diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 81696cd310..e6293265fe 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -16069,6 +16069,11 @@ "source_path": "windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/gov", + "redirect_document_id": true }, { "source_path": "windows/security/threat-protection/windows-defender-antivirus/office-365-windows-defender-antivirus.md", diff --git a/education/developers.yml b/education/developers.yml index 9e21b6d27f..6533d8c51c 100644 --- a/education/developers.yml +++ b/education/developers.yml @@ -18,16 +18,16 @@ additionalContent: # Card - title: UWP apps for education summary: Learn how to write universal apps for education. - url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/ + url: https://docs.microsoft.com/windows/uwp/apps-for-education/ # Card - title: Take a test API summary: Learn how web applications can use the API to provide a locked down experience for taking tests. - url: https://docs.microsoft.com/en-us/windows/uwp/apps-for-education/take-a-test-api + url: https://docs.microsoft.com/windows/uwp/apps-for-education/take-a-test-api # Card - title: Office Education Dev center summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app - url: https://dev.office.com/industry-verticals/edu + url: https://developer.microsoft.com/office/edu # Card - title: Data Streamer summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application. - url: https://docs.microsoft.com/en-us/microsoft-365/education/data-streamer \ No newline at end of file + url: https://docs.microsoft.com/microsoft-365/education/data-streamer diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md new file mode 100644 index 0000000000..3c22125793 --- /dev/null +++ b/education/includes/education-content-updates.md @@ -0,0 +1,11 @@ + + + + +## Week of October 19, 2020 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 10/22/2020 | [Microsoft 365 Education Documentation for developers](/education/developers) | modified | +| 10/22/2020 | [Windows 10 editions for education customers](/education/windows/windows-editions-for-education-customers) | modified | diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 80555a4b90..4197cf6869 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -30,10 +30,10 @@ Windows 10, version 1607 introduces two editions designed for the unique needs o Windows 10 Pro Education builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools. Windows 10 Pro Education is effectively a variant of Windows 10 Pro that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -For Cortana[1](#footnote1), +For Cortana[1](#footnote1): - If you're using version 1607, Cortana is removed. -- If you're using new devices with version 1703, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. +- If you're using new devices with version 1703 or later, Cortana is turned on by default. +- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). @@ -49,10 +49,10 @@ Customers who deploy Windows 10 Pro are able to configure the product to have si Windows 10 Education builds on Windows 10 Enterprise and provides the enterprise-grade manageability and security desired by many schools. Windows 10 Education is effectively a variant of Windows 10 Enterprise that provides education-specific default settings. These default settings disable tips, tricks and suggestions & Microsoft Store suggestions. More detailed information on these default settings is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). -For Cortana1, +For Cortana1: - If you're using version 1607, Cortana1 is removed. -- If you're using new devices with version 1703, Cortana is turned on by default. -- If you're upgrading from version 1607 to version 1703, Cortana will be enabled. +- If you're using new devices with version 1703 or later, Cortana is turned on by default. +- If you're upgrading from version 1607 to version 1703 or later, Cortana will be enabled. You can use the **AllowCortana** policy to turn Cortana off. For more information, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index 24ec842c6c..a7fff81d4b 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Add unsigned app to code integrity policy > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. > > Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). > - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. > @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index a3e5be63f9..a891ecd541 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. > > Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). > - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. > @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** diff --git a/store-for-business/includes/store-for-business-content-updates.md b/store-for-business/includes/store-for-business-content-updates.md new file mode 100644 index 0000000000..168974c2fa --- /dev/null +++ b/store-for-business/includes/store-for-business-content-updates.md @@ -0,0 +1,12 @@ + + + + +## Week of October 26, 2020 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 10/27/2020 | [Add unsigned app to code integrity policy (Windows 10)](/microsoft-store/add-unsigned-app-to-code-integrity-policy) | modified | +| 10/27/2020 | [Device Guard signing (Windows 10)](/microsoft-store/device-guard-signing-portal) | modified | +| 10/27/2020 | [Sign code integrity policy with Device Guard signing (Windows 10)](/microsoft-store/sign-code-integrity-policy-with-device-guard-signing) | modified | diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index e0acead8f1..6512584c76 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. > > Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). > - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. > @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 09bd474c3e..abbb5fac56 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index f25c37dce5..13ee43e312 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -63,7 +63,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu 4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. > [!TIP] - > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. + > When you connect to the remote PC, enter your account name in this format: AzureAD\yourloginid@domain.com. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. > [!Note] > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index ffd1c9d266..c81879ba3f 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 45de1ade9b..f4a048f445 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -53,7 +53,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: -- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune). +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/). - Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). @@ -69,7 +69,7 @@ You can envision user and device management as falling into these two categories - **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://blogs.technet.microsoft.com/ad/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. + - For corporate devices, they can set up corporate access with [Azure AD Join](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-overview/). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud.
Azure AD Join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices/) to add their work account to Windows, then access work resources on the device. @@ -135,6 +135,6 @@ There are a variety of steps you can take to begin the process of modernizing de ## Related topics -- [What is Intune?](https://docs.microsoft.com/intune/introduction-intune) +- [What is Intune?](https://docs.microsoft.com//mem/intune/fundamentals/what-is-intune) - [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) - [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index adc08ab268..e875d5d3a7 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -1,5 +1,6 @@ # [Mobile device management](index.md) ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md) +### [Change history for MDM documentation](change-history-for-mdm-documentation.md) ## [Mobile device enrollment](mobile-device-enrollment.md) ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) #### [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md) @@ -174,6 +175,7 @@ #### [ADMX_AddRemovePrograms](policy-csp-admx-addremoveprograms.md) #### [ADMX_AppCompat](policy-csp-admx-appcompat.md) #### [ADMX_AuditSettings](policy-csp-admx-auditsettings.md) +#### [ADMX_Bits](policy-csp-admx-bits.md) #### [ADMX_CipherSuiteOrder](policy-csp-admx-ciphersuiteorder.md) #### [ADMX_COM](policy-csp-admx-com.md) #### [ADMX_Cpls](policy-csp-admx-cpls.md) @@ -197,30 +199,39 @@ #### [ADMX_nca](policy-csp-admx-nca.md) #### [ADMX_NCSI](policy-csp-admx-ncsi.md) #### [ADMX_Netlogon](policy-csp-admx-netlogon.md) +#### [ADMX_NetworkConnections](policy-csp-admx-networkconnections.md) #### [ADMX_OfflineFiles](policy-csp-admx-offlinefiles.md) #### [ADMX_PeerToPeerCaching](policy-csp-admx-peertopeercaching.md) #### [ADMX_PerformanceDiagnostics](policy-csp-admx-performancediagnostics.md) +#### [ADMX_PowerShellExecutionPolicy](policy-csp-admx-powershellexecutionpolicy.md) #### [ADMX_Reliability](policy-csp-admx-reliability.md) #### [ADMX_Scripts](policy-csp-admx-scripts.md) #### [ADMX_sdiageng](policy-csp-admx-sdiageng.md) #### [ADMX_Securitycenter](policy-csp-admx-securitycenter.md) +#### [ADMX_Sensors](policy-csp-admx-sensors.md) #### [ADMX_Servicing](policy-csp-admx-servicing.md) #### [ADMX_SharedFolders](policy-csp-admx-sharedfolders.md) #### [ADMX_Sharing](policy-csp-admx-sharing.md) #### [ADMX_ShellCommandPromptRegEditTools](policy-csp-admx-shellcommandpromptregedittools.md) #### [ADMX_Smartcard](policy-csp-admx-smartcard.md) #### [ADMX_Snmp](policy-csp-admx-snmp.md) +#### [ADMX_StartMenu](policy-csp-admx-startmenu.md) +#### [ADMX_Taskbar](policy-csp-admx-taskbar.md) #### [ADMX_tcpip](policy-csp-admx-tcpip.md) #### [ADMX_Thumbnails](policy-csp-admx-thumbnails.md) #### [ADMX_TPM](policy-csp-admx-tpm.md) #### [ADMX_UserExperienceVirtualization](policy-csp-admx-userexperiencevirtualization.md) #### [ADMX_W32Time](policy-csp-admx-w32time.md) +#### [ADMX_WCM](policy-csp-admx-wcm.md) #### [ADMX_WinCal](policy-csp-admx-wincal.md) #### [ADMX_WindowsAnytimeUpgrade](policy-csp-admx-windowsanytimeupgrade.md) #### [ADMX_WindowsConnectNow](policy-csp-admx-windowsconnectnow.md) +#### [ADMX_WindowsExplorer](policy-csp-admx-windowsexplorer.md) #### [ADMX_WindowsMediaDRM](policy-csp-admx-windowsmediadrm.md) #### [ADMX_WindowsMediaPlayer](policy-csp-admx-windowsmediaplayer.md) +#### [ADMX_WindowsStore](policy-csp-admx-windowsstore.md) #### [ADMX_WinInit](policy-csp-admx-wininit.md) +#### [ADMX_wlansvc](policy-csp-admx-wlansvc.md) #### [ApplicationDefaults](policy-csp-applicationdefaults.md) #### [ApplicationManagement](policy-csp-applicationmanagement.md) #### [AppRuntime](policy-csp-appruntime.md) @@ -229,7 +240,7 @@ #### [Audit](policy-csp-audit.md) #### [Authentication](policy-csp-authentication.md) #### [Autoplay](policy-csp-autoplay.md) -#### [Bitlocker](policy-csp-bitlocker.md) +#### [BitLocker](policy-csp-bitlocker.md) #### [BITS](policy-csp-bits.md) #### [Bluetooth](policy-csp-bluetooth.md) #### [Browser](policy-csp-browser.md) @@ -274,6 +285,7 @@ #### [MixedReality](policy-csp-mixedreality.md) #### [MSSecurityGuide](policy-csp-mssecurityguide.md) #### [MSSLegacy](policy-csp-msslegacy.md) +#### [Multitasking](policy-csp-multitasking.md) #### [NetworkIsolation](policy-csp-networkisolation.md) #### [Notifications](policy-csp-notifications.md) #### [Power](policy-csp-power.md) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 7a9545e09a..455f749b5b 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -52,6 +52,7 @@ This node specifies the username for a new local user account. This setting can This node specifies the password for a new local user account. This setting can be managed remotely. Supported operation is Add. +GET operation is not supported. This setting will report as failed when deployed from the Endpoint Manager. **Users/_UserName_/LocalUserGroup** This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely. diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md new file mode 100644 index 0000000000..b1d4002955 --- /dev/null +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -0,0 +1,1084 @@ +--- +title: Change history for MDM documentation +description: This article lists new and updated articles for Mobile Device Management. +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/19/2020 +--- + +# Change history for Mobile Device Management documentation + +This article lists new and updated articles for the Mobile Device Management (MDM) documentation. Updated articles are those that had content addition, removal, or corrections—minor fixes, such as correction of typos, style, or formatting issues are not listed. + +## November 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policy:
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | + +## October 2020 + +|New or updated article | Description| +|--- | ---| +| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Update/DisableWUfBSafeguards](policy-csp-update.md#update-disablewufbsafeguards)
- [WindowsSandbox/AllowAudioInput](policy-csp-windowssandbox.md#windowssandbox-allowaudioinput)
- [WindowsSandbox/AllowClipboardRedirection](policy-csp-windowssandbox.md#windowssandbox-allowclipboardredirection)
- [WindowsSandbox/AllowNetworking](policy-csp-windowssandbox.md#windowssandbox-allownetworking)
- [WindowsSandbox/AllowPrinterRedirection](policy-csp-windowssandbox.md#windowssandbox-allowprinterredirection)
- [WindowsSandbox/AllowVGPU](policy-csp-windowssandbox.md#windowssandbox-allowvgpu)
- [WindowsSandbox/AllowVideoInput](policy-csp-windowssandbox.md#windowssandbox-allowvideoinput) | + +## September 2020 + +|New or updated article | Description| +|--- | ---| +|[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.| +|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:
- RecoveryConsole_AllowAutomaticAdministrativeLogon
- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways
- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible
- DomainMember_DisableMachineAccountPasswordChanges
- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems
| + +## August 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Removed the following policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing
| + +## July 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - System](policy-csp-system.md)|Added the following new policy settings:
- System/AllowDesktopAnalyticsProcessing
- System/AllowMicrosoftManagedDesktopProcessing
- System/AllowUpdateComplianceProcessing
- System/AllowWUfBCloudProcessing


Updated the following policy setting:
- System/AllowCommercialDataPipeline
| + +## June 2020 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added SKU support table for **AllowStandardUserEncryption**.| +|[Policy CSP - NetworkIsolation](policy-csp-networkisolation.md)|Updated the description from Boolean to Integer for the following policy settings:
EnterpriseIPRangesAreAuthoritative, EnterpriseProxyServersAreAuthoritative.| + +## May 2020 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with additional details. Added policy timeline table. + +## February 2020 + +|New or updated article | Description| +|--- | ---| +|[CertificateStore CSP](certificatestore-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)|Added details about SubjectName value.| + +## January 2020 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Defender](policy-csp-defender.md)|Added descriptions for supported actions for Defender/ThreatSeverityDefaultAction.| + +## November 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added option 5 in the supported values list for DeliveryOptimization/DOGroupIdSource.| +|[DiagnosticLog CSP](diagnosticlog-csp.md)|Added substantial updates to this CSP doc.| + +## October 2019 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Added the following new nodes:
ConfigureRecoveryPasswordRotation, RotateRecoveryPasswords, RotateRecoveryPasswordsStatus, RotateRecoveryPasswordsRequestID.| +|[Defender CSP](defender-csp.md)|Added the following new nodes:
Health/TamperProtectionEnabled, Health/IsVirtualMachine, Configuration, Configuration/TamperProtection, Configuration/EnableFileHashComputation.| + +## September 2019 + +|New or updated article | Description| +|--- | ---| +|[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)|Added the following new node:
IsStub.| +|[Policy CSP - Defender](policy-csp-defender.md)|Updated the supported value list for Defender/ScheduleScanDay policy.| +|[Policy CSP - DeviceInstallation](policy-csp-deviceinstallation.md)|Added the following new policies:
DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs, DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs.| + +## August 2019 + +|New or updated article | Description| +|--- | ---| +|[DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md)|Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelName/MaximumFileSize, Policy/Channels/ChannelName/SDDL, Policy/Channels/ChannelName/ActionWhenFull, Policy/Channels/ChannelName/Enabled, DiagnosticArchive, DiagnosticArchive/ArchiveDefinition, DiagnosticArchive/ArchiveResults.| +|[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)|Enhanced the article to include additional reference links and the following two topics:
Verify auto-enrollment requirements and settings, Troubleshoot auto-enrollment of devices.| + +## July 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Added the following list:
Policies supported by HoloLens 2| +|[ApplicationControl CSP](applicationcontrol-csp.md)|Added new CSP in Windows 10, version 1903.| +|[PassportForWork CSP](passportforwork-csp.md)|Added the following new nodes in Windows 10, version 1903:
SecurityKey, SecurityKey/UseSecurityKeyForSignin| +|[Policy CSP - Privacy](policy-csp-privacy.md)|Added the following new policies:
LetAppsActivateWithVoice, LetAppsActivateWithVoiceAboveLock| +|Create a custom configuration service provider|Deleted the following documents from the CSP reference because extensibility via CSPs is not currently supported:
Create a custom configuration service provider
Design a custom configuration service provider
IConfigServiceProvider2
IConfigServiceProvider2::ConfigManagerNotification
IConfigServiceProvider2::GetNode
ICSPNode
ICSPNode::Add
ICSPNode::Clear
ICSPNode::Copy
ICSPNode::DeleteChild
ICSPNode::DeleteProperty
ICSPNode::Execute
ICSPNode::GetChildNodeNames
ICSPNode::GetProperty
ICSPNode::GetPropertyIdentifiers
ICSPNode::GetValue
ICSPNode::Move
ICSPNode::SetProperty
ICSPNode::SetValue
ICSPNodeTransactioning
ICSPValidate
Samples for writing a custom configuration service provider.| + +## June 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - DeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md)|Added the following new policies:
AllowDeviceHealthMonitoring, ConfigDeviceHealthMonitoringScope, ConfigDeviceHealthMonitoringUploadDestination.| +|[Policy CSP - TimeLanguageSettings](policy-csp-timelanguagesettings.md)|Added the following new policy:
ConfigureTimeZone.| + +## May 2019 + +|New or updated article | Description| +|--- | ---| +|[DeviceStatus CSP](devicestatus-csp.md)|Updated description of the following nodes:
DeviceStatus/Antivirus/SignatureStatus, DeviceStatus/Antispyware/SignatureStatus.| +|[EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md)|Added new CSP in Windows 10, version 1903.| +|[Policy CSP - DeliveryOptimization](policy-csp-deliveryoptimization.md)|Added the following new policies:
DODelayCacheServerFallbackBackground, DODelayCacheServerFallbackForeground.

Updated description of the following policies:
DOMinRAMAllowedToPeer, DOMinFileSizeToCache, DOMinDiskSizeAllowedToPeer.| +|[Policy CSP - Experience](policy-csp-experience.md)|Added the following new policy:
ShowLockOnUserTile.| +|[Policy CSP - InternetExplorer](policy-csp-internetexplorer.md)|Added the following new policies:
AllowEnhancedSuggestionsInAddressBar, DisableActiveXVersionListAutoDownload, DisableCompatView, DisableFeedsBackgroundSync, DisableGeolocation, DisableWebAddressAutoComplete, NewTabDefaultPage.| +|[Policy CSP - Power](policy-csp-power.md)|Added the following new policies:
EnergySaverBatteryThresholdOnBattery, EnergySaverBatteryThresholdPluggedIn, SelectLidCloseActionOnBattery, SelectLidCloseActionPluggedIn, SelectPowerButtonActionOnBattery, SelectPowerButtonActionPluggedIn, SelectSleepButtonActionOnBattery, SelectSleepButtonActionPluggedIn, TurnOffHybridSleepOnBattery, TurnOffHybridSleepPluggedIn, UnattendedSleepTimeoutOnBattery, UnattendedSleepTimeoutPluggedIn.| +|[Policy CSP - Search](policy-csp-search.md)|Added the following new policy:
AllowFindMyFiles.| +|[Policy CSP - ServiceControlManager](policy-csp-servicecontrolmanager.md)|Added the following new policy:
SvchostProcessMitigation.| +|[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
AllowCommercialDataPipeline, TurnOffFileHistory.| +|[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:
AllowRecommendations.| +|[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| +|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.

Removed the following policy:
SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.| + +## April 2019 + +| New or updated article | Description | +|-------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) | Added the following warning at the end of the Overview section:
Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. | +| [Policy CSP - UserRights](policy-csp-userrights.md) | Added a note stating if you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag () to wrap the data fields. | + +## March 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Updated ADMX Info of the following policies:
AllowStorageSenseGlobal, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseCloudContentDehydrationThreshold, ConfigStorageSenseDownloadsCleanupThreshold, ConfigStorageSenseGlobalCadence, ConfigStorageSenseRecycleBinCleanupThreshold.

Updated description of ConfigStorageSenseDownloadsCleanupThreshold.| + +## February 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP](policy-configuration-service-provider.md)|Updated supported policies for Holographic.| + +## January 2019 + +|New or updated article | Description| +|--- | ---| +|[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| +|[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| +|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| + +## December 2018 + +|New or updated article | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| + +## September 2018 + +|New or updated article | Description| +|--- | ---| +|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| +|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| + +## August 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
BitLocker CSP

Added support for Windows 10 Pro starting in the version 1809.

+
Office CSP

Added FinalStatus setting in Windows 10, version 1809.

+
RemoteWipe CSP

Added new settings in Windows 10, version 1809.

+
TenantLockdown CSP

Added new CSP in Windows 10, version 1809.

+
WindowsDefenderApplicationGuard CSP

Added new settings in Windows 10, version 1809.

+
Policy DDF file

Posted an updated version of the Policy DDF for Windows 10, version 1809.

+
Policy CSP

Added the following new policies in Windows 10, version 1809:

+
    +
  • Browser/AllowFullScreenMode
    • +
  • Browser/AllowPrelaunch
    • +
  • Browser/AllowPrinting
    • +
  • Browser/AllowSavingHistory
    • +
  • Browser/AllowSideloadingOfExtensions
    • +
  • Browser/AllowTabPreloading
    • +
  • Browser/AllowWebContentOnNewTabPage
    • +
  • Browser/ConfigureFavoritesBar
    • +
  • Browser/ConfigureHomeButton
    • +
  • Browser/ConfigureKioskMode
    • +
  • Browser/ConfigureKioskResetAfterIdleTimeout
    • +
  • Browser/ConfigureOpenMicrosoftEdgeWith
    • +
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
    • +
  • Browser/PreventCertErrorOverrides
    • +
  • Browser/SetHomeButtonURL
    • +
  • Browser/SetNewTabPageURL
    • +
  • Browser/UnlockHomeButton
    • +
  • Experience/DoNotSyncBrowserSettings
    • +
  • Experience/PreventUsersFromTurningOnBrowserSyncing
    • +
  • Kerberos/UPNNameHints
    • +
  • Privacy/AllowCrossDeviceClipboard
    • +
  • Privacy/DisablePrivacyExperience
    • +
  • Privacy/UploadUserActivities
    • +
  • System/AllowDeviceNameInDiagnosticData
    • +
  • System/ConfigureMicrosoft365UploadEndpoint
    • +
  • System/DisableDeviceDelete
    • +
  • System/DisableDiagnosticDataViewer
    • +
  • Storage/RemovableDiskDenyWriteAccess
    • +
  • Update/UpdateNotificationLevel
    • +
+

Start/DisableContextMenus - added in Windows 10, version 1803.

+

RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.

+
+ +## July 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
AssignedAccess CSP

Added the following note:

+
    +
  • You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
    • +
+
PassportForWork CSP

Added new settings in Windows 10, version 1809.

+
EnterpriseModernAppManagement CSP

Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

+
Win32CompatibilityAppraiser CSP

Added new configuration service provider in Windows 10, version 1809.

+
WindowsLicensing CSP

Added S mode settings and SyncML examples in Windows 10, version 1809.

+
SUPL CSP

Added 3 new certificate nodes in Windows 10, version 1809.

+
Defender CSP

Added a new node Health/ProductStatus in Windows 10, version 1809.

