will be listed separately, based on the time of each detection:
|
||||
|
||||
```PowerShell
|
||||
Get-MpThreatDetection
|
||||
```
|
||||
|
||||

|
||||
|
||||
You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
|
||||
|
||||
If you want to list threat detections, but combine detections of the same threat into a single item, you can use the following cmdlet:
|
||||
|
||||
```PowerShell
|
||||
Get-MpThreat
|
||||
```
|
||||
|
||||

|
||||
|
||||
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
|
||||
|
||||
**Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:**
|
||||
|
||||
Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes.
|
||||
|
||||
|
||||
**Use Microsoft Intune to review Windows Defender AV scan results:**
|
||||
|
||||
See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Monitor Endpoint Protection](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
|
||||
|
||||
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Customize,<2C>initiate,<2C>and<6E>review<65>the<68>results<74>of<6F>Windows<77>Defender<65>AV<41>scans<6E>and<6E>remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
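Review bot: the new WMI heading "Use Windows Management Instruction (WMI) to review Windows Defender AV scan results:" should read "Windows Management Instrumentation (WMI)", the expansion this same commit uses in the new WMI topic title. Two smaller points in the same region: "If there are multiple detection of the same threat" should be "multiple detections", and the first Related topics link text ("Customize, initiate, and review the results of Windows Defender AV scans and remediation") carries mis-encoded non-breaking spaces between the words, which will render as replacement characters; replace them with plain spaces.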
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Run and customize on-demand scans in Windows Defender AV
|
||||
description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app
|
||||
keywords:
|
||||
keywords: scan, on-demand, dos, intune, instant scan
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
@ -16,44 +16,93 @@ author: iaanw
# Configure and run Windows Defender AV scans
|
||||
# Configure and run on-demand Windows Defender AV scans
**Applies to:**
- Windows 10
IT professionals can use a command-line utility to run a Windows Defender scan.
|
||||
**Audience**
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
|
||||
- Enterprise security administrators
This utility can be handy when you want to automate the use of Windows Defender.
|
||||
**Manageability available with**
**To run a quick scan from the command line**
|
||||
- Windows Defender AV mpcmdrun utility
|
||||
- PowerShell
|
||||
- Windows Management Instrumentation (WMI)
|
||||
- System Center Configuration Manager
|
||||
- Microsoft Intune
|
||||
- Windows Defender Security Center app
1. Click **Start**, type **cmd**, and press **Enter**.
|
||||
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
|
||||
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
|
||||
```
|
||||
The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
|
||||
You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
The utility also provides other commands that you can run:
|
||||
## Quick scan versus full scan
```
|
||||
MpCmdRun.exe [command] [-options]
|
||||
Quick scan looks at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans.
**Use the mpcmdrum.exe command-line utility to run a scan:**
Use the following `-scan` parameter:
```DOS
|
||||
mpcmdrun.exe -scan -scantype 1
|
||||
```
Command | Description
|
||||
:---|:---
|
||||
\- ? / -h | Displays all available options for the tool
|
||||
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
|
||||
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
|
||||
\-GetFiles | Collects support information
|
||||
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
|
||||
\-AddDynamicSignature [-Path] | Loads a dynamic signature
|
||||
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
|
||||
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
|
||||
<br>
|
||||
The command-line utility provides detailed information on the other commands supported by the tool.
See [Use<EFBFBD>the<EFBFBD>mpcmdrun.exe<78>commandline<6E>tool<6F>to<74>configure<72>and<6E>manage<67>Windows<77>Defender<65>Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the tool and additional parameters, including starting a full scan or defining paths.
**Use Configuration Manager to run a scan:**
See [Antimalware and firewall tasks: How to perform an on-demance scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan.
**Use the Windows Defender Security Center app to run a scan:**
See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints.
**Use PowerShell cmdlets to run a scan:**
Use the following cmdlet:
```PowerShell
|
||||
Start-MpScan
|
||||
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to run a scan:**
Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class.
See the following for more information and allowed parameters:
|
||||
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
**Use Microsoft Intune to run a scan:**
See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune: Run a malware scan](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#run-a-malware-scan-or-update-malware-definitions-on-a-computer) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
## Related topics
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
|
||||
- [Configure scheduled scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
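Review bot: the new heading "Use the mpcmdrum.exe command-line utility to run a scan:" misspells the utility; it should be "mpcmdrun.exe", as in the command block directly below it. Further points in this hunk: the Configuration Manager link text says "on-demance scan" (should be "on-demand scan"); the WMI heading says "Windows Management Instruction" (should be "Instrumentation"); the link text pointing at command-line-arguments-windows-defender-antivirus.md contains mis-encoded non-breaking spaces that will render as garbage characters; and the command table rows "\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>]" use unescaped `<path>` and `<days>`, which Markdown will treat as HTML tags and drop from the rendered table, so wrap those cells in backticks or escape the angle brackets. The "\- ? / -h" row also has a stray space: the option is "-?".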
|
@ -1,7 +1,7 @@
|
||||
---
|
||||
title: Schedule regular scans with Windows Defender AV
|
||||
description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans
|
||||
keywords:
|
||||
keywords: schedule scan, daily, weekly, time, scheduled, recurring, regular
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
ms.prod: w10
|
||||
@ -22,7 +22,7 @@ author: iaanw
**Audience**
- Network administrators
|
||||
- Enterprise security administrators
**Manageability available with**
@ -37,7 +37,197 @@ author: iaanw
|
||||
> By default, Windows Defender AV will check for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default.
RANDOMIZE
|
||||
In addition to always-on real-time protection and [on-demand](run-scan-windows-defender-antivirus.md) scans, you can set up regular, scheduled scans.
You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur.
This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intunespecify-scan-schedule-settings).
To configure the Group Policy settings described in this topic:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics.
## Quick scan versus full scan
When you set up scheduled scans, you can set up whether the scan should be a full or quick scan.
Quick scans look at all the locations where there could be malware registered to start with the system, such as registry keys and known Windows startup folders.
Combined with [always-on real-time protection capability](configure-real-time-protection-windows-defender-antivirus.md) - which reviews files when they are opened and closed, and whenever a user navigates to a folder - a quick scan helps provide strong coverage both for malware that starts with the system and kernel-level malware.
In most instances, this means a quick scan is adequate to find malware that wasn't picked up by real-time protection.
A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md).
## Set up scheduled scans
Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans.
**Use Group Policy to schedule scans:**
Location | Setting | Description | Default setting (if not configured)
|
||||
---|---|---|---
|
||||
Scan | Specify the scan type to use for a scheduled scan | Quick scan
|
||||
Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
|
||||
Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
|
||||
Main | Randomize scheduled task times | Randomize the start time of the scan to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments | Enabled
**Use PowerShell cmdlets to schedule scans:**
Use the following cmdlets:
```PowerShell
|
||||
Set-MpPreference -ScanParameters
|
||||
Set-MpPreference -ScanScheduleDay
|
||||
Set-MpPreference -ScanScheduleTime
|
||||
Set-MpPreference -RandomizeScheduleTaskTimes
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule scans:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
|
||||
SignatureFallbackOrder
|
||||
SignatureDefinitionUpdateFileSharesSouce
|
||||
```
See the following for more information and allowed parameters:
|
||||
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Start scheduled scans only when the endpoint is not in use
You can set the scheduled scan to only occur when the endpoint is turned on but not in use with Group Policy, PowerShell, or WMI.
**Use Group Policy to schedule scans**
Location | Setting | Description | Default setting (if not configured)
|
||||
---|---|---|---
|
||||
Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled
**Use PowerShell cmdlets:**
Use the following cmdlets:
```PowerShell
|
||||
Set-MpPreference -ScanOnlyIfIdleEnabled
|
||||
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI):**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
|
||||
SignatureFallbackOrder
|
||||
SignatureDefinitionUpdateFileSharesSouce
|
||||
```
See the following for more information and allowed parameters:
|
||||
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
<a id="remed"></a>
|
||||
## Configure when full scans should be run to complete remediation
Some threats may require a full scan to complete their removal and remediation. You can schedule when these scans should occur with Group Policy, PowerShell, or WMI.
**Use Group Policy to schedule remediation-required scans**
Location | Setting | Description | Default setting (if not configured)
|
||||
---|---|---|---
|
||||
Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never
|
||||
Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
**Use PowerShell cmdlets:**
Use the following cmdlets:
```PowerShell
|
||||
Set-MpPreference -RemediationScheduleDay
|
||||
Set-MpPreference -RemediationScheduleTime
|
||||
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI):**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
|
||||
SignatureFallbackOrder
|
||||
SignatureDefinitionUpdateFileSharesSouce
|
||||
```
See the following for more information and allowed parameters:
|
||||
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Set up daily quick scans
You can enable a daily quick scan that can be run in addition to your other scheduled scans with Group Policy, PowerShell, or WMI.
**Use Group Policy to schedule daily scans:**
Location | Setting | Description | Default setting (if not configured)
|
||||
---|---|---|---
|
||||
Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never
|
||||
Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am
**Use PowerShell cmdlets to schedule daily scans:**
Use the following cmdlets:
```PowerShell
|
||||
Set-MpPreference Set-MpPreference -ScanScheduleQuickTime
|
||||
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
**Use Windows Management Instruction (WMI) to schedule daily scans:**
Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
|
||||
SignatureFallbackOrder
|
||||
SignatureDefinitionUpdateFileSharesSouce
|
||||
```
See the following for more information and allowed parameters:
|
||||
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
## Enable scans after protection updates
You can force a scan to occur after every [protection update](manage-protection-updates-windows-defender-antivirus.md) with Group Policy.
**Use Group Policy to schedule scans after protection updates**
Location | Setting | Description | Default setting (if not configured)
|
||||
---|---|---|---
|
||||
Signature updates | Turn on scan after signature update | A scan will occur immediately after a new protection update is downloaded | Enabled
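Review bot: the bare line "RANDOMIZE" immediately after the blockquote is a leftover author placeholder, not document text, and should be removed (it is in the committed file, since it appears as the context of the next hunk header). Two content problems follow it. All four WMI subsections in this hunk list the properties `SignatureFallbackOrder` and `SignatureDefinitionUpdateFileSharesSouce`, which are protection-update properties pasted from another topic (note the "Souce" typo); each scheduling section should instead name the `MSFT_MpPreference` properties matching the cmdlet parameters in the PowerShell block right above it (`ScanParameters`, `ScanScheduleDay`, `ScanScheduleTime`, `RandomizeScheduleTaskTimes`; `ScanOnlyIfIdleEnabled`; `RemediationScheduleDay`, `RemediationScheduleTime`; `ScanScheduleQuickTime`), consistent with this commit's own statement that the WMI classes are analogous to the cmdlets. And the daily quick scan PowerShell block reads "Set-MpPreference Set-MpPreference -ScanScheduleQuickTime", a duplicated cmdlet name. Smaller points: the Intune link is missing the `#` before its fragment ("...for-microsoft-intunespecify-scan-schedule-settings"); all four WMI headings say "Windows Management Instruction" instead of "Instrumentation"; the Group Policy procedure is numbered 1, 3, 4, 5, 6; and the first row of the first scheduling table ("Scan | Specify the scan type to use for a scheduled scan | Quick scan") has three cells in a four-column table, so the Description column is missing.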
@ -45,6 +235,10 @@ RANDOMIZE
## Related topics
- [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
|
||||
- [Configure and run on-demand Windows Defender AV scans](run-scan-windows-defender-antivirus.md)
|
||||
- [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
|
||||
- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
|
||||
- [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
|
||||
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
|
||||
- [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
@ -13,3 +13,32 @@ author: iaanw
|
||||
---
# Use Group Policy settings to configure and manage Windows Defender AV
**Applies to:**
- Windows 10, version 1703
You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender AV on your endpoints.
<!--
|
||||
The table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable).
|
||||
-->
In general, you can use the following procedure to configure or change Windows Defender AV group policy settings:
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object (GPO) you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender Antivirus**.
6. Expand the section that contains the setting you want to configure, double-click the setting to open it, and make configuration changes.
7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx).
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
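Review bot: the numbered procedure skips step 2 (1, 3, 4, 5, 6, 7); renumber it so the source reads correctly rather than relying on the renderer to fix it. The HTML-commented sentence ("The table in this topic lists the Group Policy settings available in Windows 10, version 1703 ...") refers to a table this topic does not contain; either add the table or drop the comment instead of shipping dead text. Also note the "Applies to" here says "Windows 10, version 1703" while the other new topics in this commit say "Windows 10"; pick one.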
|
@ -13,3 +13,17 @@ author: iaanw
|
||||
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender AV.
In both cases, the protection will be labelled as Endpoint Protection, although the engine is the same as that used by Windows Defender AV.
See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager.
For Microsoft Intune, consult the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune library](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune).
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
|
@ -30,7 +30,7 @@ PowerShell cmdlets are most useful in Windows Server environments that don't rel
|
||||
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
**Use Windows Defender PowerShell cmdlets**
|
||||
**Use Windows Defender AV PowerShell cmdlets:**
1. Click **Start**, type **powershell**, and press **Enter**.
|
||||
2. Click **Windows PowerShell** to open the interface.
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Configure Windows Defender AV with WMI
|
||||
description: Use WMI scripts to configure Windows Defender AV
|
||||
description: Use WMI scripts to configure Windows Defender AV.
|
||||
keywords: wmi, scripts, windows management instrumentation, configuration
|
||||
search.product: eADQiWindows 10XVcnh
|
||||
ms.pagetype: security
|
||||
@ -12,5 +12,23 @@ localizationpriority: medium
|
||||
author: iaanw
|
||||
---
# Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV
|
||||
# Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV
**Applies to:**
- Windows 10
Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
Read more about WMI at the [Microsoft Develop Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx).
Windows Defender AV has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md).
The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender AV, and includes example scripts.
## Related topics
- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
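Review bot: "Microsoft Develop Network" in the WMI library link text should be "Microsoft Developer Network". Replacing the System Center Configuration Manager heading that had been copied into this topic with the WMI heading is the right fix; the front matter title in the previous hunk already matches it.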
|
@ -79,6 +79,7 @@ This section describes how to perform some of the most common tasks when reviewi
|
||||
> [!NOTE]
|
||||
> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured.
<a id="scan"></a>
|
||||
**Run a scan with the Windows Defender Security Center app**
|
||||
1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -114,15 +114,9 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
|
||||
- **Other features**
|
||||
- [Check sensor health state](../keep-secure/check-sensor-status-windows-defender-advanced-threat-protection.md) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues.
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
### Windows Defender Antivirus
|
||||
New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include:
- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
|
||||
- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).
The new library includes information on:
|
||||
@ -136,6 +130,15 @@ Some of the highlights of the new library include:
|
||||
- [Evaluation guide for Windows Defender AV](../keep-secure/evaluate-windows-defender-antivirus.md)
|
||||
- [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](../keep-secure/deployment-vdi-windows-defender-antivirus.md)
New features for Windows Defender AV in Windows 10, version 1703 include:
- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
|
||||
- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
|
||||
- [Windows Defender Antivirus protection in the Windows Defender Security Center app](../keep-secure/windows-defender-security-center-antivirus.md)
In Windows 10, version 1607, we [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment in version 1703 with [updated beahvior monitoring and always-on real-time protection](.../keep-secure/configure-real-time-protection-windows-defender-antivirus.md).
You can read more about ransomware mitigations and detection capability in Windows Defender AV in the [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) and at the [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/).
### Device Guard and Credential Guard
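Review bot: the relative link in the new ransomware paragraph is broken: ".../keep-secure/configure-real-time-protection-windows-defender-antivirus.md" has three leading dots where every other link in this file uses "../keep-secure/". The same sentence has "beahvior" for "behavior". The "New features for Windows Defender AV in Windows 10, version 1703 include:" list added here is the list removed from the Windows Defender Antivirus subsection in the previous hunk, so the move itself is consistent.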
@ -227,4 +230,3 @@ Update Compliance helps you to keep Windows 10 devices in your organization secu
|
||||
Update Compliance is a solution built using OMS Logs and Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues.
For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](../manage/update-compliance-monitor.md).