+
BitLocker CSP

Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

+
DevDetail CSP

Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

+
Policy CSP

Added the following new policies in Windows 10, version 1809:

+
    +
  • ApplicationManagement/LaunchAppAfterLogOn
    • +
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
    • +
  • Authentication/EnableFastFirstSignIn (Preview mode only)
    • +
  • Authentication/EnableWebSignIn (Preview mode only)
    • +
  • Authentication/PreferredAadTenantDomainName
    • +
  • Defender/CheckForSignaturesBeforeRunningScan
    • +
  • Defender/DisableCatchupFullScan
    • +
  • Defender/DisableCatchupQuickScan
    • +
  • Defender/EnableLowCPUPriority
    • +
  • Defender/SignatureUpdateFallbackOrder
    • +
  • Defender/SignatureUpdateFileSharesSources
    • +
  • DeviceGuard/ConfigureSystemGuardLaunch
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
    • +
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
    • +
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
    • +
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
    • +
  • DmaGuard/DeviceEnumerationPolicy
    • +
  • Experience/AllowClipboardHistory
    • +
  • Security/RecoveryEnvironmentAuthentication
    • +
  • TaskManager/AllowEndTask
    • +
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
    • +
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
    • +
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
    • +
  • WindowsLogon/DontDisplayNetworkSelectionUI
    • +
+

Recent changes:

+
    +
  • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.
    • +
+
+ +## June 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Wifi CSP

Added a new node WifiCost in Windows 10, version 1809.

+
Diagnose MDM failures in Windows 10

Recent changes:

+
    +
  • Added procedure for collecting logs remotely from Windows 10 Holographic.
    • +
  • Added procedure for downloading the MDM Diagnostic Information log.
    • +
+
BitLocker CSP

Added new node AllowStandardUserEncryption in Windows 10, version 1809.

+
Policy CSP

Recent changes:

+
    +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
    • +
  • AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
    • +
  • AccountPoliciesAccountLockoutPolicy/ResetAccountLockoutCounterAfter - removed from docs. Not supported.
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_LetEveryonePermissionsApplyToAnonymousUsers - removed from docs. Not supported.
    • +
  • System/AllowFontProviders is not supported in HoloLens (1st gen) Commercial Suite.
    • +
  • Security/RequireDeviceEncryption is supported in the Home SKU.
    • +
  • Start/StartLayout - added a table of SKU support information.
    • +
  • Start/ImportEdgeAssets - added a table of SKU support information.
    • +
+

Added the following new policies in Windows 10, version 1809:

+
    +
  • Update/EngagedRestartDeadlineForFeatureUpdates
    • +
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
    • +
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
    • +
  • Update/SetDisablePauseUXAccess
    • +
  • Update/SetDisableUXWUAccess
    • +
+
WiredNetwork CSPNew CSP added in Windows 10, version 1809. +
+ +## May 2018 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Policy DDF file

Updated the DDF files in the Windows 10 version 1703 and 1709.

+ +
+ +## April 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
WindowsDefenderApplicationGuard CSP

Added the following node in Windows 10, version 1803:

+
    +
  • Settings/AllowVirtualGPU
    • +
  • Settings/SaveFilesToHost
    • +
+
NetworkProxy CSP

Added the following node in Windows 10, version 1803:

+
    +
  • ProxySettingsPerUser
    • +
+
Accounts CSP

Added a new CSP in Windows 10, version 1803.

+
MDM Migration Analysis Tool (MMAT)

Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.

+
CSP DDF files download

Added the DDF download of Windows 10, version 1803 configuration service providers.

+
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Bluetooth/AllowPromptedProximalConnections
    • +
  • KioskBrowser/EnableEndSessionButton
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers
    • +
+
+ +## March 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
eUICCs CSP

Added the following node in Windows 10, version 1803:

+
    +
  • IsEnabled
    • +
+
DeviceStatus CSP

Added the following node in Windows 10, version 1803:

+
    +
  • OS/Mode
    • +
+
Understanding ADMX-backed policies

Added the following videos:

+ +
AccountManagement CSP

Added a new CSP in Windows 10, version 1803.

+
RootCATrustedCertificates CSP

Added the following node in Windows 10, version 1803:

+
    +
  • UntrustedCertificates
    • +
+
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • ApplicationDefaults/EnableAppUriHandlers
    • +
  • ApplicationManagement/MSIAllowUserControlOverInstall
    • +
  • ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
    • +
  • Connectivity/AllowPhonePCLinking
    • +
  • Notifications/DisallowCloudNotification
    • +
  • Notifications/DisallowTileNotification
    • +
  • RestrictedGroups/ConfigureGroupMembership
    • +
+

The following existing policies were updated:

+
    +
  • Browser/AllowCookies - updated the supported values. There are 3 values - 0, 1, 2.
    • +
  • InternetExplorer/AllowSiteToZoneAssignmentList - updated the description and added an example SyncML
    • +
  • TextInput/AllowIMENetworkAccess - introduced new suggestion services in Japanese IME in addition to cloud suggestion.
    • +
+

Added a new section:

+ +
Policy CSP - Bluetooth

Added new section ServicesAllowedList usage guide.

+
MultiSIM CSP

Added SyncML examples and updated the settings descriptions.

+
RemoteWipe CSP

Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.

+
+ +## February 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Display/DisablePerProcessDpiForApps
    • +
  • Display/EnablePerProcessDpi
    • +
  • Display/EnablePerProcessDpiForApps
    • +
  • Experience/AllowWindowsSpotlightOnSettings
    • +
  • TextInput/ForceTouchKeyboardDockedState
    • +
  • TextInput/TouchKeyboardDictationButtonAvailability
    • +
  • TextInput/TouchKeyboardEmojiButtonAvailability
    • +
  • TextInput/TouchKeyboardFullModeAvailability
    • +
  • TextInput/TouchKeyboardHandwritingModeAvailability
    • +
  • TextInput/TouchKeyboardNarrowModeAvailability
    • +
  • TextInput/TouchKeyboardSplitModeAvailability
    • +
  • TextInput/TouchKeyboardWideModeAvailability
    • +
      +
VPNv2 ProfileXML XSD

Updated the XSD and Plug-in profile example for VPNv2 CSP.

+
AssignedAccess CSP

Added the following nodes in Windows 10, version 1803:

+
    +
  • Status
    • +
  • ShellLauncher
    • +
  • StatusConfiguration
    • +
+

Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.

+
MultiSIM CSP

Added a new CSP in Windows 10, version 1803.

+
EnterpriseModernAppManagement CSP

Added the following node in Windows 10, version 1803:

+
    +
  • MaintainProcessorArchitectureOnUpdate
    • +
+
+ +## January 2018 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1803:

+
    +
  • Browser/AllowConfigurationUpdateForBooksLibrary
    • +
  • Browser/AlwaysEnableBooksLibrary
    • +
  • Browser/EnableExtendedBooksTelemetry
    • +
  • Browser/UseSharedFolderForBooks
    • +
  • DeliveryOptimization/DODelayBackgroundDownloadFromHttp
    • +
  • DeliveryOptimization/DODelayForegroundDownloadFromHttp
    • +
  • DeliveryOptimization/DOGroupIdSource
    • +
  • DeliveryOptimization/DOPercentageMaxBackDownloadBandwidth
    • +
  • DeliveryOptimization/DOPercentageMaxForeDownloadBandwidth
    • +
  • DeliveryOptimization/DORestrictPeerSelectionBy
    • +
  • DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth
    • +
  • DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth
    • +
  • KioskBrowser/BlockedUrlExceptions
    • +
  • KioskBrowser/BlockedUrls
    • +
  • KioskBrowser/DefaultURL
    • +
  • KioskBrowser/EnableHomeButton
    • +
  • KioskBrowser/EnableNavigationButtons
    • +
  • KioskBrowser/RestartOnIdleTime
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon
    • +
  • LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia
    • +
  • LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters
    • +
  • LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
    • +
  • LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
    • +
  • LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
    • +
  • LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
    • +
  • RestrictedGroups/ConfigureGroupMembership
    • +
  • Search/AllowCortanaInAAD
    • +
  • Search/DoNotUseWebResults
    • +
  • Security/ConfigureWindowsPasswords
    • +
  • System/FeedbackHubAlwaysSaveDiagnosticsLocally
    • +
  • SystemServices/ConfigureHomeGroupListenerServiceStartupMode
    • +
  • SystemServices/ConfigureHomeGroupProviderServiceStartupMode
    • +
  • SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode
    • +
  • SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode
    • +
  • TaskScheduler/EnableXboxGameSaveTask
    • +
  • TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode
    • +
  • Update/ConfigureFeatureUpdateUninstallPeriod
    • +
  • UserRights/AccessCredentialManagerAsTrustedCaller
    • +
  • UserRights/AccessFromNetwork
    • +
  • UserRights/ActAsPartOfTheOperatingSystem
    • +
  • UserRights/AllowLocalLogOn
    • +
  • UserRights/BackupFilesAndDirectories
    • +
  • UserRights/ChangeSystemTime
    • +
  • UserRights/CreateGlobalObjects
    • +
  • UserRights/CreatePageFile
    • +
  • UserRights/CreatePermanentSharedObjects
    • +
  • UserRights/CreateSymbolicLinks
    • +
  • UserRights/CreateToken
    • +
  • UserRights/DebugPrograms
    • +
  • UserRights/DenyAccessFromNetwork
    • +
  • UserRights/DenyLocalLogOn
    • +
  • UserRights/DenyRemoteDesktopServicesLogOn
    • +
  • UserRights/EnableDelegation
    • +
  • UserRights/GenerateSecurityAudits
    • +
  • UserRights/ImpersonateClient
    • +
  • UserRights/IncreaseSchedulingPriority
    • +
  • UserRights/LoadUnloadDeviceDrivers
    • +
  • UserRights/LockMemory
    • +
  • UserRights/ManageAuditingAndSecurityLog
    • +
  • UserRights/ManageVolume
    • +
  • UserRights/ModifyFirmwareEnvironment
    • +
  • UserRights/ModifyObjectLabel
    • +
  • UserRights/ProfileSingleProcess
    • +
  • UserRights/RemoteShutdown
    • +
  • UserRights/RestoreFilesAndDirectories
    • +
  • UserRights/TakeOwnership
    • +
  • WindowsDefenderSecurityCenter/DisableAccountProtectionUI
    • +
  • WindowsDefenderSecurityCenter/DisableDeviceSecurityUI
    • +
  • WindowsDefenderSecurityCenter/HideRansomwareDataRecovery
    • +
  • WindowsDefenderSecurityCenter/HideSecureBoot
    • +
  • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    • +
+

Added the following policies the were added in Windows 10, version 1709

+
    +
  • DeviceLock/MinimumPasswordAge
    • +
  • Settings/AllowOnlineTips
    • +
  • System/DisableEnterpriseAuthProxy
    • +
+

Security/RequireDeviceEncryption - updated to show it is supported in desktop.

+
BitLocker CSP

Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.

+
EnterpriseModernAppManagement CSP

Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.

+
DMClient CSP

Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:

+
    +
  • AADSendDeviceToken
    • +
  • BlockInStatusPage
    • +
  • AllowCollectLogsButton
    • +
  • CustomErrorText
    • +
  • SkipDeviceStatusPage
    • +
  • SkipUserStatusPage
    • +
+
Defender CSP

Added new node (OfflineScan) in Windows 10, version 1803.

+
UEFI CSP

Added a new CSP in Windows 10, version 1803.

+
Update CSP

Added the following nodes in Windows 10, version 1803:

+
    +
  • Rollback
    • +
  • Rollback/FeatureUpdate
    • +
  • Rollback/QualityUpdateStatus
    • +
  • Rollback/FeatureUpdateStatus
    • +
+
+ +## December 2017 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Configuration service provider reference

Added new section CSP DDF files download

+
+ +## November 2017 + + ++++ + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following policies for Windows 10, version 1709:

+
    +
  • Authentication/AllowFidoDeviceSignon
    • +
  • Cellular/LetAppsAccessCellularData
    • +
  • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    • +
  • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    • +
  • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    • +
  • Start/HidePeopleBar
    • +
  • Storage/EnhancedStorageDevices
    • +
  • Update/ManagePreviewBuilds
    • +
  • WirelessDisplay/AllowMdnsAdvertisement
    • +
  • WirelessDisplay/AllowMdnsDiscovery
    • +
+

Added missing policies from previous releases:

+
    +
  • Connectivity/DisallowNetworkConnectivityActiveTest
    • +
  • Search/AllowWindowsIndexer
    • +
+
+ +## October 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy DDF file

Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.

+
Policy CSP

Updated the following policies:

+
    +
  • Defender/ControlledFolderAccessAllowedApplications - string separator is |.
    • +
  • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
    • +
+
eUICCs CSP

Added new CSP in Windows 10, version 1709.

+
AssignedAccess CSP

Added SyncML examples for the new Configuration node.

+
DMClient CSP

Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.

+
+ +## September 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Policy CSP

Added the following new policies for Windows 10, version 1709:

+
    +
  • Authentication/AllowAadPasswordReset
    • +
  • Handwriting/PanelDefaultModeDocked
    • +
  • Search/AllowCloudSearch
    • +
  • System/LimitEnhancedDiagnosticDataWindowsAnalytics
    • +
+

Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.

+
AssignedAccess CSP

Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

+
Microsoft Store for Business and Microsoft Store

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

+
The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2

The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

+
    +
  • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
    • +
  • ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
    • +
  • DomainName - fully qualified domain name if the device is domain-joined.
    • +
+

For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.

+
EnterpriseAPN CSP

Added a SyncML example.

+
VPNv2 CSP

Added RegisterDNS setting in Windows 10, version 1709.

+
Enroll a Windows 10 device automatically using Group Policy

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

+
MDM enrollment of Windows-based devices

New features in the Settings app:

+
    +
  • User sees installation progress of critical policies during MDM enrollment.
    • +
  • User knows what policies, profiles, apps MDM has configured
    • +
  • IT helpdesk can get detailed MDM diagnostic information using client tools
    • +
+

For details, see Managing connections and Collecting diagnostic logs

+
+ +## August 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated articleDescription
Enable ADMX-backed policies in MDM

Added new step-by-step guide to enable ADMX-backed policies.

+
Mobile device enrollment

Added the following statement:

+
    +
  • Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
    • +
+
CM_CellularEntries CSP

Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

+
EnterpriseDataProtection CSP

Updated the Settings/EDPEnforcementLevel values to the following:

+
    +
  • 0 (default) – Off / No protection (decrypts previously protected data).
    • +
  • 1 – Silent mode (encrypt and audit only).
    • +
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
    • +
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • +
+
AppLocker CSP

Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.

+
DeviceManageability CSP

Added the following settings in Windows 10, version 1709:

+
    +
  • Provider/ProviderID/ConfigInfo
    • +
  • Provider/ProviderID/EnrollmentInfo
    • +
+
Office CSP

Added the following setting in Windows 10, version 1709:

+
    +
  • Installation/CurrentStatus
    • +
+
BitLocker CSPAdded information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. +
Firewall CSPUpdated the CSP and DDF topics. Here are the changes: +
    +
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
    • +
  • Changed some data types from integer to bool.
    • +
  • Updated the list of supported operations for some settings.
    • +
  • Added default values.
    • +
+
Policy DDF fileAdded another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies: +
    +
  • Browser/AllowMicrosoftCompatibilityList
    • +
  • Update/DisableDualScan
    • +
  • Update/FillEmptyContentUrls
    • +
+
Policy CSP

Added the following new policies for Windows 10, version 1709:

+
    +
  • Browser/ProvisionFavorites
    • +
  • Browser/LockdownFavorites
    • +
  • ExploitGuard/ExploitProtectionSettings
    • +
  • Games/AllowAdvancedGamingServices
    • +
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
    • +
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
    • +
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
    • +
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
    • +
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
    • +
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
    • +
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
    • +
  • Privacy/EnableActivityFeed
    • +
  • Privacy/PublishUserActivities
    • +
  • Update/DisableDualScan
    • +
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
    • +
+

Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

+

Changed the names of the following policies:

+
    +
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
    • +
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
    • +
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
    • +
+

Added links to the additional ADMX-backed BitLocker policies.

+

There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:

+
    +
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
    • +
  • Start/HideAppList
    • +
+
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 7a91385e10..a6ac91e10f 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -118,7 +118,8 @@ Requirements: > [!NOTE] > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. - > The default behavior for older releases is to revert to **User Credential**. + > The default behavior for older releases is to revert to **User Credential**. + > **Device Credential** is not supported for enrollment type when you have a ConfigMgr Agent on your device. When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 79545b45cc..81f161b9b1 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md @@ -15,7 +15,9 @@ ms.topic: conceptual The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding as well as mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include: + - [HPE’s Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA’s The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 1fae08c646..bf8a5ea5ad 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -248,10 +248,10 @@ Sample syncxml to provision the firewall settings to evaluate

Value type is string. Supported operations are Add, Get, Replace, and Delete.

**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -

Comma separated list of local addresses covered by the rule. The default value is "". Valid tokens include:

+

Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:

 -

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

+

Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

Version 10.0.16299

@@ -2520,7 +2659,7 @@ The following tables are organized by cryptographic algorithms with their modes,
  • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)

    • AES Val#4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    Version 10.0.16299

    @@ -2559,288 +2698,288 @@ The following tables are organized by cryptographic algorithms with their modes,
  • AAD Length: 0-65536

    • AES Val#4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    Version 10.0.16299

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    OFB ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    OFB (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

    Version 10.0.15063

    -

    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    KW (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    AES Val#4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    Version 10.0.15063

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    AES Val#4624

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    Version 10.0.15063

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    +

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    +

    IV Generated: (External); PT Lengths Tested: (0, 1024, 8, 1016); AAD Lengths tested: (0, 1024, 8, 1016); 96BitIV_Supported

    GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    Version 10.0.15063

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

    Version 7.00.2872

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

    Version 8.00.6246

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

    Version 7.00.2872

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

    Version 8.00.6246

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    OFB ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    OFB (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    Version 10.0.14393

    -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    Version 10.0.14393

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
    Version 10.0.14393 -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 192, 256, 320, 2048)

    AES Val#4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    Version 10.0.14393

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    AES Val#4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    Version 10.0.14393

    -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    AES Val#3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    Version 10.0.10586

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    AES Val#3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    Version 10.0.10586

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
    Version 10.0.10586 -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested: (0, 0); 96BitIV_Supported
    GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    XTS((KS: XTS_128((e/d) (f)) KS: XTS_256((e/d) (f))

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629

    Version 10.0.10586

    -

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    KW  (AE, AD, AES-128, AES-192, AES-256, FWD, 128, 256, 192, 320, 2048)

    AES Val#3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    Version 10.0.10240

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    AES Val#3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    Version 10.0.10240

    -

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +

    ECB (e/d; 128, 192, 256); CBC (e/d; 128, 192, 256); CFB8 (e/d; 128, 192, 256); CFB128 (e/d; 128, 192, 256); CTR (int only; 128, 192, 256)

    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC(Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated:  (Externally); PT Lengths Tested:  (0, 1024, 8, 1016); AAD Lengths tested:  (0, 1024, 8, 1016); IV Lengths Tested:  (0, 0); 96BitIV_Supported
    GMAC_Supported

    -

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    +

    XTS((KS: XTS_128((e/d)(f)) KS: XTS_256((e/d)(f))

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    Version 10.0.10240 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
    Version 10.0.10240 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

    Version 6.3.9600

    -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    AES Val#2832

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    Version 6.3.9600

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    -

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    -

    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 0 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)

    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 192; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16) (KS: 256; Block Size(s): Full/Partial; Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 0 Max: 16)

    +

    GCM (KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)

    +

    (KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)

    +

    IV Generated:  (Externally); PT Lengths Tested:  (0, 128, 1024, 8, 1016); AAD Lengths tested:  (0, 128, 1024, 8, 1016); IV Lengths Tested:  (8, 1024); 96BitIV_Supported;
    OtherIVLen_Supported
    GMAC_Supported

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    Version 6.3.9600

    -

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    +

    CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0-0, 2^16) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16)
    AES Val#2197

    -

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
    +

    CMAC (Generation/Verification) (KS: 128; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 192; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16) (KS: 256; Block Size(s); Msg Len(s) Min: 0 Max: 2^16; Tag Len(s) Min: 16 Max: 16)
    AES Val#2197

    -

    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    -(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    -IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
    +

    GCM(KS: AES_128(e/d) Tag Length(s): 128 120 112 104 96) (KS: AES_192(e/d) Tag Length(s): 128 120 112 104 96)
    +(KS: AES_256(e/d) Tag Length(s): 128 120 112 104 96)
    +IV Generated: (Externally); PT Lengths Tested: (0, 128, 1024, 8, 1016); AAD Lengths tested: (0, 128, 1024, 8, 1016); IV Lengths Tested: (8, 1024); 96BitIV_Supported
    GMAC_Supported

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216 -

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    CCM (KS: 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 12 (Tag Length(s): 16)

    AES Val#2196

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    -

    CFB128 ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    +

    CFB128 (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196 -CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 – 0, 2^16 ) (Payload Length Range: 0 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    AES Val#1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    -CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    AES Val#1168 Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

     

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

    GCM

    GMAC

    -Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed +Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168, vendor-affirmed -CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) +CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 ) Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760 -CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 ) +CCM (KS: 128, 192, 256) (Assoc. Data Len Range: 0 - 0, 2^16 ) (Payload Length Range: 1 - 32 (Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    Windows Server 2008 CNG algorithms #757

    Windows Vista Ultimate SP1 CNG algorithms #756

    -

    CBC ( e/d; 128 , 256 );

    -

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

    +

    CBC (e/d; 128, 256);

    +

    CCM (KS: 128, 256) (Assoc. Data Len Range: 0 - 8) (Payload Length Range: 4 - 32 (Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16)

    Windows Vista Ultimate BitLocker Drive Encryption #715

    Windows Vista Ultimate BitLocker Drive Encryption #424

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CFB8 (e/d; 128, 192, 256);

    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

    Windows Vista Symmetric Algorithm Implementation #553

    -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    -

    CTR ( int only; 128 , 192 , 256 )

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    +

    CTR (int only; 128, 192, 256)

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023 -

    ECB ( e/d; 128 , 192 , 256 );

    -

    CBC ( e/d; 128 , 192 , 256 );

    +

    ECB (e/d; 128, 192, 256);

    +

    CBC (e/d; 128, 192, 256);

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

    @@ -2891,7 +3030,7 @@ Deterministic Random Bit Generator (DRBG)

    Prerequisite: AES #4903

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    Version 10.0.16299

    @@ -2930,74 +3069,74 @@ Deterministic Random Bit Generator (DRBG)

    Prerequisite: AES #4897

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    Version 10.0.16299

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ] +CTR_DRBG: [Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4627)]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    Version 10.0.15063

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4624)]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    Version 10.0.15063

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4434)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    Version 7.00.2872

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4433)]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    Version 8.00.6246

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4431)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    Version 7.00.2872

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4430)]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    Version 8.00.6246

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ] -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#4074)] +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    Version 10.0.14393

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#4064)]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    Version 10.0.14393

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3629)]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    Version 10.0.10586

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#3497)]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    Version 10.0.10240

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2832)]

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    Version 6.3.9600

    -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: (AES-256) (AES Val#2197)] Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258 -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#2023)] Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193 -CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ] +CTR_DRBG:[Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: (AES-256) (AES Val#1168)] Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23 @@ -3133,16 +3272,16 @@ Deterministic Random Bit Generator (DRBG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    Version 10.0.16299

    FIPS186-4:

    -

    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    -

    KeyPairGen:   [ (2048,256) ; (3072,256) ]

    -

    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

    -

    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]

    +

    PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    +

    KeyPairGen:   [(2048,256); (3072,256)]

    +

    SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]

    +

    SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SHS: Val#3790

    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    @@ -3150,16 +3289,16 @@ Deterministic Random Bit Generator (DRBG) FIPS186-4:
    -PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    +PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    SHS: Val# 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    Version 7.00.2872

    FIPS186-4:
    -PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    -SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    +PQG(ver)PARMS TESTED:       [(1024,160) SHA(1); ]
    +SIG(ver)PARMS TESTED:   [(1024,160) SHA(1); ]
    SHS: Val#3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    Version 8.00.6246

    @@ -3167,12 +3306,12 @@ SHS:

    FIPS186-4:
    PQG(gen)    PARMS TESTED: [
    -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256)
    -SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256)
    +SHA(256); (3072,256) SHA(256); ]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SHS: Val# 3347
    DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    @@ -3180,9 +3319,9 @@ DRBG:

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)] PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)] SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SHS: Val# 3047
    DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    @@ -3190,10 +3329,10 @@ DRBG:

    FIPS186-4:
    -PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +PQG(gen)PARMS TESTED:   [(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ] SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SHS: Val# 2886
    DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    @@ -3202,12 +3341,12 @@ DRBG:

    FIPS186-4:
    PQG(gen)    PARMS TESTED:   [
    -(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED:   [ (2048,256)
    -SHA( 256 ); (3072,256) SHA( 256 ) ]
    -KeyPairGen:    [ (2048,256) ; (3072,256) ]
    -SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED:   [(2048,256)
    +SHA(256); (3072,256) SHA(256)]
    +KeyPairGen:    [(2048,256); (3072,256)]
    +SIG(gen)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +SIG(ver)PARMS TESTED:   [(2048,256) SHA(256); (3072,256) SHA(256)]

    SHS: Val# 2373
    DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    @@ -3220,10 +3359,10 @@ DRBG: #1903
    DRBG: #258

    FIPS186-4:
    -PQG(gen)PARMS TESTED    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    -PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    -SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    -SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(gen)PARMS TESTED: [(2048,256)SHA(256); (3072,256) SHA(256)]
    +PQG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    +SIG(gen)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256); ]
    +SIG(ver)PARMS TESTED: [(2048,256) SHA(256); (3072,256) SHA(256)]
    SHS: #1903
    DRBG: #258
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    @@ -3445,7 +3584,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    Version 10.0.16299

    @@ -3615,7 +3754,7 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    Version 10.0.16299

    @@ -3649,12 +3788,12 @@ SHS: SHA-1 (BYTE)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    Version 10.0.16299

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 TestingCandidates )
    +PKG: CURVES(P-256 P-384 TestingCandidates)
    SHS: Val#3790
    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    @@ -3662,10 +3801,10 @@ DRBG: FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS:     Val#3790
    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    @@ -3673,10 +3812,10 @@ DRBG: FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS:     Val#3790
    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    @@ -3684,10 +3823,10 @@ DRBG: FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    SHS:    Val# 3649
    DRBG:Val# 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    @@ -3695,10 +3834,10 @@ PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )
    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512))
    SHS:Val#3648
    DRBG:Val# 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    @@ -3706,21 +3845,21 @@ PKG: CURVES( P-256 P-384 P-521 ExtraRandomBits )

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 TestingCandidates )
    -PKV: CURVES( P-256 P-384 )
    -SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

    +PKG: CURVES(P-256 P-384 TestingCandidates)
    +PKV: CURVES(P-256 P-384)
    +SigGen: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES(P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384))

    SHS: Val# 3347
    DRBG: Val# 1222

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    Version 10.0.14393

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -PKV: CURVES( P-256 P-384 P-521 )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +PKV: CURVES(P-256 P-384 P-521)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    SHS: Val# 3347
    DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    @@ -3728,9 +3867,9 @@ DRBG:

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    SHS: Val# 3047
    DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    @@ -3738,9 +3877,9 @@ DRBG:

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    SHS: Val# 2886
    DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    @@ -3748,9 +3887,9 @@ DRBG:

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))

    SHS: Val#2373
    DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    @@ -3758,16 +3897,16 @@ DRBG:

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    +PKG: CURVES(P-256 P-384 P-521)
    SHS:     #1903
    DRBG: #258
    -SIG(ver):CURVES( P-256 P-384 P-521 )
    +SIG(ver):CURVES(P-256 P-384 P-521)
    SHS: #1903
    DRBG: #258

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS: #1903
    DRBG: #258
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    @@ -3775,16 +3914,16 @@ Some of the previously validated components for this validation have been remove

    FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    +PKG: CURVES(P-256 P-384 P-521)
    SHS: Val#1773
    DRBG: Val# 193
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: Val#1773
    DRBG: Val# 193

    FIPS186-4:
    -PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    -SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    -SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +PKG: CURVES(P-256 P-384 P-521 ExtraRandomBits)
    +SigGen: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES(P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512))
    SHS: Val#1773
    DRBG: Val# 193
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    @@ -3792,10 +3931,10 @@ Some of the previously validated components for this validation have been remove FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    +PKG: CURVES(P-256 P-384 P-521)
    SHS: Val#1081
    DRBG: Val# 23
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: Val#1081
    DRBG: Val# 23
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141. @@ -3804,9 +3943,9 @@ Some of the previously validated components for this validation have been remove FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    +PKG: CURVES(P-256 P-384 P-521)
    SHS: Val#753
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: Val#753
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

    Windows Server 2008 CNG algorithms #83

    @@ -3814,10 +3953,10 @@ Some of the previously validated components for this validation have been remove FIPS186-2:
    -PKG: CURVES    ( P-256 P-384 P-521 )
    +PKG: CURVES(P-256 P-384 P-521)
    SHS: Val#618
    RNG: Val# 321
    -SIG(ver): CURVES( P-256 P-384 P-521 )
    +SIG(ver): CURVES(P-256 P-384 P-521)
    SHS: Val#618
    RNG: Val# 321
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60. @@ -3886,7 +4025,7 @@ Some of the previously validated components for this validation have been remove

    Prerequisite: SHS #4009

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    Version 10.0.16299

    @@ -3979,160 +4118,160 @@ Some of the previously validated components for this validation have been remove

    Prerequisite: SHS #4009

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    Version 10.0.16299

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    Version 10.0.15063

    -

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3790

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    Version 10.0.15063

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3652

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3652

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3652

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3651

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3651

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3651

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3649

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3649

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3649

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal# 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    Version 7.00.2872

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#3648

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#3648

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#3648

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    Version 8.00.6246

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    SHS Val# 3347

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    SHS Val# 3347

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    SHS Val# 3347

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val# 3347

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    Version 10.0.14393

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    SHS Val# 3047

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    SHS Val# 3047

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    SHS Val# 3047

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    SHS Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    Version 10.0.10586

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    SHSVal# 2886

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    SHSVal# 2886

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
     SHSVal# 2886

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    SHSVal# 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    Version 10.0.10240

    -

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS)
    SHS Val#2373

    -

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA256 (Key Size Ranges Tested:  KSBS)
    SHS Val#2373

    -

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA384 (Key Size Ranges Tested:  KSBS)
    SHS Val#2373

    -

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +

    HMAC-SHA512 (Key Size Ranges Tested:  KSBS)
    SHS Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    Version 6.3.9600

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS Val#2764

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS Val#2764

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS Val#2764

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS Val#2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    Version 5.2.29344

    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

    +

    HMAC-SHA256 (Key Size Ranges Tested: KS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHS#1902

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHS#1902

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)

    SHS#1903

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)

    SHS#1903

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS)

    SHS#1903

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)

    SHS#1903

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    -

    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1773

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1773

    +

    Tinker HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1773

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1773

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1774

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1774

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1774

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1774

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#1081

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#1081

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    Windows 7 and SP1 CNG algorithms #677

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    @@ -4140,108 +4279,108 @@ SHS

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#1081

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#816

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#816

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#816

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#816

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#753

    Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS)SHS Val#753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS)SHSVal#618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #297 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#783

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#783

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#783

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#783

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#613

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#613

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#613

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#613

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#610 Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287 -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#753

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#753

    Windows Server 2008 CNG algorithms #413

    Windows Vista Ultimate SP1 CNG algorithms #412

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#737

    Windows Vista Ultimate BitLocker Drive Encryption #386 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#618

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#618

    Windows Vista CNG algorithms #298 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#589

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS)SHSVal#589

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#589

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#589

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267 -

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#578

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#578

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#578

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#578

    Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSVal#495

    Windows Vista BitLocker Drive Encryption #199 -HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364 +HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    Windows XP, vendor-affirmed

    -

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    -

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS) SHSVal#305

    +

    HMAC-SHA256 (Key Size Ranges Tested: KSBS) SHSVal#305

    +

    HMAC-SHA384 (Key Size Ranges Tested: KSBS) SHSVal#305

    +

    HMAC-SHA512 (Key Size Ranges Tested: KSBS) SHSVal#305

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31 @@ -4325,7 +4464,7 @@ SHS #4009, ECDSA #1252, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

    Version 10.0.16299

    @@ -4778,11 +4917,11 @@ SHS #4009, DSA #1301, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    Version 10.0.16299

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration) SCHEMES [FullUnified (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC)]

    SHS Val#3790
    DSA Val#1135
    DRBG Val#1556

    @@ -4790,15 +4929,15 @@ DRBG -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
    SHS     Val#3790
    DSA Val#1223
    DRBG Val#1555

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    SHS Val#3790
    ECDSA Val#1133
    @@ -4807,29 +4946,29 @@ DRBG -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB: SHA256) (FC: SHA256)] [dhStatic (No_KC < KARole(s): Initiator / Responder>) (FB: SHA256 HMAC) (FC: SHA256   HMAC)]
    SHS     Val# 3649
    DSA Val#1188
    DRBG Val#1430

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

    Version 7.00.2872

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhHybridOneFlow ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    -[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhHybridOneFlow (No_KC < KARole(s): Initiator / Responder>) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
    +[dhStatic (No_KC < KARole(s): Initiator / Responder>) (FB:SHA256 HMAC) (FC: SHA256   HMAC)]
    SHS Val#3648
    DSA Val#1187
    DRBG Val#1429

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES [EphemeralUnified (No_KC) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256   SHA256   HMAC) (ED: P-384   SHA384   HMAC) (EE: P-521   HMAC (SHA512, HMAC_SHA512))]

    SHS Val#3648
    ECDSA Val#1072
    @@ -4838,70 +4977,70 @@ DRBG -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
    -SCHEMES  [ FullUnified  ( No_KC  < KARole(s): Initiator / Responder > < KDF: CONCAT > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration)
    +SCHEMES  [FullUnified  (No_KC  < KARole(s): Initiator / Responder > < KDF: CONCAT >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC)]

    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    Version 10.0.14393

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
    -SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation)
    +SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  < KARole(s): Initiator / Responder >) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

    Version 10.0.14393

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  < KARole(s): Initiator / Responder >) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    SHS Val# 3047 DSA Val#1024 DRBG Val#955

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

    Version 10.0.10586

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  < KARole(s): Initiator / Responder >) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    SHS Val# 2886 DSA Val#983 DRBG Val#868

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

    Version 10.0.10240

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    -( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  < KARole(s): Initiator / Responder > ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation) SCHEMES  [dhEphem  (KARole(s): Initiator / Responder)
    +(FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FB:  SHA256) (FC:  SHA256)] [dhStatic (No_KC  < KARole(s): Initiator / Responder >) (FB:  SHA256 HMAC) (FC:  SHA256   HMAC)]

    SHS Val#2373 DSA Val#855 DRBG Val#489

    -

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH  ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    -[ StaticUnified ( No_KC  < KARole(s): Initiator / Responder > ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration) SCHEMES  [EphemeralUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH  (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]
    +[StaticUnified (No_KC  < KARole(s): Initiator / Responder >) (EC:  P-256   SHA256   HMAC) (ED:  P-384   SHA384   HMAC) (EE:  P-521   HMAC (SHA512, HMAC_SHA512))]

    SHS Val#2373 ECDSA Val#505 DRBG Val#489

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    Version 6.3.9600

    -

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    -( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    -[ dhStatic ( No_KC < KARole(s): Initiator / Responder> ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
    +

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation) SCHEMES [dhEphem (KARole(s): Initiator / Responder)
    +(FA: SHA256) (FB: SHA256) (FC: SHA256)]
    +[dhOneFlow (KARole(s): Initiator / Responder) (FA: SHA256) (FB: SHA256) (FC: SHA256)]
    +[dhStatic (No_KC < KARole(s): Initiator / Responder>) (FA: SHA256 HMAC) (FB: SHA256 HMAC) (FC: SHA256 HMAC)]
    SHS #1903 DSA Val#687 DRBG #258

    -

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    -[ OnePassDH( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
    -[ StaticUnified ( No_KC < KARole(s): Initiator / Responder> ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration) SCHEMES [EphemeralUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512)))]
    +[OnePassDH(No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256) (ED: P-384 SHA384) (EE: P-521 (SHA512, HMAC_SHA512)))]
    +[StaticUnified (No_KC < KARole(s): Initiator / Responder>) (EC: P-256 SHA256 HMAC) (ED: P-384 SHA384 HMAC) (EE: P-521 HMAC (SHA512, HMAC_SHA512))]

    SHS #1903 ECDSA Val#341 DRBG #258

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36 @@ -4960,7 +5099,7 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

    K prerequisite: DRBG #1733, KAS #149

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    Version 10.0.16299

    @@ -5017,11 +5156,11 @@ SP 800-108 Key-Based Key Derivation Functions (KBKDF)

    K prerequisite: KAS #146

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    Version 10.0.16299

    -CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +CTR_Mode: (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

    KAS Val#128
    DRBG Val#1556
    @@ -5030,7 +5169,7 @@ MAC -CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +CTR_Mode: (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    KAS     Val#127
    AES Val#4624
    @@ -5040,37 +5179,37 @@ MAC -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA384]) LocationCounter([BeforeFixedData]) rlength([32]))

    KAS Val#93 DRBG Val#1222 MAC Val#2661

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    Version 10.0.14393

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

    Version 10.0.14393

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

    Version 10.0.10586

    -

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    CTR_Mode:  (Llength(Min20 Max64) MACSupported([CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

    Version 10.0.10240

    -

    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    CTR_Mode:  (Llength(Min0 Max0) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    DRBG Val#489 MAC Val#1773

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    Version 6.3.9600

    -

    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    CTR_Mode: (Llength(Min0 Max4) MACSupported([HMACSHA1] [HMACSHA256] [HMACSHA512]) LocationCounter([BeforeFixedData]) rlength([32]))

    DRBG #258 HMAC Val#1345

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3 @@ -5092,12 +5231,12 @@ Random Number Generator (RNG)

    FIPS 186-2 General Purpose

    -

    [ (x-Original); (SHA-1) ]

    +

    [(x-Original); (SHA-1)]

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110 FIPS 186-2
    -[ (x-Original); (SHA-1) ]     +[(x-Original); (SHA-1)]

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

    @@ -5105,16 +5244,16 @@ Random Number Generator (RNG)

    FIPS 186-2
    -[ (x-Change Notice); (SHA-1) ]

    +[(x-Change Notice); (SHA-1)]

    FIPS 186-2 General Purpose
    -[ (x-Change Notice); (SHA-1) ]

    +[(x-Change Notice); (SHA-1)]

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

    Windows Vista RNG implementation #321

    FIPS 186-2 General Purpose
    -[ (x-Change Notice); (SHA-1) ]     +[(x-Change Notice); (SHA-1)]

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

    @@ -5123,7 +5262,7 @@ Random Number Generator (RNG) FIPS 186-2
    -[ (x-Change Notice); (SHA-1) ]     +[(x-Change Notice); (SHA-1)]

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

    @@ -5228,7 +5367,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1733

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    Version 10.0.16299

    @@ -5263,7 +5402,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    Version 10.0.16299

    @@ -5637,7 +5776,7 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    Version 10.0.16299

    @@ -5707,34 +5846,34 @@ Random Number Generator (RNG)

    Prerequisite: SHS #4009, DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    Version 10.0.16299

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))
    SHA Val#3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

    Version 10.0.15063

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    SHA Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

    Version 10.0.15063

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    SHA Val#3790
    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

    @@ -5743,11 +5882,11 @@ DRBG: FIPS186-4:
    186-4KEY(gen):
    -PGM(ProbRandom:     ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    SHA     Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

    Version 10.0.15063

    @@ -5755,14 +5894,14 @@ SHA

    FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1    Val#3652
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3652
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

    FIPS186-4:
    -ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    -SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +ALG[ANSIX9.31] Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    SHA Val#3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

    Version 7.00.2872

    @@ -5770,27 +5909,27 @@ SHA

    FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1    Val#3651
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3651
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

    FIPS186-4:
    -ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    -SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +ALG[ANSIX9.31] Sig(Gen): (2048 SHA(1)) (3072 SHA(1))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA(1)) (2048 SHA(1)) (3072 SHA(1))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    SHA Val#3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

    Version 8.00.6246

    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val# 3649, SHA-384Val# 3649, SHA-512Val# 3649
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val# 3649, SHA-256Val# 3649, SHA-384Val# 3649, SHA-512Val# 3649

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    SHA Val# 3649
    DRBG: Val# 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

    @@ -5798,13 +5937,13 @@ DRBG:

    FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256    Val#3648, SHA-384Val#3648, SHA-512Val#3648
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096, SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    -PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    -ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbRandom: (2048, 3072) PPTT:(C.2)
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))
    SHA Val#3648
    DRBG: Val# 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

    @@ -5812,231 +5951,231 @@ DRBG:

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(1, 256, 384)) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SIG(Ver) (1024 SHA(1, 256, 384)) (2048 SHA(1, 256, 384))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48)))

    SHA Val# 3347

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    Version 10.0.14393

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

    Version 10.0.14393

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val#3346

    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

    Version 10.0.14393

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

    Version 10.0.14393

    FIPS186-4:
    -[RSASSA-PSS]: Sig(Gen):     (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    -

    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    +

    Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

    Version 10.0.14393

    FIPS186-4:
    -186-4KEY(gen)    :  FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +186-4KEY(gen):  FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    SHA Val# 3047 DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

    Version 10.0.10586

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val#3048

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

    Version 10.0.10586

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

    Version 10.0.10586

    FIPS186-4:
    -[RSASSA-PSS]: Sig(Gen)    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    SHA Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

    Version 10.0.10586

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +186-4KEY(gen): FIPS186-4_Fixed_e (10001);
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    SHA Val# 2886 DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

    Version 10.0.10240

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val#2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

    Version 10.0.10240

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val#2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

    Version 10.0.10240

    FIPS186-4:
    -[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    -Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    +Sig(Ver): (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    SHA Val# 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

    Version 10.0.10240

    FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e ;
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +186-4KEY(gen): FIPS186-4_Fixed_e;
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)

    SHA Val#2373 DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512))

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    Version 6.3.9600

    FIPS186-4:
    -[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    - Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))
    + Sig(Ver): (1024 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(62))) (2048 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64))) (3072 SHA(1 SaltLen(20), 256 SaltLen(32), 384 SaltLen(48), 512 SaltLen(64)))

    SHA Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    Version 6.3.9600

    FIPS186-4:
    -ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
    -SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
    -[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    -Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA(256, 384, 512-256)) (3072 SHA(256, 384, 512-256))
    +SIG(Ver) (1024 SHA(1, 256, 384, 512-256)) (2048 SHA(1, 256, 384, 512-256)) (3072 SHA(1, 256, 384, 512-256))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA(256, 384, 512)) (3072 SHA(256, 384, 512))
    +Sig(Ver): (1024 SHA(1, 256, 384, 512)) (2048 SHA(1, 256, 384, 512)) (3072 SHA(1, 256, 384, 512, 512))
    SHA #1903

    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134 FIPS186-4:
    -186-4KEY(gen):     FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
    -PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +186-4KEY(gen): FIPS186-4_Fixed_e, FIPS186-4_Fixed_e_Value
    +PGM(ProbPrimeCondition): 2048, 3072 PPTT:(C.3)
    SHA #1903 DRBG: #258 Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133 FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: #258
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132. Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1774
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052. Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052 FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: Val# 193
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051. Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568. Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

    Windows Server 2008 R2 and SP1 CNG algorithms #567

    Windows 7 and SP1 CNG algorithms #560

    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
    +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 DRBG: Val# 23
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559. Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557. Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557 FIPS186-2:
    ALG[ANSIX9.31]:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#783
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371. Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

    Windows Server 2008 CNG algorithms #358

    Windows Vista SP1 CNG algorithms #357

    @@ -6044,81 +6183,81 @@ Some of the previously validated components for this validation have been remove FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

    FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
    +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353. Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353 FIPS186-2:
    -ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
    +ALG[ANSIX9.31]: Key(gen)(MOD: 2048, 3072, 4096 PubKey Values: 65537 RNG: Val# 321
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258. Windows Vista RSA key generation implementation #258 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +ALG[RSASSA-PSS]: SIG(gen); 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257. Windows Vista CNG algorithms #257 FIPS186-2:
    -ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255. Windows Vista Enhanced Cryptographic Provider (RSAENH) #255 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#613
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245. Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#589
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230. Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#578
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222. Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222 FIPS186-2:
    ALG[RSASSA-PKCS1_V1_5]:
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#364
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81. Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81 FIPS186-2:
    ALG[ANSIX9.31]:
    -SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
    -ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    -SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    +SIG(ver); 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#305
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048, 3072, 4096, SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    +SIG(ver): 1024, 1536, 2048, 3072, 4096, SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52. Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52 @@ -6209,7 +6348,7 @@ Some of the previously validated components for this validation have been remove
  • Supports Empty Message
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    Version 10.0.16299

    @@ -6495,106 +6634,106 @@ Version 6.3.9600
  • Keying Option: 1
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    Version 10.0.16299

    -TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, ) +TECB(KO 1 e/d,); TCBC(KO 1 e/d,); TCFB8(KO 1 e/d,); TCFB64(KO 1 e/d,)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

    Version 10.0.15063

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

    Version 8.00.6246

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

    Version 8.00.6246

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    CTR ( int only )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,);

    +

    CTR (int only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

    Version 7.00.2872

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

    Version 8.00.6246

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,);

    +

    TCFB8(KO 1 e/d,);

    +

    TCFB64(KO 1 e/d,)

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227

    Version 10.0.14393

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,);

    +

    TCFB8(KO 1 e/d,);

    +

    TCFB64(KO 1 e/d,)

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024

    Version 10.0.10586

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,);

    +

    TCFB8(KO 1 e/d,);

    +

    TCFB64(KO 1 e/d,)

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969

    Version 10.0.10240

    -

    TECB( KO 1 e/d, ) ;

    -

    TCBC( KO 1 e/d, ) ;

    -

    TCFB8( KO 1 e/d, ) ;

    -

    TCFB64( KO 1 e/d, )

    +

    TECB(KO 1 e/d,);

    +

    TCBC(KO 1 e/d,);

    +

    TCFB8(KO 1 e/d,);

    +

    TCFB64(KO 1 e/d,)

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    Version 6.3.9600

    -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 ) ;

    -

    TCFB64( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2);

    +

    TCFB64(e/d; KO 1, 2)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656 -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 ) ;

    -

    TCFB8( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2);

    +

    TCFB8(e/d; KO 1, 2)

    Windows Vista Symmetric Algorithm Implementation #549 @@ -6603,8 +6742,8 @@ Version 6.3.9600

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

    -

    TECB( e/d; KO 1,2 ) ;

    -

    TCBC( e/d; KO 1,2 )

    +

    TECB(e/d; KO 1, 2);

    +

    TCBC(e/d; KO 1, 2)

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

    @@ -6707,7 +6846,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    Version 10.0.16299

    @@ -6988,7 +7127,7 @@ Version 6.3.9600

    Prerequisite: DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    Version 10.0.16299

    @@ -6998,7 +7137,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    Version 10.0.16299

    @@ -7009,7 +7148,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    Version 10.0.16299

    @@ -7022,7 +7161,7 @@ Version 6.3.9600

    Prerequisite: DRBG #1730

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    Version 10.0.16299

    @@ -7032,7 +7171,7 @@ Version 6.3.9600
  • Modulus Size: 2048 (bits)
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    Version 10.0.16299

     

    @@ -7044,7 +7183,7 @@ Version 6.3.9600
  • Padding Algorithms: PKCS 1.5
    • -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    Version 10.0.16299

    @@ -7110,20 +7249,20 @@ Version 6.3.9600

    Prerequisite: SHS #4009, HMAC #3267

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    Version 10.0.16299

    FIPS186-4 ECDSA

    Signature Generation of hash sized messages

    -

    ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

    +

    ECDSA SigGen Component: CURVES(P-256 P-384 P-521)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
    Version 10.0. 15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
    Version 10.0. 15063

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
    Version 10.0.14393

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
    Version 10.0.10586

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    @@ -7139,7 +7278,7 @@ Version 10.0.15063

    Version 10.0.15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
    Version 10.0.15063

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    Version 10.0.14393

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
    Version 10.0.14393

    @@ -7158,7 +7297,7 @@ Version 6.3.9600

    Version 10.0.15063

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
    Version 10.0.15063

    -

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    Version 10.0.14393

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
    Version 10.0.14393

    @@ -7170,7 +7309,7 @@ Version  10.0.10240

    SP800-135

    Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

    -

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update; Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    Version 10.0.16299

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
    Version 10.0.15063

    @@ -7184,7 +7323,7 @@ Version 10.0.14393

    Version 10.0.10586

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
    Version  10.0.10240

    -

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry, and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    Version 6.3.9600

    diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index b4f683756c..4ddfd7b193 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -17,20 +17,20 @@ ms.topic: conceptual --- # Threat Protection -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. ->[!TIP] +> [!TIP] > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/).

    Microsoft Defender ATP

    - - - - - - + + + + + + - @@ -178,7 +177,7 @@ The following steps assume that you have completed all the required steps in [Be You can now run queries in the Micro Focus ArcSight console. -Microsoft Defender ATP detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. +Defender for Endpoint detections will appear as discrete events, with "Microsoft” as the vendor and “Windows Defender ATP” as the device name. ## Troubleshooting Micro Focus ArcSight connection @@ -204,7 +203,7 @@ Microsoft Defender ATP detections will appear as discrete events, with "Microsof > Verify that the connector is running by stopping the process again. Then start the connector again, and no browser window should appear. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure Splunk to pull Microsoft Defender ATP detections](configure-splunk.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) +- [Configure Splunk to pull Defender for Endpoint detections](configure-splunk.md) +- [Pull Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index 6a3872d1b2..f8d91cd3e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -27,11 +27,11 @@ ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs **Applies to** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). +If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint), [automated investigation and remediation capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) can save your security operations team time and effort. As outlined in [this blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/enhance-your-soc-with-microsoft-defender-atp-automatic/ba-p/848946), these capabilities mimic the ideal steps that a security analyst takes to investigate and remediate threats. [Learn more about automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). -To configure automated investigation and remediation, you [turn on the features](#turn-on-automated-investigation-and-remediation), and then you [set up device groups](#set-up-device-groups). +To configure automated investigation and remediation, [turn on the features](#turn-on-automated-investigation-and-remediation), and then [set up device groups](#set-up-device-groups). ## Turn on automated investigation and remediation diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 8946b66493..206e5721b3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -17,12 +17,12 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Conditional Access in Microsoft Defender ATP +# Configure Conditional Access in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This section guides you through all the steps you need to take to properly implement Conditional Access. @@ -54,7 +54,7 @@ It's important to note the required roles to access these portals and implement Take the following steps to enable Conditional Access: - Step 1: Turn on the Microsoft Intune connection from Microsoft Defender Security Center -- Step 2: Turn on the Microsoft Defender ATP integration in Intune +- Step 2: Turn on the Defender for Endpoint integration in Intune - Step 3: Create the compliance policy in Intune - Step 4: Assign the policy - Step 5: Create an Azure AD Conditional Access policy @@ -66,7 +66,7 @@ Take the following steps to enable Conditional Access: 3. Click **Save preferences**. -### Step 2: Turn on the Microsoft Defender ATP integration in Intune +### Step 2: Turn on the Defender for Endpoint integration in Intune 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **Device compliance** > **Microsoft Defender ATP**. 3. Set **Connect Windows 10.0.15063+ devices to Microsoft Defender Advanced Threat Protection** to **On**. @@ -107,4 +107,4 @@ Take the following steps to enable Conditional Access: For more information, see [Enable Microsoft Defender ATP with Conditional Access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index 18ba591b16..f7ccfe871b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -23,12 +23,12 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) -You can configure Microsoft Defender ATP to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. +You can configure Defender for Endpoint to send email notifications to specified recipients for new alerts. This feature enables you to identify a group of individuals who will immediately be informed and can act on alerts based on their severity. > [!NOTE] > Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. @@ -57,7 +57,7 @@ You can create rules that determine the devices and alert severities to send ema - **Include device information** - Includes the device name in the email alert body. >[!NOTE] - > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Microsoft Defender ATP data. + > This information might be processed by recipient mail servers that ar not in the geographic location you have selected for your Defender for Endpoint data. - **Devices** - Choose whether to notify recipients for alerts on all devices (Global administrator role only) or on selected device groups. For more information, see [Create and manage device groups](machine-groups.md). - **Alert severity** - Choose the alert severity level. @@ -92,9 +92,9 @@ This section lists various issues that you may encounter when using email notifi **Solution:** Make sure that the notifications are not blocked by email filters: -1. Check that the Microsoft Defender ATP email notifications are not sent to the Junk Email folder. Mark them as Not junk. -2. Check that your email security product is not blocking the email notifications from Microsoft Defender ATP. -3. Check your email application rules that might be catching and moving your Microsoft Defender ATP email notifications. +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. ## Related topics - [Update data retention settings](data-retention-settings.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 36703ec3a4..5360517315 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -27,12 +27,12 @@ ms.date: 04/24/2018 - Group Policy -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsgp-abovefoldlink) > [!NOTE] @@ -41,6 +41,14 @@ ms.date: 04/24/2018 > For Windows Server 2019, you may need to replace NT AUTHORITY\Well-Known-System-Account with NT AUTHORITY\SYSTEM of the XML file that the Group Policy preference creates. ## Onboard devices using Group Policy + +[![Image of the PDF showing the various deployment paths](images/onboard-gp.png)](images/onboard-gp.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + + + 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -68,9 +76,9 @@ ms.date: 04/24/2018 9. Click **OK** and close any open GPMC windows. >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). -## Additional Microsoft Defender ATP configuration settings +## Additional Defender for Endpoint configuration settings For each device, you can state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature. @@ -226,5 +234,5 @@ With Group Policy there isn’t an option to monitor deployment of policies on t - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP devices](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint devices](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 439c8e61f3..0a97fbf1e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -25,13 +25,13 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) -You can use mobile device management (MDM) solutions to configure devices. Microsoft Defender ATP supports MDMs by providing OMA-URIs to create policies to manage devices. +You can use mobile device management (MDM) solutions to configure devices. Defender for Endpoint supports MDMs by providing OMA-URIs to create policies to manage devices. -For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). ## Before you begin If you're using Microsoft Intune, you must have the device MDM Enrolled. Otherwise, settings will not be applied successfully. @@ -40,9 +40,13 @@ For more information on enabling MDM with Microsoft Intune, see [Device enrollme ## Onboard devices using Microsoft Intune +[![Image of the PDF showing onboarding devices to Defender for Endpoint using Microsoft Intune](images/onboard-intune.png) ](images/onboard-intune-big.png#lightbox) + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). -For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). +For more information on using Defender for Endpoint CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). > [!NOTE] @@ -51,9 +55,10 @@ For more information on using Microsoft Defender ATP CSP see, [WindowsAdvancedTh >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that a device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md). +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender ATP. ## Offboard and monitor devices using Mobile Device Management tools For security reasons, the package used to Offboard devices will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a device will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -93,5 +98,5 @@ For more information on Microsoft Intune policy settings see, [Windows 10 policy - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index 2f52d63533..ba65815551 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -26,21 +26,21 @@ ms.topic: article - macOS - Linux -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) -Microsoft Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. +Defender for Endpoint provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Microsoft Defender Security Center and better protect your organization's network. -You'll need to know the exact Linux distros and macOS versions that are compatible with Microsoft Defender ATP for the integration to work. For more information, see: -- [Microsoft Defender ATP for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) -- [Microsoft Defender ATP for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). +You'll need to know the exact Linux distros and macOS versions that are compatible with Defender for Endpoint for the integration to work. For more information, see: +- [Microsoft Defender for Endpoint for Linux system requirements](microsoft-defender-atp-linux.md#system-requirements) +- [Microsoft Defender for Endpoint for Mac system requirements](microsoft-defender-atp-mac.md#system-requirements). ## Onboarding non-Windows devices You'll need to take the following steps to onboard non-Windows devices: 1. Select your preferred method of onboarding: - - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). + - For macOS devices, you can choose to onboard through Microsoft Defender ATP or through a third-party solution. For more information, see [Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). - For other non-Windows devices choose **Onboard non-Windows devices through third-party integration**. 1. In the navigation pane, select **Interoperability** > **Partners**. Make sure the third-party solution is listed. @@ -56,7 +56,7 @@ You'll need to take the following steps to onboard non-Windows devices: ## Offboard non-Windows devices -1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender ATP. +1. Follow the third-party's documentation to disconnect the third-party solution from Microsoft Defender for Endpoint. 2. Remove permissions for the third-party solution in your Azure AD tenant. 1. Sign in to the [Azure portal](https://portal.azure.com). @@ -69,4 +69,4 @@ You'll need to take the following steps to onboard non-Windows devices: - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard servers](configure-server-endpoints.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index 2372dd38c5..38ec7959c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -25,11 +25,11 @@ ms.date: 02/07/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Microsoft Endpoint Configuration Manager current branch - System Center 2012 R2 Configuration Manager ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) ## Supported client operating systems @@ -52,6 +52,14 @@ Starting in Configuration Manager version 2002, you can onboard the following op ### Onboard devices using System Center Configuration Manager + +[![Image of the PDF showing the various deployment paths](images/onboard-config-mgr.png)](images/onboard-config-mgr.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Microsoft Defender for Endpoint. + + + 1. Open the Configuration Manager configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): a. In the navigation pane, select **Settings** > **Onboarding**. @@ -69,10 +77,10 @@ Starting in Configuration Manager version 2002, you can onboard the following op a. Choose a predefined device collection to deploy the package to. > [!NOTE] -> Microsoft Defender ATP doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. +> Defender for Endpoint doesn't support onboarding during the [Out-Of-Box Experience (OOBE)](https://answers.microsoft.com/en-us/windows/wiki/windows_10/how-to-complete-the-windows-10-out-of-box/47e3f943-f000-45e3-8c5c-9d85a1a0cf87) phase. Make sure users complete OOBE after running Windows installation or upgrading. >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md). > > Note that it is possible to create a detection rule on a Configuration Manager application to continuously check if a device has been onboarded. An application is a different type of object than a package and program. > If a device is not yet onboarded (due to pending OOBE completion or any other reason), Configuration Manager will retry to onboard the device until the rule detects the status change. @@ -182,13 +190,13 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create ## Monitor device configuration -If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Microsoft Defender ATP dashboard in the Configuration Manager console. For more information, see [Microsoft Defender Advanced Threat Protection - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). +If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: 1. Confirming the configuration package has been correctly deployed and is running (or has successfully run) on the devices in your network. -2. Checking that the devices are compliant with the Microsoft Defender ATP service (this ensures the device can complete the onboarding process and can continue to report data to the service). +2. Checking that the devices are compliant with the Defender for Endpoint service (this ensures the device can complete the onboarding process and can continue to report data to the service). ### Confirm the configuration package has been correctly deployed @@ -200,7 +208,7 @@ If you're using System Center 2012 R2 Configuration Manager, monitoring consists 4. Review the status indicators under **Completion Statistics** and **Content Status**. - If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). + If there are failed deployments (devices with **Error**, **Requirements Not Met**, or **Failed statuses**), you may need to troubleshoot the devices. For more information, see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). ![Configuration Manager showing successful deployment with no errors](images/sccm-deployment.png) @@ -224,4 +232,4 @@ For more information, see [Introduction to compliance settings in System Center - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) - [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index 70821568d1..acfdb668c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -25,14 +25,14 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -You can also manually onboard individual devices to Microsoft Defender ATP. You might want to do this first when testing the service before you commit to onboarding all devices in your network. +You can also manually onboard individual devices to Defender for Endpoint. You might want to do this first when testing the service before you commit to onboarding all devices in your network. > [!IMPORTANT] > This script has been optimized for use on up to 10 devices. @@ -40,6 +40,13 @@ You can also manually onboard individual devices to Microsoft Defender ATP. You > To deploy at scale, use [other deployment options](configure-endpoints.md). For example, you can deploy an onboarding script to more than 10 devices in production with the script available in [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md). ## Onboard devices + +[![Image of the PDF showing the various deployment paths](images/onboard-script.png)](images/onboard-script.png#lightbox) + + +Check out the [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) to see the various paths in deploying Defender for Endpoint. + + 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): 1. In the navigation pane, select **Settings** > **Onboarding**. @@ -65,11 +72,11 @@ You can also manually onboard individual devices to Microsoft Defender ATP. You 5. Press the **Enter** key or click **OK**. -For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md). +For information on how you can manually validate that the device is compliant and correctly reports sensor data see, [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md). >[!TIP] -> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). +> After onboarding the device, you can choose to run a detection test to verify that an device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint endpoint](run-detection-test.md). ## Configure sample collection settings For each device, you can set a configuration value to state whether samples can be collected from the device when a request is made through Microsoft Defender Security Center to submit a file for deep analysis. @@ -144,5 +151,5 @@ Monitoring can also be done directly on the portal, or by using the different de - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](run-detection-test.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index 03c9870858..fc7c7e1d3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -27,28 +27,28 @@ ms.date: 04/16/2020 - Virtual desktop infrastructure (VDI) devices >[!WARNING] -> Microsoft Defender ATP support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. +> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-user scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However single session scenarios on Windows Virtual Desktop are fully supported. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configvdi-abovefoldlink) ## Onboard non-persistent virtual desktop infrastructure (VDI) devices [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -Microsoft Defender ATP supports non-persistent VDI session onboarding. +Defender for Endpoint supports non-persistent VDI session onboarding. >[!Note] ->To onboard non-persistent VDI sessions, VDI devices must be on Windows 10. +>To onboard non-persistent VDI sessions, VDI devices must be Windows 10 or Windows Server 2019. > ->While other Windows versions might work, only Windows 10 is supported. +>While other Windows versions might work, only Windows 10 and Windows Server 2019 are supported. There might be associated challenges when onboarding VDIs. The following are typical challenges for this scenario: -- Instant early onboarding of a short-lived sessions, which must be onboarded to Microsoft Defender ATP prior to the actual provisioning. +- Instant early onboarding of a short-lived sessions, which must be onboarded to Defender for Endpoint prior to the actual provisioning. - The device name is typically reused for new sessions. -VDI devices can appear in Microsoft Defender ATP portal as either: +VDI devices can appear in Defender for Endpoint portal as either: - Single entry for each device. Note that in this case, the *same* device name must be configured when the session is created, for example using an unattended answer file. @@ -57,7 +57,7 @@ Note that in this case, the *same* device name must be configured when the sessi The following steps will guide you through onboarding VDI devices and will highlight steps for single and multiple entries. >[!WARNING] -> For environments where there are low resource configurations, the VDI boot procedure might slow the Microsoft Defender ATP sensor onboarding. +> For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding. 1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Microsoft Defender Security Center](https://securitycenter.windows.com/): @@ -126,7 +126,7 @@ For more information on DISM commands and offline servicing, please refer to the If offline servicing is not a viable option for your non-persistent VDI environment, the following steps should be taken to ensure consistency and sensor health: -1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Microsoft Defender ATP sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). +1. After booting the master image for online servicing or patching, run an offboarding script to turn off the Defender for Endpoint sensor. For more information, see [Offboard devices using a local script](configure-endpoints-script.md#offboard-devices-using-a-local-script). 2. Ensure the sensor is stopped by running the command below in a CMD window: @@ -153,4 +153,4 @@ If offline servicing is not a viable option for your non-persistent VDI environm - [Onboard Windows 10 devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) - [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) - [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index b77d79c856..00ee7a17a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -25,10 +25,10 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft 365 Endpoint data loss prevention (DLP)](/microsoft-365/compliance/endpoint-dlp-learn-about) -Devices in your organization must be configured so that the Microsoft Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. +Devices in your organization must be configured so that the Defender for Endpoint service can get sensor data from them. There are various methods and deployment tools that you can use to configure the devices in your organization. The following deployment tools and methods are supported: @@ -47,4 +47,4 @@ Topic | Description [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpoints-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index db418af7ff..17e8cb3039 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). +> Want to experience Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink). [Attack surface reduction (ASR) rules](./attack-surface-reduction.md) identify and prevent typical malware exploits. They control when and how potentially malicious code can run. For example, they can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, and block processes that run from USB drives. @@ -52,5 +52,5 @@ For more information about ASR rule deployment in Microsoft 365 security center, **Related topics** * [Ensure your devices are configured properly](configure-machines.md) -* [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) -* [Monitor compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +* [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) +* [Monitor compliance to the Microsoft Defender for Endpoint security baseline](configure-machines-security-baseline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index eb72937f89..b207e1fb84 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -17,15 +17,15 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get devices onboarded to Microsoft Defender ATP +# Get devices onboarded to Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) Each onboarded device adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a device can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks. @@ -35,17 +35,17 @@ Before you can track and manage onboarding of devices: ## Discover and track unprotected devices -The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 devices. +The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 devices that have actually onboarded to Defender for Endpoint against the total number of Intune-managed Windows 10 devices. ![Device configuration management Onboarding card](images/secconmgmt_onboarding_card.png)
    *Card showing onboarded devices compared to the total number of Intune-managed Windows 10 device* >[!NOTE] ->If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your devices. +>If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Defender for Endpoint onboarding and assign that profile to your devices. ## Onboard more devices with Intune profiles -Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select devices, effectively onboarding these devices to the service. +Defender for Endpoint provides several convenient options for [onboarding Windows 10 devices](onboard-configure.md). For Intune-managed devices, however, you can leverage Intune profiles to conveniently deploy the Defender for Endpoint sensor to select devices, effectively onboarding these devices to the service. From the **Onboarding** card, select **Onboard more devices** to create and assign a profile on Intune. The link takes you to the device compliance page on Intune, which provides a similar overview of your onboarding state. @@ -53,21 +53,21 @@ From the **Onboarding** card, select **Onboard more devices** to create and assi *Microsoft Defender ATP device compliance page on Intune device management* >[!TIP] ->Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. +>Alternatively, you can navigate to the Defender for Endpoint onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. >[!NOTE] > If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. -From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the devices you want to onboard. To do this, you can either: +From the device compliance page, create a configuration profile specifically for the deployment of the Defender for Endpoint sensor and assign that profile to the devices you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. - Create the device configuration profile from scratch. -For more information, [read about using Intune device configuration profiles to onboard devices to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). +For more information, [read about using Intune device configuration profiles to onboard devices to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#onboard-devices-by-using-a-configuration-profile). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics - [Ensure your devices are configured properly](configure-machines.md) -- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) +- [Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index d8200f1502..e110a3d518 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -17,17 +17,17 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Increase compliance to the Microsoft Defender ATP security baseline +# Increase compliance to the Microsoft Defender for Endpoint security baseline [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) -Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection. +Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Defender for Endpoint security baseline sets Defender for Endpoint security controls to provide optimal protection. To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a). @@ -36,22 +36,22 @@ Before you can deploy and track compliance to security baselines: - [Ensure you have the necessary permissions](configure-machines.md#obtain-required-permissions) ## Compare the Microsoft Defender ATP and the Windows Intune security baselines -The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: +The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure devices running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Microsoft Defender Antivirus. In contrast, the Defender for Endpoint baseline provides settings that optimize all the security controls in the Defender for Endpoint stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see: - [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) - [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp) -Ideally, devices onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. +Ideally, devices onboarded to Defender for Endpoint are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Defender for Endpoint security baseline layered on top to optimally configure the Defender for Endpoint security controls. To benefit from the latest data on risks and threats and to minimize conflicts as baselines evolve, always apply the latest versions of the baselines across all products as soon as they are released. >[!NOTE] ->The Microsoft Defender ATP security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. +>The Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machine (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments. -## Monitor compliance to the Microsoft Defender ATP security baseline +## Monitor compliance to the Defender for Endpoint security baseline -The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Microsoft Defender ATP security baseline. +The **Security baseline** card on [device configuration management](configure-machines.md) provides an overview of compliance across Windows 10 devices that have been assigned the Defender for Endpoint security baseline. ![Security baseline card](images/secconmgmt_baseline_card.png)
    -*Card showing compliance to the Microsoft Defender ATP security baseline* +*Card showing compliance to the Defender for Endpoint security baseline* Each device is given one of the following status types: @@ -65,20 +65,20 @@ To review specific devices, select **Configure security baseline** on the card. >[!NOTE] >You might experience discrepancies in aggregated data displayed on the device configuration management page and those displayed on overview screens in Intune. -## Review and assign the Microsoft Defender ATP security baseline +## Review and assign the Microsoft Defender for Endpoint security baseline -Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. +Device configuration management monitors baseline compliance only of Windows 10 devices that have been specifically assigned the Microsoft Defender for Endpoint security baseline. You can conveniently review the baseline and assign it to devices on Intune device management. 1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed. >[!TIP] - > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. + > Alternatively, you can navigate to the Defender for Endpoint security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines > Microsoft Defender ATP baseline**. 2. Create a new profile. - ![Microsoft Defender ATP security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)
    - *Microsoft Defender ATP security baseline overview on Intune* + ![Microsoft Defender for Endpoint security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)
    + *Microsoft Defender for Endpoint security baseline overview on Intune* 3. During profile creation, you can review and adjust specific settings on the baseline. @@ -98,9 +98,9 @@ Device configuration management monitors baseline compliance only of Windows 10 >[!TIP] >Security baselines on Intune provide a convenient way to comprehensively secure and protect your devices. [Learn more about security baselines on Intune](https://docs.microsoft.com/intune/security-baselines). ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) ## Related topics - [Ensure your devices are configured properly](configure-machines.md) -- [Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md) +- [Get devices onboarded to Microsoft Defender for Endpoint](configure-machines-onboarding.md) - [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 1b1b0495eb..9b830a3988 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -23,14 +23,14 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink) With properly configured devices, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your devices: -- Onboard to Microsoft Defender ATP -- Meet or exceed the Microsoft Defender ATP security baseline configuration +- Onboard to Microsoft Defender for Endpoint +- Meet or exceed the Defender for Endpoint security baseline configuration - Have strategic attack surface mitigations in place Click **Configuration management** from the navigation menu to open the Device configuration management page. @@ -56,7 +56,7 @@ Before you can ensure your devices are configured properly, enroll them to Intun >To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign). >[!TIP] ->To optimize device management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). +>To optimize device management through Intune, [connect Intune to Defender for Endpoint](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ## Obtain required permissions By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage and assign the device configuration profiles needed for onboarding devices and deploying the security baseline. @@ -77,8 +77,8 @@ If you have been assigned other roles, ensure you have the necessary permissions ## In this section Topic | Description :---|:--- -[Get devices onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. -[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. +[Get devices onboarded to Defender for Endpoint](configure-machines-onboarding.md)| Track onboarding status of Intune-managed devices and onboard more devices through Intune. +[Increase compliance to the Defender for Endpoint security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed devices. [Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 23f1b28355..3ce240d781 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -26,20 +26,20 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Before you begin > [!NOTE] > Discuss the eligibility requirements with your Microsoft Technical Service provider and account team before you apply to the managed threat hunting service. -Ensure that you have Microsoft Defender ATP deployed in your environment with devices enrolled, and not just on a laboratory set-up. +Ensure that you have Defender for Endpoint deployed in your environment with devices enrolled, and not just on a laboratory set-up. -Microsoft Defender ATP customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. +Defender for Endpoint customers need to apply for the Microsoft Threat Experts managed threat hunting service to get proactive Targeted Attack Notifications and to collaborate with experts on demand. Experts on Demand is an add-on service. Targeted Attack Notifications are always included after you have been accepted into Microsoft Threat Experts managed threat hunting service. If you are not enrolled yet and would like to experience its benefits, go to **Settings** > **General** > **Advanced features** > **Microsoft Threat Experts** to apply. Once accepted, you will get the benefits of Targeted Attack Notifications, and start a 90-day trial of Experts on Demand. Contact your Microsoft representative to get a full Experts on-Demand subscription. ## Register to Microsoft Threat Experts managed threat hunting service -If you're already a Microsoft Defender ATP customer, you can apply through the Microsoft Defender ATP portal. +If you're already a Defender for Endpoint customer, you can apply through the Microsoft Defender for Endpoint portal. 1. From the navigation pane, go to **Settings > General > Advanced features > Microsoft Threat Experts**. @@ -59,7 +59,7 @@ If you're already a Microsoft Defender ATP customer, you can apply through the M ## Receive targeted attack notification from Microsoft Threat Experts You can receive targeted attack notification from Microsoft Threat Experts through the following medium: -- The Microsoft Defender ATP portal's **Alerts** dashboard +- The Defender for Endpoint portal's **Alerts** dashboard - Your email, if you choose to configure it To receive targeted attack notifications through email, create an email notification rule. @@ -116,7 +116,7 @@ Watch this video for a quick overview of the Microsoft Services Hub. **Alert information** - We see a new type of alert for a living-off-the-land binary: [AlertID]. Can you tell us something more about this alert and how we can investigate further? - We’ve observed two similar attacks, which try to execute malicious PowerShell scripts but generate different alerts. One is "Suspicious PowerShell command line" and the other is "A malicious file was detected based on indication provided by O365". What is the difference? -- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Microsoft Defender ATP see these attempts? What type of sign-ins are being monitored? +- I receive an odd alert today for abnormal number of failed logins from a high profile user’s device. I cannot find any further evidence around these sign-in attempts. How can Defender for Endpoint see these attempts? What type of sign-ins are being monitored? - Can you give more context or insights about this alert: “Suspicious behavior by a system utility was observed”. **Possible machine compromise** @@ -125,7 +125,7 @@ Watch this video for a quick overview of the Microsoft Services Hub. **Threat intelligence details** - We detected a phishing email that delivered a malicious Word document to a user. The malicious Word document caused a series of suspicious events, which triggered multiple Microsoft Defender alerts for [malware name] malware. Do you have any information on this malware? If yes, can you send me a link? -- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Microsoft Defender ATP provides against this threat actor? +- I recently saw a [social media reference, for example, Twitter or blog] post about a threat that is targeting my industry. Can you help me understand what protection Defender for Endpoint provides against this threat actor? **Microsoft Threat Experts’ alert communications** - Can your incident response team help us address the targeted attack notification that we got? diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md index 4455735f4f..e75588efda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >[!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index fa877ecd83..dde5d47ec5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -44,7 +44,7 @@ The integration will allow MSSPs to take the following actions: - Get email notifications, and - Fetch alerts through security information and event management (SIEM) tools -Before MSSPs can take these actions, the MSSP customer will need to grant access to their Microsoft Defender ATP tenant so that the MSSP can access the portal. +Before MSSPs can take these actions, the MSSP customer will need to grant access to their Defender for Endpoint tenant so that the MSSP can access the portal. Typically, MSSP customers take the initial configuration steps to grant MSSPs access to their Windows Defender Security Central tenant. After access is granted, other configuration steps can be done by either the MSSP customer or the MSSP. @@ -54,7 +54,7 @@ In general, the following configuration steps need to be taken: - **Grant the MSSP access to Microsoft Defender Security Center**
    -This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Microsoft Defender ATP tenant. +This action needs to be done by the MSSP customer. It grants the MSSP access to the MSSP customer's Defender for Endpoint tenant. - **Configure alert notifications sent to MSSPs**
    diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 12c3637695..6abe8ff951 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -26,13 +26,13 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsscript-abovefoldlink) -The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. +The Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Defender for Endpoint service. -The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service. +The embedded Defender for Endpoint sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Defender for Endpoint cloud service. >[!TIP] >For organizations that use forward proxies as a gateway to the Internet, you can use network protection to investigate behind a proxy. For more information, see [Investigate connection events that occur behind forward proxies](investigate-behind-proxy.md). @@ -44,7 +44,7 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] - > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Defender for Endpoint URL exclusions in the proxy, see [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). - Manual static proxy configuration: - Registry based configuration @@ -52,16 +52,16 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe ## Configure the proxy server manually using a registry-based static proxy -Configure a registry-based static proxy to allow only Microsoft Defender ATP sensor to report diagnostic data and communicate with Microsoft Defender ATP services if a computer is not be permitted to connect to the Internet. +Configure a registry-based static proxy to allow only Defender for Endpoint sensor to report diagnostic data and communicate with Defender for Endpoint services if a computer is not be permitted to connect to the Internet. The static proxy is configurable through Group Policy (GP). The group policy can be found under: - Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + ![Image of Group Policy setting1](images/atp-gpo-proxy1.png) - **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: - Configure the proxy:
    - ![Image of Group Policy setting](images/atp-gpo-proxy2.png) + ![Image of Group Policy setting2](images/atp-gpo-proxy2.png) The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. @@ -105,15 +105,16 @@ netsh winhttp reset proxy See [Netsh Command Syntax, Contexts, and Formatting](https://docs.microsoft.com/windows-server/networking/technologies/netsh/netsh-contexts) to learn more. -## Enable access to Microsoft Defender ATP service URLs in the proxy server +## Enable access to Microsoft Defender for Endpoint service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, add the domains listed in the downloadable sheet to the allowed domains list. +The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. -|**Item**|**Description**| +|**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. +|![Thumb image for Microsoft Defender for Endpoint URLs spreadsheet](images/mdatp-urls.png)
    | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

    [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the domains listed in the above table from HTTPS scanning. @@ -127,11 +128,11 @@ If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the > [!NOTE] -> If you are using Microsoft Defender Antivirus in your environment, please refer to the following article for details on allowing connections to the Microsoft Defender Antivirus cloud service: https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus +> If you are using Microsoft Defender Antivirus in your environment, see [Configure network connections to the Microsoft Defender Antivirus cloud service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus). -If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. +If a proxy or firewall is blocking anonymous traffic, as Defender for Endpoint sensor is connecting from system context, make sure anonymous traffic is permitted in the previously listed URLs. -### Log analytics agent requirements +### Microsoft Monitoring Agent (MMA) - proxy and firewall requirements for older versions of Windows client or Windows Server The information below list the proxy and firewall configuration information required to communicate with Log Analytics agent (often referred to as Microsoft Monitoring Agent) for the previous versions of Windows such as Windows 7 SP1, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2, and Windows Server 2016. @@ -141,30 +142,36 @@ The information below list the proxy and firewall configuration information requ |*.oms.opinsights.azure.com |Port 443 |Outbound|Yes | |*.blob.core.windows.net |Port 443 |Outbound|Yes | -## Microsoft Defender ATP service backend IP range - -If your network devices don't support the URLs added to an "allow" list in the prior section, you can use the following information. - -Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: - -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ -- \+\ - -You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=56519). > [!NOTE] > As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. +## Confirm Microsoft Monitoring Agent (MMA) Service URL Requirements + +Please see the following guidance to eliminate the wildcard (*) requirement for your specific environment when using the Microsoft Monitoring Agent (MMA) for previous versions of Windows. + +1. Onboard a previous operating system with the Microsoft Monitoring Agent (MMA) into Defender for Endpoint (for more information, see [Onboard previous versions of Windows on Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2010326) and [Onboard Windows servers](configure-server-endpoints.md#windows-server-2008-r2-sp1-windows-server-2012-r2-and-windows-server-2016). + +2. Ensure the machine is successfully reporting into the Microsoft Defender Security Center portal. + +3. Run the TestCloudConnection.exe tool from “C:\Program Files\Microsoft Monitoring Agent\Agent” to validate the connectivity and to see the required URLs for your specific workspace. + +4. Check the Microsoft Defender for Endpoint URLs list for the complete list of requirements for your region (please refer to the Service URLs [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)). + +![Image of administrator in Windows PowerShell](images/admin-powershell.png) + +The wildcards (*) used in *.ods.opinsights.azure.com, *.oms.opinsights.azure.com, and *.agentsvc.azure-automation.net URL endpoints can be replaced with your specific Workspace ID. The Workspace ID is specific to your environment and workspace and can be found in the Onboarding section of your tenant within the Microsoft Defender Security Center portal. + +The *.blob.core.windows.net URL endpoint can be replaced with the URLs shown in the “Firewall Rule: *.blob.core.windows.net” section of the test results. + +> [!NOTE] +> In the case of onboarding via Azure Security Center (ASC), multiple workspaces maybe used. You will need to perform the TestCloudConnection.exe procedure above on an onboarded machine from each workspace (to determine if there are any changes to the *.blob.core.windows.net URLs between the workspaces). + ## Verify client connectivity to Microsoft Defender ATP service URLs -Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. +Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Defender for Endpoint service URLs. -1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Microsoft Defender ATP sensor is running on. +1. Download the [MDATP Client Analyzer tool](https://aka.ms/mdatpanalyzer) to the PC where Defender for Endpoint sensor is running on. 2. Extract the contents of MDATPClientAnalyzer.zip on the device. @@ -189,7 +196,7 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5. Extract the *MDATPClientAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*. 6. Open *MDATPClientAnalyzerResult.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

    - The tool checks the connectivity of Microsoft Defender ATP service URLs that Microsoft Defender ATP client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Microsoft Defender ATP services. For example: + The tool checks the connectivity of Defender for Endpoint service URLs that Defender for Endpoint client is configured to interact with. It then prints the results into the *MDATPClientAnalyzerResult.txt* file for each URL that can potentially be used to communicate with the Defender for Endpoint services. For example: ```text Testing URL : https://xxx.microsoft.com/xxx @@ -200,18 +207,18 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 5 - Command line proxy: Doesn't exist ``` -If at least one of the connectivity options returns a (200) status, then the Microsoft Defender ATP client can communicate with the tested URL properly using this connectivity method.

    +If at least one of the connectivity options returns a (200) status, then the Defender for Endpoint client can communicate with the tested URL properly using this connectivity method.

    -However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. +However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Defender for Endpoint service URLs in the proxy server](#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). The URLs you'll use will depend on the region selected during the onboarding procedure. > [!NOTE] > The Connectivity Analyzer tool is not compatible with ASR rule [Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction#attack-surface-reduction-rules). You will need to temporarily disable this rule to run the connectivity tool. > [!NOTE] -> When the TelemetryProxyServer is set, in Registry or via Group Policy, Microsoft Defender ATP will fall back to direct if it can't access the defined proxy. +> When the TelemetryProxyServer is set, in Registry or via Group Policy, Defender for Endpoint will fall back to direct if it can't access the defined proxy. ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 38b47a18f9..ad4b3d8853 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Onboard Windows servers to the Microsoft Defender ATP service +# Onboard Windows servers to the Microsoft Defender for Endpoint service [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -30,40 +30,52 @@ ms.topic: article - Windows Server (SAC) version 1803 and later - Windows Server 2019 and later - Windows Server 2019 core edition -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configserver-abovefoldlink) -Microsoft Defender ATP extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. +Defender for Endpoint extends support to also include the Windows Server operating system. This support provides advanced attack detection and investigation capabilities seamlessly through the Microsoft Defender Security Center console. -The service supports the onboarding of the following Windows servers: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 -- Windows Server (SAC) version 1803 and later -- Windows Server 2019 and later -- Windows Server 2019 core edition - -For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Defender for Endpoint](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 -You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Microsoft Defender ATP by using any of the following options: +You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 to Defender for Endpoint by using any of the following options: -- **Option 1**: [Onboard through Microsoft Defender Security Center](#option-1-onboard-windows-servers-through-microsoft-defender-security-center) +- **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later (only for Windows Server 2012 R2 and Windows Server 2016)](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) + + +After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + > [!NOTE] -> Microsoft defender ATP standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). -### Option 1: Onboard Windows servers through Microsoft Defender Security Center -Perform the following steps to onboard Windows servers through Microsoft Defender Security Center: +### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) +You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). + +If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. + +In general, you'll need to take the following steps: +1. Fulfill the onboarding requirements outlined in **Before you begin** section. +2. Turn on server monitoring from Microsoft Defender Security center. +3. Install and configure MMA for the server to report sensor data to Defender for Endpoint. +4. Configure and update System Center Endpoint Protection clients. + + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Defender for Endpoint endpoint](run-detection-test.md). + + +#### Before you begin +Perform the following steps to fulfill the onboarding requirements: - For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) @@ -77,36 +89,10 @@ Perform the following steps to onboard Windows servers through Microsoft Defende > [!NOTE] > This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2008 R2 SP1 and Windows Server 2012 R2. - - [Turn on server monitoring from Microsoft Defender Security Center](#turn-on-server-monitoring-from-the-microsoft-defender-security-center-portal). - - - If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Microsoft Defender ATP workspace through Multihoming support. - - Otherwise, [install and configure MMA to report sensor data to Microsoft Defender ATP](#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp). For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). - -> [!TIP] -> After onboarding the device, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender ATP endpoint](run-detection-test.md). - -### Configure and update System Center Endpoint Protection clients - -Microsoft Defender ATP integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. - -The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). - -- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - - -### Turn on Server monitoring from the Microsoft Defender Security Center portal - -1. In the navigation pane, select **Settings** > **Device management** > **Onboarding**. - -2. Select **Windows Server 2008 R2 SP1, 2012 R2 and 2016** as the operating system. - -3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment setup. When the setup completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. -### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender ATP +### Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Microsoft Defender for Endpoint 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). @@ -115,16 +101,21 @@ The following steps are required to enable this integration: On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](configure-proxy-internet.md). -Once completed, you should see onboarded Windows servers in the portal within an hour. -### Configure Windows server proxy and Internet connectivity settings +### Configure Windows server proxy and Internet connectivity settings if needed +If your servers need to use a proxy to communicate with Defender for Endpoint, use one of the following methods to configure the MMA to use the proxy server: -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the OMS Gateway. -- If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that you [enable access to Microsoft Defender ATP service URLs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). + +- [Configure the MMA to use a proxy server](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#install-agent-using-setup-wizard) + +- [Configure Windows to use a proxy server for all connections](configure-proxy-internet.md) + +If a proxy or firewall is in use, please ensure that servers can access all of the Microsoft Defender ATP service URLs directly and without SSL interception. For more information, see [enable access to Defender for Endpoint service URLs](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). Use of SSL interception will prevent the system from communicating with the Defender for Endpoint service. + +Once completed, you should see onboarded Windows servers in the portal within an hour. ### Option 2: Onboard Windows servers through Azure Security Center 1. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Device management** > **Onboarding**. @@ -133,10 +124,15 @@ Once completed, you should see onboarded Windows servers in the portal within an 3. Click **Onboard Servers in Azure Security Center**. -4. Follow the onboarding instructions in [Microsoft Defender Advanced Threat Protection with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). +4. Follow the onboarding instructions in [Microsoft Defender for Endpoint with Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp). + +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). ### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later -You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender Advanced Threat Protection in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint + in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). + +After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -153,7 +149,7 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo Support for Windows Server, provide deeper insight into activities happening on the Windows server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. -1. Configure Microsoft Defender ATP onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). +1. Configure Defender for Endpoint onboarding settings on the Windows server. For more information, see [Onboard Windows 10 devices](configure-endpoints.md). 2. If you're running a third-party antimalware solution, you'll need to apply the following Microsoft Defender AV passive mode settings. Verify that it was configured correctly: @@ -182,52 +178,63 @@ Support for Windows Server, provide deeper insight into activities happening on For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). ## Integration with Azure Security Center -Microsoft Defender ATP can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Microsoft Defender ATP to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: -- Automated onboarding - Microsoft Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). +- Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). > [!NOTE] > Automated onboarding is only applicable for Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016. -- Windows servers monitored by Azure Security Center will also be available in Microsoft Defender ATP - Azure Security Center seamlessly connects to the Microsoft Defender ATP tenant, providing a single view across clients and servers. In addition, Microsoft Defender ATP alerts will be available in the Azure Security Center console. +- Windows servers monitored by Azure Security Center will also be available in Defender for Endpoint - Azure Security Center seamlessly connects to the Defender for Endpoint tenant, providing a single view across clients and servers. In addition, Defender for Endpoint alerts will be available in the Azure Security Center console. - Server investigation - Azure Security Center customers can access Microsoft Defender Security Center to perform detailed investigation to uncover the scope of a potential breach. > [!IMPORTANT] -> - When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is automatically created (in the US for US users, in the EU for European and UK users).
    -Data collected by Microsoft Defender ATP is stored in the geo-location of the tenant as identified during provisioning. -> - If you use Microsoft Defender ATP before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. +> - When you use Azure Security Center to monitor servers, a Defender for Endpoint tenant is automatically created (in the US for US users, in the EU for European and UK users).
    +Data collected by Defender for Endpoint is stored in the geo-location of the tenant as identified during provisioning. +> - If you use Defender for Endpoint before using Azure Security Center, your data will be stored in the location you specified when you created your tenant even if you integrate with Azure Security Center at a later time. > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant.
    Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. +## Configure and update System Center Endpoint Protection clients + +Defender for Endpoint integrates with System Center Endpoint Protection. The integration provides visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. + +The following steps are required to enable this integration: +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie). + +- Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. + + + ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. For other Windows server versions, you have two options to offboard Windows servers from the service: - Uninstall the MMA agent -- Remove the Microsoft Defender ATP workspace configuration +- Remove the Defender for Endpoint workspace configuration > [!NOTE] > Offboarding causes the Windows server to stop sending sensor data to the portal but data from the Windows server, including reference to any alerts it has had will be retained for up to 6 months. ### Uninstall Windows servers by uninstalling the MMA agent -To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Microsoft Defender ATP workspace. After offboarding the agent, the Windows server will no longer send sensor data to Microsoft Defender ATP. +To offboard the Windows server, you can uninstall the MMA agent from the Windows server or detach it from reporting to your Defender for Endpoint workspace. After offboarding the agent, the Windows server will no longer send sensor data to Defender for Endpoint. For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). -### Remove the Microsoft Defender ATP workspace configuration +### Remove the Defender for Endpoint workspace configuration To offboard the Windows server, you can use either of the following methods: -- Remove the Microsoft Defender ATP workspace configuration from the MMA agent +- Remove the Defender for Endpoint workspace configuration from the MMA agent - Run a PowerShell command to remove the configuration -#### Remove the Microsoft Defender ATP workspace configuration from the MMA agent +#### Remove the Defender for Endpoint workspace configuration from the MMA agent 1. In the **Microsoft Monitoring Agent Properties**, select the **Azure Log Analytics (OMS)** tab. -2. Select the Microsoft Defender ATP workspace, and click **Remove**. +2. Select the Defender for Endpoint workspace, and click **Remove**. - ![Image of Microsoft Monitoring Agen Properties](images/atp-mma.png) + ![Image of Microsoft Monitoring Agent Properties](images/atp-mma.png) #### Run a PowerShell command to remove the configuration @@ -253,5 +260,5 @@ To offboard the Windows server, you can use either of the following methods: - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) - [Configure proxy and Internet connectivity settings](configure-proxy-internet.md) -- [Run a detection test on a newly onboarded Microsoft Defender ATP device](run-detection-test.md) -- [Troubleshooting Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) +- [Run a detection test on a newly onboarded Defender for Endpoint device](run-detection-test.md) +- [Troubleshooting Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 2767826ed6..62e2e5f5b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -24,35 +24,34 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) ## Pull detections using security information and events management (SIEM) tools >[!NOTE] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ->-The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections. +>- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>-The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). -Microsoft Defender ATP supports security information and event management (SIEM) tools to pull detections. Microsoft Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. +Defender for Endpoint supports security information and event management (SIEM) tools to pull detections. Defender for Endpoint exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to pull detections from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment. - -Microsoft Defender ATP currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: +Defender for Endpoint currently supports the following specific SIEM solution tools through a dedicated SIEM integration model: - IBM QRadar - Micro Focus ArcSight -Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://df.securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. +Other SIEM solutions (such as Splunk, RSA NetWitness) are supported through a different integration model based on the new Alert API. For more information, view the [Partner application](https://securitycenter.microsoft.com/interoperability/partners) page and select the Security Information and Analytics section for full details. -To use either of these supported SIEM tools you'll need to: +To use either of these supported SIEM tools, you'll need to: -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) +- [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) - Configure the supported SIEM tool: - - [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) - - Configure IBM QRadar to pull Microsoft Defender ATP detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). + - [Configure HP ArcSight to pull Defender for Endpoint detections](configure-arcsight.md) + - Configure IBM QRadar to pull Defender for Endpoint detections For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/com.ibm.dsm.doc/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). -For more information on the list of fields exposed in the Detection API see, [Microsoft Defender ATP Detection fields](api-portal-mapping.md). +For more information on the list of fields exposed in the Detection API see, [Defender for Endpoint Detection fields](api-portal-mapping.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 69775ff5c3..99a86d51e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -18,17 +18,17 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Connected applications in Microsoft Defender ATP +# Connected applications in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Connected applications integrates with the Microsoft Defender ATP platform using APIs. +Connected applications integrates with the Defender for Endpoint platform using APIs. -Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. +Applications use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender for Endpoint APIs. In addition, Azure Active Directory (Azure AD) applications allow tenant admins to set explicit control over which APIs can be accessed using the corresponding app. You'll need to follow [these steps](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro) to use the APIs with the connected application. @@ -37,7 +37,7 @@ From the left navigation menu, select **Partners & APIs** > **Connected AAD appl ## View connected application details -The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender ATP in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. +The Connected applications page provides information about the Azure AD applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. ![Image of connected apps](images/connected-apps.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md index 252019ef63..b8af068443 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md @@ -17,15 +17,15 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Contact Microsoft Defender ATP support +# Contact Microsoft Defender for Endpoint support [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Microsoft Defender ATP has recently upgraded the support process to offer a more modern and advanced support experience. +Defender for Endpoint has recently upgraded the support process to offer a more modern and advanced support experience. The new widget allows customers to: - Find solutions to common problems @@ -68,7 +68,7 @@ In case the suggested articles are not sufficient, you can open a service reques ## Open a service request -Learn how to open support tickets by contacting Microsoft Defender ATP support. +Learn how to open support tickets by contacting Defender for Endpoint support. diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index e4e8f5ec72..8112a5f3e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 08/25/2020 +ms.date: 11/05/2020 ms.reviewer: v-maave manager: dansimp ms.custom: asr @@ -24,13 +24,13 @@ ms.custom: asr **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## What is controlled folder access? Controlled folder access helps you protect your valuable data from malicious apps and threats, like ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019 and Windows 10 clients, controlled folder access can be turned on using the Windows Security App or in Microsoft Endpoint Configuration Manager and Intune (for managed devices). -Controlled folder access works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). ## How does controlled folder access work? @@ -42,7 +42,7 @@ Apps can also be manually added to the trusted list via Configuration Manager an Controlled folder access is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware). In a ransomware attack, your files can get encrypted and held hostage. With controlled folder access in place, a notification appears on the computer where an app attempted to make changes to a file in a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. +The protected folders include common system folders (including boot sectors), and you can [add additional folders](customize-controlled-folders.md#protect-additional-folders). You can also [allow apps](customize-controlled-folders.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. You can use [audit mode](audit-windows-defender.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. @@ -54,9 +54,9 @@ Controlled folder access requires enabling [Microsoft Defender Antivirus real-ti ## Review controlled folder access events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Defender for Endpoint provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. +You can query Microsoft Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. Example query: diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index e02de4aa8b..a5c286ef37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Creates new [Alert](alerts.md) on top of **Event**. -
    **Microsoft Defender ATP Event** is required for the alert creation. +
    **Microsoft Defender for Endpoint Event** is required for the alert creation.
    You will need to supply 3 parameters from the Event in the request: **Event Time**, **Machine ID** and **Report ID**. See example below.
    You can use an event found in Advanced Hunting API or Portal.
    If there existing an open alert on the same Device with the same Title, the new created alert will be merged with it. @@ -41,7 +41,7 @@ Creates new [Alert](alerts.md) on top of **Event**. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 4edd3585e2..17e23e40fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -25,7 +25,7 @@ ms.date: 09/20/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Custom detection rules built from [advanced hunting](advanced-hunting-overview.md) queries let you proactively monitor various events and system states, including suspected breach activity and misconfigured devices. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. @@ -109,7 +109,7 @@ Your custom detection rule can automatically take actions on files or devices th These actions are applied to devices in the `DeviceId` column of the query results: -- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Microsoft Defender ATP service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) +- **Isolate device**—applies full network isolation, preventing the device from connecting to any application or service, except for the Defender for Endpoint service. [Learn more about device isolation](respond-machine-alerts.md#isolate-devices-from-the-network) - **Collect investigation package**—collects device information in a ZIP file. [Learn more about the investigation package](respond-machine-alerts.md#collect-investigation-package-from-devices) - **Run antivirus scan**—performs a full Microsoft Defender Antivirus scan on the device - **Initiate investigation**—starts an [automated investigation](automated-investigations.md) on the device diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index 855bd65993..ef5088e134 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -24,7 +24,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Manage your existing [custom detection rules](custom-detection-rules.md) to ensure they are effectively finding threats and taking actions. Explore how to view the list of rules, check their previous runs, and review the alerts they have triggered. You can also run a rule on demand and modify it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 2773f28ed5..81ede44b00 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index f35a4eefd9..b689c58a11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 081c5218c3..e0f6337ab6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index f1483165c4..7932cfb153 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -16,7 +16,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual --- -# Verify data storage location and update data retention settings for Microsoft Defender ATP +# Verify data storage location and update data retention settings for Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -24,12 +24,12 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-gensettings-abovefoldlink) -During the onboarding process, a wizard takes you through the data storage and retention settings of Microsoft Defender ATP. +During the onboarding process, a wizard takes you through the data storage and retention settings of Defender for Endpoint. After completing the onboarding, you can verify your selection in the data retention settings page. @@ -52,5 +52,5 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) +- [Configure alert notifications in Defender for Endpoint](configure-email-notifications.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 6e76ce4bee..953b74c139 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -17,29 +17,30 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender ATP data storage and privacy +# Microsoft Defender for Endpoint data storage and privacy [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -This section covers some of the most frequently asked questions regarding privacy and data handling for Microsoft Defender ATP. +This section covers some of the most frequently asked questions regarding privacy and data handling for Defender for Endpoint. > [!NOTE] -> This document explains the data storage and privacy details related to Microsoft Defender ATP. For more information related to Microsoft Defender ATP and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. +> This document explains the data storage and privacy details related to Defender for Endpoint. For more information related to Defender for Endpoint and other products and services like Microsoft Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. -## What data does Microsoft Defender ATP collect? -Microsoft Defender ATP will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. +## What data does Microsoft Defender for Endpoint collect? + +Microsoft Defender for Endpoint will collect and store information from your configured devices in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and device details (such as device identifiers, names, and the operating system version). Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). -This data enables Microsoft Defender ATP to: +This data enables Defender for Endpoint to: - Proactively identify indicators of attack (IOAs) in your organization - Generate alerts if a possible attack was detected - Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. @@ -47,16 +48,16 @@ This data enables Microsoft Defender ATP to: Microsoft does not use your data for advertising. ## Data protection and encryption -The Microsoft Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. +The Defender for Endpoint service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. -There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Microsoft Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Defender for Endpoint service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). In all scenarios, data is encrypted using 256-bit [AES encryption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. ## Data storage location -Microsoft Defender ATP operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Microsoft Defender ATP uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. +Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. @@ -79,21 +80,22 @@ Access to data for services deployed in Microsoft Azure Government data centers ## Is data shared with other customers? -No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. +No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer-specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides. ## How long will Microsoft store my data? What is Microsoft’s data retention policy? **At service onboarding**
    -You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. +You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
    Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. ## Can Microsoft help us maintain regulatory compliance? -Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Microsoft Defender ATP services against their own legal and regulatory requirements. Microsoft Defender ATP has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. -By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. +Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Defender for Endpoint services against their own legal and regulatory requirements. Defender for Endpoint has achieved a number of certifications including ISO, SOC, FedRAMP High, and PCI and continues to pursue additional national, regional and industry-specific certifications. -For more information on the Microsoft Defender ATP certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). +By providing customers with compliant, independently verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run. ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) +For more information on the Defender for Endpoint certification reports, see [Microsoft Trust Center](https://servicetrust.microsoft.com/). + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-datastorage-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index fa43e76e73..f84762a3a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -27,18 +27,18 @@ ms.date: 04/24/2018 - Windows Defender -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-defendercompat-abovefoldlink) -The Microsoft Defender Advanced Threat Protection agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. +The Microsoft Defender for Endpoint agent depends on Microsoft Defender Antivirus for some capabilities such as file scanning. >[!IMPORTANT] ->Microsoft Defender ATP does not adhere to the Microsoft Defender Antivirus Exclusions settings. +>Defender for Endpoint does not adhere to the Microsoft Defender Antivirus Exclusions settings. -You must configure Security intelligence updates on the Microsoft Defender ATP devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). +You must configure Security intelligence updates on the Defender for Endpoint devices whether Microsoft Defender Antivirus is the active antimalware or not. For more information, see [Manage Microsoft Defender Antivirus updates and apply baselines](../microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md). If an onboarded device is protected by a third-party antimalware client, Microsoft Defender Antivirus on that endpoint will enter into passive mode. @@ -46,4 +46,4 @@ Microsoft Defender Antivirus will continue to receive updates, and the *mspeng.e The Microsoft Defender Antivirus interface will be disabled, and users on the device will not be able to use Microsoft Defender Antivirus to perform on-demand scans or configure most options. -For more information, see the [Microsoft Defender Antivirus and Microsoft Defender ATP compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +For more information, see the [Microsoft Defender Antivirus and Defender for Endpoint compatibility topic](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md index 1dd2b90d07..123ce4959e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md index 000dafbddd..298867cbc0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-phases.md @@ -1,6 +1,6 @@ --- title: Deployment phases -description: Learn how deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service +description: Learn how to deploy Microsoft Defender ATP by preparing, setting up, and onboarding endpoints to that service keywords: deploy, prepare, setup, onboard, phase, deployment, deploying, adoption, configuring search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,47 +24,45 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -There are three phases in deploying Microsoft Defender ATP: +There are three phases in deploying Defender for Endpoint: -|Phase | Desription | +|Phase | Description | |:-------|:-----| -| ![Phase 1: Prepare](images/prepare.png)
    [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Microsoft Defender ATP:

    - Stakeholders and sign-off
    - Environment considerations
    - Access
    - Adoption order +| ![Phase 1: Prepare](images/prepare.png)
    [Phase 1: Prepare](prepare-deployment.md)| Learn about what you need to consider when deploying Defender for Endpoint:

    - Stakeholders and sign-off
    - Environment considerations
    - Access
    - Adoption order | ![Phase 2: Setup](images/setup.png)
    [Phase 2: Setup](production-deployment.md)| Take the initial steps to access Microsoft Defender Security Center. You'll be guided on:

    - Validating the licensing
    - Completing the setup wizard within the portal
    - Network configuration| -| ![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. You'll be guided on:

    - Using Microsoft Endpoint Configuration Manager to onboard devices
    - Configure capabilities +| ![Phase 3: Onboard](images/onboard.png)
    [Phase 3: Onboard](onboarding.md) | Onboard devices to the service so the Microsoft Defender ATP service can get sensor data from them. - The deployment guide will guide you through the recommended path in deploying Microsoft Defender ATP. +The deployment guide will guide you through the recommended path in deploying Defender for Endpoint. + +If you're unfamiliar with the general deployment planning steps, check out the [Plan deployment](deployment-strategy.md) topic to get a high-level overview of the general deployment steps and methods. + -There are several methods you can use to onboard to the service. For information on other ways to onboard, see [Onboard devices to Microsoft Defender ATP](onboard-configure.md). ## In Scope The following is in scope for this deployment guide: -- Use of Microsoft Endpoint Configuration Manager to onboard endpoints into the service +- Use of Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager to onboard endpoints into the service and configure capabilities -- Enabling Microsoft Defender ATP endpoint protection platform (EPP) +- Enabling Defender for Endpoint endpoint detection and response (EDR) capabilities + +- Enabling Defender for Endpoint endpoint protection platform (EPP) capabilities - Next-generation protection - Attack surface reduction -- Enabling Microsoft Defender ATP endpoint detection and response (EDR) - capabilities including automatic investigation and remediation - -- Enabling Microsoft Defender ATP threat and vulnerability management (TVM) - ## Out of scope The following are out of scope of this deployment guide: -- Configuration of third-party solutions that might integrate with Microsoft - Defender ATP +- Configuration of third-party solutions that might integrate with Defender for Endpoint - Penetration testing in production environment diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md new file mode 100644 index 0000000000..8ad96f8300 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-rings.md @@ -0,0 +1,121 @@ +--- +title: Deploy Microsoft Defender ATP in rings +description: Learn how to deploy Microsoft Defender ATP in rings +keywords: deploy, rings, evaluate, pilot, insider fast, insider slow, setup, onboard, phase, deployment, deploying, adoption, configuring +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-endpointprotect +- m365solution-overview +ms.topic: article +--- + +# Deploy Microsoft Defender ATP in rings + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) + + +Deploying Microsoft Defender ATP can be done using a ring-based deployment approach. + +The deployment rings can be applied in the following scenarios: +- [New deployments](#new-deployments) +- [Existing deployments](#existing-deployments) + +## New deployments + +![Image of deployment rings](images/deployment-rings.png) + + +A ring-based approach is a method of identifying a set of endpoints to onboard and verifying that certain criteria is met before proceeding to deploy the service to a larger set of devices. You can define the exit criteria for each ring and ensure that they are satisfied before moving on to the next ring. + +Adopting a ring-based deployment helps reduce potential issues that could arise while rolling out the service. By piloting a certain number of devices first, you can identify potential issues and mitigate potential risks that might arise. + + +Table 1 provides an example of the deployment rings you might use. + +**Table 1** + +|**Deployment ring**|**Description**| +|:-----|:-----| +Evaluate | Ring 1: Identify 50 systems for pilot testing +Pilot | Ring 2: Identify the next 50-100 endpoints in production environment
    +Full deployment | Ring 3: Roll out service to the rest of environment in larger increments + + + +### Exit criteria +An example set of exit criteria for these rings can include: +- Devices show up in the device inventory list +- Alerts appear in dashboard +- [Run a detection test](run-detection-test.md) +- [Run a simulated attack on a device](attack-simulations.md) + +### Evaluate +Identify a small number of test machines in your environment to onboard to the service. Ideally, these machines would be fewer than 50 endpoints. + + +### Pilot +Microsoft Defender ATP supports a variety of endpoints that you can onboard to the service. In this ring, identify several devices to onboard and based on the exit criteria you define, decide to proceed to the next deployment ring. + +The following table shows the supported endpoints and the corresponding tool you can use to onboard devices to the service. + +| Endpoint | Deployment tool | +|--------------|------------------------------------------| +| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
    NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.
    [Group Policy](configure-endpoints-gp.md)
    [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
    [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
    [VDI scripts](configure-endpoints-vdi.md) | +| **macOS** | [Local script](mac-install-manually.md)
    [Microsoft Endpoint Manager](mac-install-with-intune.md)
    [JAMF Pro](mac-install-with-jamf.md)
    [Mobile Device Management](mac-install-with-other-mdm.md) | +| **Linux Server** | [Local script](linux-install-manually.md)
    [Puppet](linux-install-with-puppet.md)
    [Ansible](linux-install-with-ansible.md)| +| **iOS** | [App-based](ios-install.md) | +| **Android** | [Microsoft Endpoint Manager](android-intune.md) | + + + + +### Full deployment +At this stage, you can use the [Plan deployment](deployment-strategy.md) material to help you plan your deployment. + + +Use the following material to select the appropriate Microsoft Defender ATP architecture that best suites your organization. + +|**Item**|**Description**| +|:-----|:-----| +|[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
    [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
    • Cloud-native
    • Co-management
    • On-premise
    • Evaluation and local onboarding
      • + + + + +## Existing deployments + +### Windows endpoints +For Windows and/or Windows Servers, you select several machines to test ahead of time (before patch Tuesday) by using the **Security Update Validation program (SUVP)**. + +For more information, see: +- [What is the Security Update Validation Program](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-is-the-security-update-validation-program/ba-p/275767) +- [Software Update Validation Program and Microsoft Malware Protection Center Establishment - TwC Interactive Timeline Part 4](https://www.microsoft.com/security/blog/2012/03/28/software-update-validation-program-and-microsoft-malware-protection-center-establishment-twc-interactive-timeline-part-4/) + + +### Non-Windows endpoints +With macOS and Linux, you could take a couple of systems and run in the "InsidersFast" channel. + +>[!NOTE] +>Ideally at least one security admin and one developer so that you are able to find compatibility, performance and reliability issues before the build makes it into the "Production" channel. + +The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in insiders-fast are the first ones to receive updates and new features, followed later by insiders-slow and lastly by prod. + +![Image of insider rings](images/insider-rings.png) + +In order to preview new features and provide early feedback, it is recommended that you configure some devices in your enterprise to use either insiders-fast or insiders-slow. + +>[!WARNING] +>Switching the channel after the initial installation requires the product to be reinstalled. To switch the product channel: uninstall the existing package, re-configure your device to use the new channel, and follow the steps in this document to install the package from the new location. diff --git a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md index cd066db719..9c14158aa2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/deployment-strategy.md @@ -1,5 +1,5 @@ --- -title: Plan your Microsoft Defender ATP deployment strategy +title: Plan your Microsoft Defender ATP deployment description: Select the best Microsoft Defender ATP deployment strategy for your environment keywords: deploy, plan, deployment strategy, cloud native, management, on prem, evaluation, onboarding, local, group policy, gp, endpoint manager, mem search.product: eADQiWindows 10XVcnh @@ -16,34 +16,61 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Plan your Microsoft Defender ATP deployment strategy +# Plan your Microsoft Defender for Endpoint deployment [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) -Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Microsoft Defender ATP. +Depending on the requirements of your environment, we've put together material to help guide you through the various options you can adopt to deploy Defender for Endpoint. + +These are the general steps you need to take to deploy Defender for Endpoint: + +![Image of deployment flow](images/onboarding-flow-diagram.png) + +- Identify architecture +- Select deployment method +- Configure capabilities -You can deploy Microsoft Defender ATP using various management tools. In general the following management tools are supported: +## Step 1: Identify architecture +We understand that every enterprise environment is unique, so we've provided several options to give you the flexibility in choosing how to deploy the service. -- Group policy -- Microsoft Endpoint Configuration Manager -- Mobile Device Management tools -- Local script - - -## Microsoft Defender ATP deployment strategy - -Depending on your environment, some tools are better suited for certain architectures. +Depending on your environment, some tools are better suited for certain architectures. +Use the following material to select the appropriate Defender for Endpoint architecture that best suites your organization. |**Item**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
      [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
      • Cloud-native
      • Co-management
      • On-premise
      • Evaluation and local onboarding
        • +|[![Thumb image for Defender for Endpoint deployment strategy](images/mdatp-deployment-strategy.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf)
        [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.pdf) \| [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-deployment-strategy.vsdx) | The architectural material helps you plan your deployment for the following architectures:
        • Cloud-native
        • Co-management
        • On-premise
        • Evaluation and local onboarding
          • + + + +## Step 2: Select deployment method +Defender for Endpoint supports a variety of endpoints that you can onboard to the service. + +The following table lists the supported endpoints and the corresponding deployment tool that you can use so that you can plan the deployment appropriately. + +| Endpoint | Deployment tool | +|--------------|------------------------------------------| +| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
          [Group Policy](configure-endpoints-gp.md)
          [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
          [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
          [VDI scripts](configure-endpoints-vdi.md) | +| **macOS** | [Local script](mac-install-manually.md)
          [Microsoft Endpoint Manager](mac-install-with-intune.md)
          [JAMF Pro](mac-install-with-jamf.md)
          [Mobile Device Management](mac-install-with-other-mdm.md) | +| **Linux Server** | [Local script](linux-install-manually.md)
          [Puppet](linux-install-with-puppet.md)
          [Ansible](linux-install-with-ansible.md)| +| **iOS** | [App-based](ios-install.md) | +| **Android** | [Microsoft Endpoint Manager](android-intune.md) | + + + +## Step 3: Configure capabilities +After onboarding endpoints, configure the security capabilities in Defender for Endpoint so that you can maximize the robust security protection available in the suite. Capabilities include: + +- Endpoint detection and response +- Next-generation protection +- Attack surface reduction + ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md index 7b99cd69cd..8ab3495d50 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md +++ b/windows/security/threat-protection/microsoft-defender-atp/device-timeline-event-flag.md @@ -16,15 +16,15 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP device timeline event flags +# Microsoft Defender for Endpoint device timeline event flags [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Event flags in the Microsoft Defender ATP device timeline help you filter and organize specific events when you're investigate potential attacks. +Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks. -The Microsoft Defender ATP device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related. +The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related. After you've gone through a device timeline, you can sort, filter, and export the specific events that you flagged. diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index bd35122350..ded3b76626 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md index b5679d1756..5498350b55 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -28,18 +28,18 @@ ms.collection: **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## What is EDR in block mode? -When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Microsoft Defender ATP blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach. +When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is turned on, Defender for Endpoint blocks malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected, post breach. EDR in block mode is also integrated with [threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt). Your organization's security team will get a [security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to turn EDR in block mode on if it isn't already enabled. :::image type="content" source="images/edrblockmode-TVMrecommendation.png" alt-text="recommendation to turn on EDR in block mode"::: > [!NOTE] -> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. +> EDR in block mode is currently in preview, available to organizations who have opted in to receive **[preview features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/preview)**. To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. ## What happens when something is detected? @@ -70,10 +70,10 @@ The following image shows an instance of unwanted software that was detected and |---------|---------| |Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | |Operating system |One of the following versions:
          - Windows 10 (all releases)
          - Windows Server 2016 or later | -|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
          - Microsoft 365 E5
          - Microsoft 365 E3 together with the Identity & Threat Protection offering

          See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | +|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
          - Microsoft 365 E5
          - Microsoft 365 E3 together with the Identity & Threat Protection offering

          See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | |Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled.

          See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | -|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
          In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
          In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | +|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
          In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator.
          In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] > To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined. @@ -87,11 +87,11 @@ No. EDR in block mode does not affect third-party antivirus protection running o ### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. +Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. ## See also @@ -99,5 +99,5 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio [Behavioral blocking and containment](behavioral-blocking-containment.md) -[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus) +[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 36216eb833..603f751bdd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -32,7 +32,7 @@ Each ASR rule contains one of three settings: - Block: Enable the ASR rule - Audit: Evaluate how the ASR rule would impact your organization if enabled -To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. +To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) (Defender for Endpoint). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules. > [!TIP] > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf). @@ -51,7 +51,7 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. -You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).) +You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Defender for Endpoint file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).) > [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. @@ -84,7 +84,7 @@ The following is a sample for reference, using [GUID values for ASR rules](attac `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules` -`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1` +`Value: 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=2|3B576869-A4EC-4529-8536-B80A7769E899=1|D4F940AB-401B-4EfC-AADC-AD5F3C50688A=2|D3E037E1-3EB8-44C8-A917-57927947596D=1|5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=0|BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1` The values to enable, disable, or enable in audit mode are: diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 2986e7ecf0..8af897f9a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Controlled folder access](controlled-folders.md) helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is included with Windows 10 and Windows Server 2019. @@ -134,4 +134,4 @@ Use `Disabled` to turn off the feature. * [Protect important folders with controlled folder access](controlled-folders.md) * [Customize controlled folder access](customize-controlled-folders.md) -* [Evaluate Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md) +* [Evaluate Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 5707cf67b8..368d58eee8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Exploit protection](exploit-protection.md) helps protect against malware that uses exploits to infect devices and spread. Exploit protection consists of a number of mitigations that can be applied to either the operating system or individual apps. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 2d96393904..4f9ad6dff7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. @@ -100,7 +100,7 @@ Use the following procedure to enable network protection on domain-joined comput 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: * **Block** - Users can't access malicious IP addresses and domains * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains - * **Audit Mode** - If a user visits a malicious IP address or domain, an event won't be recorded in the Windows event log. However, the user won't be blocked from visiting the address. + * **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log. However, the user won't be blocked from visiting the address. > [!IMPORTANT] > To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index 8799a37ea2..c4e8e36cbe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -1,5 +1,5 @@ --- -title: Enable SIEM integration in Microsoft Defender ATP +title: Enable SIEM integration in Microsoft Defender for Endpoint description: Enable SIEM integration to receive detections in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh @@ -17,26 +17,33 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Enable SIEM integration in Microsoft Defender ATP +# Enable SIEM integration in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) -Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. +Enable security information and event management (SIEM) integration so you can pull detections from Microsoft Defender Security Center. Pull detections using your SIEM solution or by connecting directly to the detections REST API. >[!NOTE] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ->- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections. +>- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Prerequisites -- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: Security Administrator and either Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal. + +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is someone with the following roles: + + - Security Administrator and either Global Administrator + - Cloud Application Administrator + - Application Administrator + - Owner of the service principal + - During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. ## Enabling SIEM integration @@ -47,7 +54,7 @@ Enable security information and event management (SIEM) integration so you can p >[!TIP] >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. -2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. +2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. > [!WARNING] >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
          @@ -71,15 +78,15 @@ Enable security information and event management (SIEM) integration so you can p > [!NOTE] > You'll need to generate a new Refresh token every 90 days. -6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts. +6. Follow the instructions for [creating an Azure AD app registration for Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp) and assign the correct permissions to it to read alerts. You can now proceed with configuring your SIEM solution or connecting to the detections REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive detections from Microsoft Defender Security Center. -## Integrate Microsoft Defender ATP with IBM QRadar -You can configure IBM QRadar to collect detections from Microsoft Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). +## Integrate Microsoft Defender for Endpoint with IBM QRadar +You can configure IBM QRadar to collect detections from Microsoft Defender for Endpoint. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). -## Related topics -- [Configure HP ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Microsoft Defender ATP Detection fields](api-portal-mapping.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +## See also +- [Configure HP ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) +- [Microsoft Defender for Endpoint Detection fields](api-portal-mapping.md) +- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md index 4d724bc3ca..9c552f4e9c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/endpoint-detection-response-mac-preview.md @@ -1,6 +1,6 @@ --- -title: Enable Microsoft Defender ATP Insider Device -description: Install and use Microsoft Defender ATP for Mac. +title: Enable Microsoft Defender for Endpoint Insider Device +description: Install and use Microsoft Defender for Endpoint (Mac). keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -19,19 +19,18 @@ ms.collection: ms.topic: conceptual --- -# Enable Microsoft Defender ATP Insider Device +# Enable Microsoft Defender for Endpoint Insider Device [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +To get preview features for Mac, you must set up your device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). -Endpoint detection and response capabilities in Microsoft Defender ATP for Mac are now in preview. To get these and other preview features, you must set up your Mac device to be an "Insider" device as described in this article. For scale deployment, we recommend using [Jamf](#enable-the-insider-program-with-jamf) or [Intune](#enable-the-insider-program-with-intune). - ->[!IMPORTANT] ->Make sure you have enabled [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md) and [manual deployment](mac-install-manually.md) instructions. +> [!IMPORTANT] +> Make sure you have enabled [Microsoft Defender for Endpoint (Mac)](microsoft-defender-atp-mac.md#how-to-install-microsoft-defender-atp-for-mac), and pay attention to the “earlyPreview” flag. See documentation for [Jamf](mac-install-with-jamf.md), [Intune](mac-install-with-intune.md), and [manual deployment](mac-install-manually.md) instructions. ## Enable the Insider program with Jamf -1. Create configuration profile com.microsoft.wdav.plist with the following content: +1. Create configuration profile `com.microsoft.wdav.plist` with the following content: ```XML @@ -49,14 +48,14 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a 1. From the JAMF console, navigate to  **Computers > Configuration Profiles**, navigate to the configuration profile you'd like to use, then select  **Custom Settings**. -1. Create an entry with com.microsoft.wdav as the preference domain and upload the .plist created earlier. +1. Create an entry with `com.microsoft.wdav` as the preference domain and upload the `.plist` created earlier. > [!WARNING] > You must enter the correct preference domain (com.microsoft.wdav), otherwise the preferences will not be recognized by the product ## Enable the Insider program with Intune -1. Create configuration profile com.microsoft.wdav.plist with the following content: +1. Create configuration profile `com.microsoft.wdav.plist` with the following content: ```XML @@ -117,11 +116,11 @@ Endpoint detection and response capabilities in Microsoft Defender ATP for Mac a 1. Choose a name for the profile. Change  **Platform=macOS**  to  **Profile type=Custom**. Select  **Configure**. -1. Save the .plist created earlier as com.microsoft.wdav.xml. +1. Save the `.plist` created earlier as com.microsoft.wdav.xml. -1. Enter com.microsoft.wdav as the custom configuration profile name. +1. Enter `com.microsoft.wdav` as the custom configuration profile name. -1. Open the configuration profile and upload com.microsoft.wdav.xml. This file was created in step 1. +1. Open the configuration profile and upload `com.microsoft.wdav.xml`. This file was created in step 1. 1. Select  **OK**. @@ -148,19 +147,19 @@ For versions earlier than 100.78.0, run: ### Verify you are running the correct version -To get the latest version of the Microsoft Defender ATP for Mac, set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). +To get the latest version of the Microsoft Defender for Endpoint (Mac), set the Microsoft AutoUpdate to “Fast Ring”. To get “Microsoft AutoUpdate”, download it from [Release history for Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/officeupdates/release-history-microsoft-autoupdate). -To verify you are running the correct version, run ‘mdatp --health’ on the device. +To verify you are running the correct version, run `mdatp --health` on the device. * The required version is 100.72.15 or later. -* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running ‘defaults read com.microsoft.autoupdate2’ from terminal. -* To change update settings use documentation in [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). +* If the version is not as expected, verify that Microsoft Auto Update is set to automatically download and install updates by running `defaults read com.microsoft.autoupdate2` from the terminal. +* To change update settings, see [Update Office for Mac automatically](https://support.office.com/article/update-office-for-mac-automatically-bfd1e497-c24d-4754-92ab-910a4074d7c1). * If you are not using Office for Mac, download and run the AutoUpdate tool. ### A device still does not appear on Microsoft Defender Security Center -After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running ‘mdatp --connectivity-test’. +After a successful deployment and onboarding of the correct version, check that the device has connectivity to the cloud service by running `mdatp --connectivity-test`. -* Check that you enabled the early preview flag. In terminal run “mdatp –health” and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. +* Check that you enabled the early preview flag. In the terminal, run `mdatp –health` and look for the value of “edrEarlyPreviewEnabled”. It should be “Enabled”. If you followed the manual deployment instructions, you were prompted to enable Kernel Extensions. Pay attention to the “System Extension note” in the [manual deployment documentation](mac-install-manually.md#application-installation-macos-1015-and-older-versions) and use the “Manual Deployment” section in the [troubleshoot kernel extension documentation](mac-support-kext.md#manual-deployment). diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index 35dc0c89f1..b80ba00b38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -1,7 +1,7 @@ --- -title: Evaluate Microsoft Defender Advanced Threat Protection +title: Evaluate Microsoft Defender for Endpoint ms.reviewer: -description: Evaluate the different security capabilities in Microsoft Defender ATP. +description: Evaluate the different security capabilities in Microsoft Defender for Endpoint. keywords: attack surface reduction, evaluate, next, generation, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,16 +18,16 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Evaluate Microsoft Defender ATP +# Evaluate Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +[Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -You can evaluate Microsoft Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +You can evaluate Microsoft Defender for Endpoint in your organization by [starting your free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -You can also evaluate the different security capabilities in Microsoft Defender ATP by using the following instructions. +You can also evaluate the different security capabilities in Microsoft Defender for Endpoint by using the following instructions. ## Evaluate attack surface reduction @@ -48,4 +48,4 @@ Next gen protections help detect and block the latest threats. ## See Also -[Microsoft Defender Advanced Threat Protection overview](microsoft-defender-advanced-threat-protection.md) +[Microsoft Defender for Endpoint overview](microsoft-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 1c8621e5f2..4fdbaae9b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Attack surface reduction rules help prevent actions typically used by malware to compromise devices or networks. Set attack surface reduction rules for devices running any of the following editions and versions of Windows: @@ -33,7 +33,7 @@ Attack surface reduction rules help prevent actions typically used by malware to Learn how to evaluate attack surface reduction rules by enabling audit mode to test the feature directly in your organization. > [!TIP] -> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> You can also visit the Microsoft Defender for Endpoint demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index da54fddecf..fb1a325c8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Controlled folder access](controlled-folders.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 and Windows 10 clients. @@ -30,7 +30,7 @@ It is especially useful in helping protect against [ransomware](https://www.micr This article helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. > [!TIP] -> You can also visit the Microsoft Defender ATP demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +> You can also visit the Microsoft Defender for Endpoint demo scenario website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Use audit mode to measure impact @@ -68,5 +68,5 @@ See [Protect important folders with controlled folder access](controlled-folders ## See also * [Protect important folders with controlled folder access](controlled-folders.md) -* [Evaluate Microsoft Defender ATP]../(microsoft-defender-atp/evaluate-atp.md) +* [Evaluate Microsoft Defender for Endpoint](evaluate-atp.md) * [Use audit mode](audit-windows-defender.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index 0b95bca029..a6dcacc047 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -23,14 +23,14 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Exploit protection](exploit-protection.md) helps protect devices from malware that uses exploits to spread and infect other devices. Mitigation can be applied to either the operating system or to an individual app. Many of the features that were part of the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. (The EMET has reached its end of support.) This article helps you enable exploit protection in audit mode and review related events in Event Viewer. You can enable audit mode to see how mitigation works for certain apps in a test environment. By auditing exploit protection, you can see what *would* have happened if you had enabled exploit protection in your production environment. This way, you can help ensure exploit protection doesn't adversely affect your line-of-business apps, and you can see which suspicious or malicious events occur. > [!TIP] -> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. +> You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how exploit protection works. ## Enable exploit protection in audit mode diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md index 17edc7d5e5..1da3fe309f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md @@ -21,14 +21,14 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Network protection](network-protection.md) helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -This article helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. +This article helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain. > [!TIP] -> You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. +> You can also visit the Microsoft Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work. ## Enable network protection in audit mode diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 2f57d47778..64a0179395 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -1,6 +1,6 @@ --- -title: Microsoft Defender ATP evaluation lab -description: Learn about Microsoft Defender ATP capabilities, run attack simulations, and see how it prevents, detects, and remediates threats. +title: Microsoft Defender for Endpoint evaluation lab +description: Learn about Microsoft Defender for Endpoint capabilities, run attack simulations, and see how it prevents, detects, and remediates threats. keywords: evaluate mdatp, evaluation, lab, simulation, windows 10, windows server 2019, evaluation lab search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,33 +18,32 @@ ms.collection: ms.topic: article --- -# Microsoft Defender ATP evaluation lab +# Microsoft Defender for Endpoint evaluation lab [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Conducting a comprehensive security product evaluation can be a complex process requiring cumbersome environment and device configuration before an end-to-end attack simulation can actually be done. Adding to the complexity is the challenge of tracking where the simulation activities, alerts, and results are reflected during the evaluation. -The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. +The Microsoft Defender for Endpoint evaluation lab is designed to eliminate the complexities of device and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action. ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM] +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM] -With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs. +With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Defender for Endpoint performs. -You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers. +You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Defender for Endpoint offers. You can add Windows 10 or Windows Server 2019 devices that come pre-configured to have the latest OS versions and the right security components in place as well as Office 2019 Standard installed. -You can also install threat simulators. Microsoft Defender ATP has partnered with industry leading threat simulation platforms to help you test out the Microsoft Defender ATP capabilities without having to leave the portal. +You can also install threat simulators. Defender for Endpoint has partnered with industry leading threat simulation platforms to help you test out the Defender for Endpoint capabilities without having to leave the portal. Install your preferred simulator, run scenarios within the evaluation lab, and instantly see how the platform performs - all conveniently available at no extra cost to you. You'll also have convenient access to wide array of simulations which you can access and run from the simulations catalog. ## Before you begin -You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender ATP to access the evaluation lab. +You'll need to fulfill the [licensing requirements](minimum-requirements.md#licensing-requirements) or have trial access to Microsoft Defender for Endpoint to access the evaluation lab. You must have **Manage security settings** permissions to: - Create the lab @@ -52,9 +51,11 @@ You must have **Manage security settings** permissions to: - Reset password - Create simulations +If you enabled role-based access control (RBAC) and created at least a one machine group, users must have access to All machine groups. + For more information, see [Create and manage roles](user-roles.md). -Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink) +Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink) ## Get started with the lab @@ -72,7 +73,7 @@ Already have a lab? Make sure to enable the new threat simulators and have activ ## Setup the evaluation lab -1. In the navigation pane, select **Evaluation and tutorials > Evaluation lab**, then select **Setup lab**. +1. In the navigation pane, select **Evaluation and tutorials** > **Evaluation lab**, then select **Setup lab**. ![Image of the evaluation lab welcome page](images/evaluation-lab-setup.png) @@ -98,30 +99,30 @@ After the lab setup process is complete, you can add devices and run simulations ## Add devices -When you add a device to your environment, Microsoft Defender ATP sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices. +When you add a device to your environment, Defender for Endpoint sets up a well-configured device with connection details. You can add Windows 10 or Windows Server 2019 devices. The device will be configured with the most up-to-date version of the OS and Office 2019 Standard as well as other apps such as Java, Python, and SysIntenals. >[!TIP] - > Need more devices in your lab? Submit a support ticket to have your request reviewed by the Microsoft Defender ATP team. + > Need more devices in your lab? Submit a support ticket to have your request reviewed by the Defender for Endpoint team. If you chose to add a threat simulator during the lab setup, all devices will have the threat simulator agent installed in the devices that you add. The device will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. - The following security components are pre-configured in the test devices: +The following security components are pre-configured in the test devices: -- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +- [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus) -- [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) -- [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection) -- [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) +- [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) +- [Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection) +- [Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) - [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) - [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus) -- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) +- [Microsoft Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) >[!NOTE] -> Microsoft Defender Antivirus will be on (not in audit). If Microsoft Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). +> Microsoft Defender Antivirus will be on (not in audit mode). If Microsoft Defender Antivirus blocks you from running your simulation, you can turn off real-time protection on the device through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). @@ -167,7 +168,7 @@ You can simulate attack scenarios using: You can also use [Advanced hunting](advanced-hunting-query-language.md) to query data and [Threat analytics](threat-analytics.md) to view reports about emerging threats. ### Do-it-yourself attack scenarios -If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Microsoft Defender ATP capabilities and walk you through investigation experience. +If you are looking for a pre-made simulation, you can use our ["Do It Yourself" attack scenarios](https://securitycenter.windows.com/tutorials). These scripts are safe, documented, and easy to use. These scenarios will reflect Defender for Endpoint capabilities and walk you through investigation experience. >[!NOTE] @@ -197,11 +198,11 @@ If you are looking for a pre-made simulation, you can use our ["Do It Yourself" If you chose to install any of the supported threat simulators during the lab setup, you can run the built-in simulations on the evaluation lab devices. -Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender ATP capabilities within the confines of a lab environment. +Running threat simulations using third-party platforms is a good way to evaluate Microsoft Defender for Endpoint capabilities within the confines of a lab environment. >[!NOTE] >Before you can run simulations, ensure the following requirements are met: ->- Devices must be added to the evaluation lab +>- Devices must be added to the evaluation lab >- Threat simulators must be installed in the evaluation lab 1. From the portal select **Create simulation**. @@ -224,17 +225,16 @@ Running threat simulations using third-party platforms is a good way to evaluate ![Image of simulations tab](images/simulations-tab.png) -After running your simulations, we encourage you to walk through the lab progress bar and explore Microsoft Defender ATP features. See if the attack simulations you ran triggered an automated investigation and remediation, check out the evidence collected and analyzed by the feature. +After running your simulations, we encourage you to walk through the lab progress bar and explore **Microsoft Defender for Endpoint triggered an automated investigation and remediation**. Check out the evidence collected and analyzed by the feature. Hunt for attack evidence through advanced hunting by using the rich query language and raw telemetry and check out some world-wide threats documented in Threat analytics. ## Simulation gallery -Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. +Microsoft Defender for Endpoint has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal. View all the available simulations by going to **Simulations and tutorials** > **Simulations catalog** from the menu. - A list of supported third-party threat simulation agents are listed, and specific types of simulations along with detailed descriptions are provided on the catalog. You can conveniently run any available simulation right from the catalog. diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 54be37811e..a2b75300ee 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -1,7 +1,7 @@ --- title: Review events and errors using Event Viewer -description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Microsoft Defender ATP service. -keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender Advanced Threat Protection service, cannot start, broken, can't start +description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Microsoft Defender for Endpoint service. +keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender for Endpoint service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -28,18 +28,13 @@ ms.date: 05/21/2018 - Event Viewer -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. For example, if devices are not appearing in the **Devices list**, you might need to look for event IDs on the devices. You can then use this table to determine further troubleshooting steps. -> [!NOTE] -> It can take several days for devices to begin reporting to the Microsoft Defender ATP service. - -**Open Event Viewer and find the Microsoft Defender ATP service event log:** +**Open Event Viewer and find the Microsoft Defender for Endpoint service event log:** 1. Click **Start** on the Windows menu, type **Event Viewer**, and press **Enter**. @@ -49,7 +44,7 @@ For example, if devices are not appearing in the **Devices list**, you might nee a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**. > [!NOTE] - > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender ATP. + > SENSE is the internal name used to refer to the behavioral sensor that powers Microsoft Defender for Endpoint. 3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service. @@ -63,39 +58,39 @@ For example, if devices are not appearing in the **Devices list**, you might nee
    - + - + - + - - + - - + - + - + - + - + - + - + - - + - + - + - + - + - + - + - +

    Threat & Vulnerability Management

    Attack surface reduction

    Next-generation protection

    Endpoint detection and response

    Automated investigation and remediation

    Microsoft Threat Experts
    threat and vulnerability icon
    Threat & vulnerability management
    attack surface reduction icon
    Attack surface reduction
    next generation protection icon
    Next-generation protection
    endpoint detection and response icon
    Endpoint detection and response
    automated investigation and remediation icon
    Automated investigation and remediation
    microsoft threat experts icon
    Microsoft Threat Experts
    @@ -47,19 +47,14 @@ ms.topic: conceptual >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] -**[Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    +**[Threat & vulnerability management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)**
    This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. -- [Risk-based Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](microsoft-defender-atp/tvm-supported-os.md) -- [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md) -- [Exposure score](microsoft-defender-atp/tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Security recommendations](microsoft-defender-atp/tvm-security-recommendation.md) -- [Remediation](microsoft-defender-atp/tvm-remediation.md) -- [Software inventory](microsoft-defender-atp/tvm-software-inventory.md) -- [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md) -- [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md) +- [Threat & vulnerability management overview](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) +- [Get started](microsoft-defender-atp/tvm-prerequisites.md) +- [Access your security posture](microsoft-defender-atp/tvm-dashboard-insights.md) +- [Improve your security posture and reduce risk](microsoft-defender-atp/tvm-security-recommendation.md) +- [Understand vulnerabilities on your devices](microsoft-defender-atp/tvm-software-inventory.md) @@ -103,25 +98,16 @@ Endpoint detection and response capabilities are put in place to detect, investi **[Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md)**
    -In conjunction with being able to quickly respond to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +In addition to quickly responding to advanced attacks, Microsoft Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](microsoft-defender-atp/automated-investigations.md) - [View details and results of automated investigations](microsoft-defender-atp/auto-investigation-action-center.md) - [View and approve remediation actions](microsoft-defender-atp/manage-auto-investigation.md) - - -**[Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md)**
    - -Microsoft Defender ATP includes a Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - -- [Microsoft Secure Score for Devices](microsoft-defender-atp/tvm-microsoft-secure-score-devices.md) -- [Threat analytics](microsoft-defender-atp/threat-analytics.md) - **[Microsoft Threat Experts](microsoft-defender-atp/microsoft-threat-experts.md)**
    -Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization and additional context and insights that further empower Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. +Microsoft Defender ATP's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - [Targeted attack notification](microsoft-defender-atp/microsoft-threat-experts.md) - [Experts-on-demand](microsoft-defender-atp/microsoft-threat-experts.md) @@ -149,4 +135,4 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. + With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index 48c382b306..9919f7d8d2 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -10,7 +10,9 @@ ### [Macro malware](macro-malware.md) -### [Phishing](phishing.md) +### [Phishing attacks](phishing.md) + +#### [Phishing trends and techniques](phishing-trends.md) ### [Ransomware](ransomware-malware.md) @@ -46,7 +48,7 @@ ### [Coordinated malware eradication](coordinated-malware-eradication.md) -## [Information for developers](developer-info.md) +## [Information for developers]() ### [Software developer FAQ](developer-faq.md) diff --git a/windows/security/threat-protection/intelligence/developer-info.md b/windows/security/threat-protection/intelligence/developer-info.md deleted file mode 100644 index eb0ac99896..0000000000 --- a/windows/security/threat-protection/intelligence/developer-info.md +++ /dev/null @@ -1,29 +0,0 @@ ---- -title: Information for developers -ms.reviewer: -description: This page provides answers to common questions we receive from software developers and other useful resources -keywords: software, developer, faq, dispute, false-positive, classify, installer, software, bundler, blocking -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: ellevin -author: levinec -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Information for developers - -Learn about the common questions we receive from software developers and get other developer resources such as detection criteria and file submissions. - -## In this section - -Topic | Description -:---|:--- -[Software developer FAQ](developer-faq.md) | Provides answers to common questions we receive from software developers. -[Developer resources](developer-resources.md) | Provides information about how to submit files and the detection criteria. Learn how to check your software against the latest security intelligence and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index b6f4a2b873..45dd414624 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -43,8 +43,8 @@ We've seen macro malware download threats from the following families: * Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads. -* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules) +* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) -For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). +For more tips on protecting yourself from suspicious emails, see [phishing](phishing.md). -For more general tips, see [prevent malware infection](prevent-malware-infection.md). +For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/intelligence/phishing-trends.md b/windows/security/threat-protection/intelligence/phishing-trends.md new file mode 100644 index 0000000000..dcb01fd998 --- /dev/null +++ b/windows/security/threat-protection/intelligence/phishing-trends.md @@ -0,0 +1,69 @@ +--- +title: Phishing trends and techniques +ms.reviewer: +description: Learn about how to spot phishing techniques +keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack, spear phishing, whaling +ms.prod: w10 +ms.mktglfcycl: secure +ms.sitesec: library +ms.localizationpriority: medium +ms.author: ellevin +author: levinec +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +search.appverid: met150 +--- + +# Phishing trends and techniques + +Phishing attacks are scams that often use social engineering bait or lure content. Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. + +Below are some of the most common phishing techniques attackers will employ to try to steal information or gain access to your devices. + +## Invoice phishing + +In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. + +## Payment/delivery scam + +You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them. + +## Tax-themed phishing scams + +A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. + +## Downloads + +An attacker sends a fraudulent email requesting you to open or download a document attachment, such as a PDF. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you. + +## Phishing emails that deliver other threats + +Phishing emails are often effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. + +We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. + +## Spear phishing + +Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target. + +Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. + +The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. + +## Whaling + +Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. + +## Business email compromise + +Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers. + +## More information about phishing attacks + +For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): + +- [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) +- [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) +- [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index cfc9140745..d70c3f606b 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -1,5 +1,5 @@ --- -title: Phishing +title: How to protect against phishing attacks ms.reviewer: description: Learn about how phishing work, deliver malware do your devices, and what you can do to protect yourself keywords: security, malware, phishing, information, scam, social engineering, bait, lure, protection, trends, targeted attack @@ -16,98 +16,15 @@ ms.topic: article search.appverid: met150 --- -# Phishing +# How to protect against phishing attacks Phishing attacks attempt to steal sensitive information through emails, websites, text messages, or other forms of electronic communication. They try to look like official communication from legitimate companies or individuals. Cybercriminals often attempt to steal usernames, passwords, credit card details, bank account information, or other credentials. They use stolen information for malicious purposes, such as hacking, identity theft, or stealing money directly from bank accounts and credit cards. The information can also be sold in cybercriminal underground markets. -## What to do if you've been a victim of a phishing scam - -If you feel you've been a victim of a phishing attack: - -1. Contact your IT admin if you are on a work computer. -2. Immediately change all passwords associated with the accounts. -3. Report any fraudulent activity to your bank and credit card company. - -### Reporting spam - -- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**. - -- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**. - -- **Microsoft**: Create a new, blank email message with the one of the following recipients: - - Junk: junk@office365.microsoft.com - - Phishing: phish@office365.microsoft.com - - Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). - -- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved. - -If you’re on a suspicious website: - -- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website. - -- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website. - ->[!NOTE] ->For more information, see [Protect yourself from phishing](https://support.microsoft.com/en-us/help/4033787/windows-protect-yourself-from-phishing). - -## How phishing works - -Phishing attacks are scams that often use social engineering bait or lure content. For example, during tax season bait content can be tax-filing announcements that attempt to lure you into providing personal information such as your SSN or bank account information. - -Legitimate-looking communication, usually email, that links to a phishing site is one of the most common methods used in phishing attacks. The phishing site typically mimics sign in pages that require users to input credentials and account information. The phishing site then captures the sensitive information as soon as the user provides it, giving attackers access to the information. - -Another common phishing technique is the use of emails that direct you to open a malicious attachment like a PDF file. The attachment often contains a message asking you to sign in to another site, such as email or file sharing websites, to open the document. When you access these phishing sites using your sign-in credentials, the attacker now has access to your information and can gain additional personal information about you. - -## Phishing trends and techniques - -### Invoice phishing - -In this scam, the attacker attempts to lure you with an email stating that you have an outstanding invoice from a known vendor or company. They then provide a link for you to access and pay your invoice. When you access the site, the attacker is poised to steal your personal information and funds. - -### Payment/delivery scam - -You're asked to provide a credit card or other personal information so that your payment information can be updated with a commonly known vendor or supplier. The update is requested so that you can take delivery of your ordered goods. Generally, you may be familiar with the company and have likely done business with them in the past. However, you aren't aware of any items you have recently purchased from them. - -### Tax-themed phishing scams - -A common IRS phishing scam is receiving an urgent email letter indicating that you owe money to the IRS. Often the email threatens legal action if you don't access the site in a timely manner and pay your taxes. When you access the site, the attackers can steal your personal credit card or bank information and drain your accounts. - -### Downloads - -An attacker sends a fraudulent email requesting you to open or download a document, often requiring you to sign in. - -### Phishing emails that deliver other threats - -Phishing emails are often very effective, so attackers sometimes use them to distribute [ransomware](ransomware-malware.md) through links or attachments in emails. When run, the ransomware encrypts files and displays a ransom note, which asks you to pay a sum of money to access to your files. - -We have also seen phishing emails that have links to [tech support scam](support-scams.md) websites. These websites use various scare tactics to trick you into calling hotlines and paying for unnecessary "technical support services" that supposedly fix contrived device, platform, or software problems. - -## Targeted attacks against enterprises - -### Spear phishing - -Spear phishing is a targeted phishing attack that involves highly customized lure content. Attackers will typically do reconnaissance work by surveying social media and other information sources about their intended target. - -Spear phishing may involve tricking you into logging into fake sites and divulging credentials. I may also lure you into opening documents by clicking on links that automatically install malware. With this malware in place, attackers can remotely manipulate the infected computer. - -The implanted malware serves as the point of entry for a more sophisticated attack, known as an advanced persistent threat (APT). APTs are designed to establish control and steal data over extended periods. Attackers may try to deploy more covert hacking tools, move laterally to other computers, compromise or create privileged accounts, and regularly exfiltrate information from compromised networks. - -### Whaling - -Whaling is a form of phishing directed at high-level or senior executives within specific companies to gain access to their credentials and/or bank information. The content of the email may be written as a legal subpoena, customer complaint, or other executive issue. This type of attack can also lead to an APT attack within an organization. - -### Business email compromise - -Business email compromise (BEC) is a sophisticated scam that targets businesses who frequently work with foreign suppliers or do money wire transfers. One of the most common schemes used by BEC attackers involves gaining access to a company’s network through a spear phishing attack. The attacker creates a domain similar to the company they're targeting, or spoofs their email to scam users into releasing personal account information for money transfers. - -## How to protect against phishing attacks - Social engineering attacks are designed to take advantage of a user's possible lapse in decision-making. Be aware and never provide sensitive or personal information through email or unknown websites, or over the phone. Remember, phishing emails are designed to appear legitimate. -### Awareness +## Learn the signs of a phishing scam The best protection is awareness and education. Don’t open attachments or links in unsolicited emails, even if the emails came from a recognized source. If the email is unexpected, be wary about opening the attachment and verify the URL. @@ -141,9 +58,7 @@ Here are several telltale signs of a phishing scam: If in doubt, contact the business by known channels to verify if any suspicious emails are in fact legitimate. -For more information, download and read this Microsoft [e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. - -### Software solutions for organizations +## Software solutions for organizations * [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) and [Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) offer protection from the increasing threat of targeted attacks using Microsoft's industry-leading Hyper-V virtualization technology. If a browsed website is deemed untrusted, the Hyper-V container will isolate that device from the rest of your network thereby preventing access to your enterprise data. @@ -151,14 +66,36 @@ For more information, download and read this Microsoft [e-book on preventing soc * Use [Office 365 Advanced Threat Protection (ATP)](https://products.office.com/exchange/online-email-threat-protection?ocid=cx-blog-mmpc) to help protect your email, files, and online storage against malware. It offers holistic protection in Microsoft Teams, Word, Excel, PowerPoint, Visio, SharePoint Online, and OneDrive for Business. By protecting against unsafe attachments and expanding protection against malicious links, it complements the security features of Exchange Online Protection to provide better zero-day protection. -For more tips and software solutions, see [prevent malware infection](prevent-malware-infection.md). +## What to do if you've been a victim of a phishing scam + +If you feel you've been a victim of a phishing attack: + +1. Contact your IT admin if you are on a work computer +2. Immediately change all passwords associated with the accounts +3. Report any fraudulent activity to your bank and credit card company + +### Reporting spam + +- **Outlook.com**: If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to **Junk**, and then select **Phishing**. + +- **Microsoft Office Outlook**: While in the suspicious message, select **Report message** from the ribbon, and then select **Phishing**. + +- **Microsoft**: Create a new, blank email message with the one of the following recipients: + - Junk: junk@office365.microsoft.com + - Phishing: phish@office365.microsoft.com + + Drag and drop the junk or phishing message into the new message. This will save the junk or phishing message as an attachment in the new message. Don't copy and paste the content of the message or forward the message (we need the original message so we can inspect the message headers). For more information, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). + +- **Anti-Phishing Working Group**: phishing-report@us-cert.gov. The group uses reports generated from emails sent to fight phishing scams and hackers. ISPs, security vendors, financial institutions, and law enforcement agencies are involved. + +### If you’re on a suspicious website + +- **Microsoft Edge**: While you’re on a suspicious site, select the **More (…) icon** > **Help and feedback** > **Report Unsafe site**. Follow the instructions on the webpage that displays to report the website. + +- **Internet Explorer**: While you’re on a suspicious site, select the gear icon, point to **Safety**, and then select **Report Unsafe Website**. Follow the instructions on the webpage that displays to report the website. ## More information about phishing attacks -For information on the latest phishing attacks, techniques, and trends, you can read these entries on the [Microsoft Security blog](https://www.microsoft.com/security/blog/product/windows/): - -* [Phishers unleash simple but effective social engineering techniques using PDF attachments](https://cloudblogs.microsoft.com/microsoftsecure/2017/01/26/phishers-unleash-simple-but-effective-social-engineering-techniques-using-pdf-attachments/?source=mmpc) - -* [Tax themed phishing and malware attacks proliferate during the tax filing season](https://cloudblogs.microsoft.com/microsoftsecure/2017/03/20/tax-themed-phishing-and-malware-attacks-proliferate-during-the-tax-filing-season/?source=mmpc) - -* [Phishing like emails lead to tech support scam](https://cloudblogs.microsoft.com/microsoftsecure/2017/08/07/links-in-phishing-like-emails-lead-to-tech-support-scam/?source=mmpc) +- [Protect yourself from phishing](https://support.microsoft.com/help/4033787/windows-protect-yourself-from-phishing) +- [Phishing trends](phishing-trends.md) +- [Microsoft e-book on preventing social engineering attacks](https://info.microsoft.com/Protectyourweakestlink.html?ls=social), especially in enterprise environments. diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md index df44f6142a..bd1b4f57e7 100644 --- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md +++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md @@ -17,22 +17,22 @@ search.appverid: met150 --- # Troubleshooting malware submission errors caused by administrator block -In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this. +In some instances, an administrator block might cause submission issues when you try to submit a potentially infected file to the [Microsoft Security intelligence website](https://www.microsoft.com/wdsi) for analysis. The following process shows how to resolve this problem. ## Review your settings Open your Azure [Enterprise application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/). Under **Enterprise Applications** > **Users can consent to apps accessing company data on their behalf**, check whether Yes or No is selected. -- If this is set to **No**, an AAD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with AAD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their AAD admin. Go to the following section for more information. +- If **No** is selected, an Azure AD administrator for the customer tenant will need to provide consent for the organization. Depending on the configuration with Azure AD, users might be able to submit a request right from the same dialog box. If there’s no option to ask for admin consent, users need to request for these permissions to be added to their Azure AD admin. Go to the following section for more information. -- It this is set to **Yes**, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign-in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If this is set to **No** you'll need to request an AAD admin enable it. +- If **Yes** is selected, ensure the Windows Defender Security Intelligence app setting **Enabled for users to sign in?** is set to **Yes** [in Azure](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). If **No** is selected, you'll need to request an Azure AD admin enable it.   ## Implement Required Enterprise Application permissions This process requires a global or application admin in the tenant. 1. Open [Enterprise Application settings](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/4a918a14-4069-4108-9b7d-76486212d75d). - 2. Click **Grant admin consent for organization**. - 3. If you're able to do so, Review the API permissions required for this application. This should be exactly the same as in the following image. Provide consent for the tenant. + 2. Select **Grant admin consent for organization**. + 3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant. - ![grant consent image](images/msi-grant-admin-consent.jpg) + ![grant consent image](images/msi-grant-admin-consent.jpg) 4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.   @@ -59,15 +59,15 @@ This process requires that global admins go through the Enterprise customer sign ![Consent sign in flow](images/msi-microsoft-permission-required.jpg) -Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and click **Accept**. +Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**. All users in the tenant will now be able to use this application. -## Option 3: Delete and re-add app permissions +## Option 3: Delete and readd app permissions If neither of these options resolve the issue, try the following steps (as an admin): 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b) -and click **delete**. +and select **delete**. ![Delete app permissions](images/msi-properties.png) @@ -78,7 +78,7 @@ and click **delete**. ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png) -4. Review the permissions required by the application, and then click **Accept**. +4. Review the permissions required by the application, and then select **Accept**. 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051). diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 5aded1e416..fa58868aa8 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -18,21 +18,28 @@ ms.topic: article The Virus Information Alliance (VIA) is a public antimalware collaboration program for security software providers, security service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. -Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft, with the goal of improving protection for Microsoft customers. +Members of the VIA program collaborate by exchanging technical information on malicious software with Microsoft. The goal is to improve protection for Microsoft customers. ## Better protection for customers against malware -The VIA program gives members access to information that will help improve protection for Microsoft customers. For example, the program provides malware telemetry and samples to security product teams to identify gaps in their protection and prioritize new threat coverage. +The VIA program gives members access to information that will help them improve protection. For example, the program provides malware telemetry and samples to security teams so they can identify gaps and prioritize new threat coverage. -Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets and setting scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. +Malware prevalence data is provided to antimalware testers to assist them in selecting sample sets. The data also helps set scoring criteria that represent the real-world threat landscape. Service organizations, such as a CERT, can leverage our data to help assess the impact of policy changes or to help shut down malicious activity. Microsoft is committed to continuous improvement to help reduce the impact of malware on customers. By sharing malware-related information, Microsoft enables members of this community to work towards better protection for customers. ## Becoming a member of VIA -Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). The criteria is designed to ensure that Microsoft is able to work with security software providers, security service providers, antimalware testing organizations, and other organizations involved in the fight against cybercrime to protect a broad range of customers. +Microsoft has well-defined, objective, measurable, and tailored membership criteria for prospective members of the Virus Information Alliance (VIA). -Members will receive information to facilitate effective malware detection, deterrence, and eradication. This includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. +The criteria is designed to ensure that Microsoft can work with the following groups to protect a broad range of customers: + +- Security software providers +- Security service providers +- Antimalware testing organizations +- Other organizations involved in the fight against cybercrime + +Members will receive information to facilitate effective malware detection, deterrence, and eradication. This information includes technical information on malware as well as metadata on malicious activity. Information shared through VIA is governed by the VIA membership agreement and a Microsoft non-disclosure agreement, where applicable. VIA has an open enrollment for potential members. @@ -43,11 +50,12 @@ To be eligible for VIA your organization must: 1. Be willing to sign a non-disclosure agreement with Microsoft. 2. Fit into one of the following categories: - * Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. - * Your organization provides security services to Microsoft customers or for Microsoft products. - * Your organization publishes antimalware testing reports on a regular basis. - * Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. + + - Your organization develops antimalware technology that can run on Windows and your organization’s product is commercially available. + - Your organization provides security services to Microsoft customers or for Microsoft products. + - Your organization publishes antimalware testing reports on a regular basis. + - Your organization has a research or response team dedicated to fighting malware to protect your organization, your customers, or the general public. 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index a896140ce6..5f8f3c8139 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -19,13 +19,13 @@ ms.topic: article The Microsoft Virus Initiative (MVI) helps organizations to get their products working and integrated with Windows. -MVI members receive access to Windows APIs and other technologies including IOAV, AMSI and Cloud files. Members also get malware telemetry and samples and invitations to security related events and conferences. +MVI members receive access to Windows APIs and other technologies including IOAV, AMSI, and Cloud files. Members also get malware telemetry and samples and invitations to security-related events and conferences. ## Become a member -A request for membership is made by an individual as a representative of an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following eligibility requirements to qualify for the MVI program: +You can request membership if you're a representative for an organization that develops and produces antimalware or antivirus technology. Your organization must meet the following requirements to qualify for the MVI program: -1. Offer an antimalware or antivirus product that is one of the following: +1. Offer an antimalware or antivirus product that meets one of the following criteria: * Your organization's own creation. * Developed by using an SDK (engine and other components) from another MVI Partner company and your organization adds a custom UI and/or other functionality. @@ -34,7 +34,7 @@ A request for membership is made by an individual as a representative of an orga 3. Be active and have a positive reputation in the antimalware industry. - * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT or Gartner. + * Activity can include participation in industry conferences or being reviewed in an industry standard report such as AV Comparatives, OPSWAT, or Gartner. 4. Be willing to sign a non-disclosure agreement (NDA) with Microsoft. @@ -49,14 +49,14 @@ A request for membership is made by an individual as a representative of an orga Test Provider | Lab Test Type | Minimum Level / Score ------------- |---------------|---------------------- AV-Comparatives | Real-World Protection Test
    https://www.av-comparatives.org/testmethod/real-world-protection-tests/ |“Approved” rating from AV Comparatives -AV-Test | Must pass tests for Windows. Certifications for Mac and Linux are not accepted
    https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) +AV-Test | Must pass tests for Windows. Certifications for Mac and Linux aren't accepted
    https://www.av-test.org/en/about-the-institute/certification/ | Achieve "AV-TEST Certified" (for home users) or "AV-TEST Approved” (for corporate users) ICSA Labs | Endpoint Anti-Malware Detection
    https://www.icsalabs.com/technology-program/anti-virus/criteria |PASS/Certified NSS Labs | Advanced Endpoint Protection AEP 3.0, which covers automatic threat prevention and threat event reporting capabilities
    https://www.nsslabs.com/tested-technologies/advanced-endpoint-protection/ |“Neutral” rating from NSS -SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
    http://www.skdlabs.com/html/english/
    http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5 % with On Demand, On Access and Total Detection tests +SKD Labs | Certification Requirements Product: Anti-virus or Antimalware
    http://www.skdlabs.com/html/english/
    http://www.skdlabs.com/cert/ |SKD Labs Star Check Certification Requirements Pass >= 98.5% with On Demand, On Access and Total Detection tests SE Labs | Protection A rating or Small Business EP A rating or Enterprise EP Protection A rating
    https://selabs.uk/en/reports/consumers |Home or Enterprise “A” rating VB 100 | VB100 Certification Test V1.1
    https://www.virusbulletin.com/testing/vb100/vb100-methodology/vb100-methodology-ver1-1/ | VB100 Certification West Coast Labs | Checkmark Certified
    http://www.checkmarkcertified.com/sme/ | “A” Rating on Product Security Performance ## Apply now -If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/wdsi/alliances/apply-alliance-membership). For questions, [contact us for more information](https://www.microsoft.com/wdsi/alliances/collaboration-inquiry). diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index 04c8f8280f..ca62c08fd9 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -22,19 +22,19 @@ A worm is a type of malware that can copy itself and often spreads through a net ## How worms work -Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. +Worms represent a large category of malware. Different worms use different methods to infect devices. Depending on the variant, they can steal sensitive information, change security settings, send information to malicious hackers, stop users from accessing files, and other malicious activities. -Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infect users running Microsoft security software. Although these worms share some commonalities, it is interesting to note that they also have distinct characteristics. +Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have consistently remained at the top of the list of malware that infects users running Microsoft software. Although these worms share some commonalities, it's interesting to note that they also have distinct characteristics. * **Jenxcus** has capabilities of not only infecting removable drives but can also act as a backdoor that connects back to its server. This threat typically gets into a device from a drive-by download attack, meaning it's installed when users just visit a compromised web page. -* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. +* **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as info stealers, spammers, clickers, downloaders, and rogues. * **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. -Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. +Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they're doing, they try to avoid detection by security software. -* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (e.g. ransomware). +* [**WannaCrypt**](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:Win32/WannaCrypt) also deserves a mention here. Unlike older worms that often spread just because they could, modern worms often spread to drop a payload (like ransomware). This image shows how a worm can quickly spread through a shared USB drive. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md index 1bf808c9ae..273298bf6c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md @@ -25,7 +25,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus is designed to keep your PC safe with built-in, trusted antivirus protection. With Microsoft Defender Antivirus, you get comprehensive, ongoing, and real-time protection against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. @@ -44,7 +44,7 @@ What if something gets detected wrongly as malware, or something is missed? We c ## Create an "Allow" indicator to prevent a false positive from recurring -If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender Advanced Threat Protection) that the item is safe. +If a file, IP address, URL, or domain is treated as malware on a device, even though it's safe, you can create an "Allow" indicator. This indicator tells Microsoft Defender Antivirus (and Microsoft Defender for Endpoint) that the item is safe. To set up your "Allow" indicator, follow the guidance in [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). @@ -72,6 +72,6 @@ To learn more, see: ## Related articles -[What is Microsoft Defender Advanced Threat Protection?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) +[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) -[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index c313f7f7cf..586598290d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index 8d013685ee..b98d9268b6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index 3038c3095f..f6c285389b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ ms.date: 08/17/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md index 093c6632fb..2a0313ec61 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Manage Windows Defender in your business +title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh @@ -23,16 +23,16 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can manage and configure Microsoft Defender Antivirus with the following tools: -- Microsoft Intune -- Microsoft Endpoint Configuration Manager +- Microsoft Intune (now part of Microsoft Endpoint Manager) +- Microsoft Endpoint Configuration Manager (now part of Microsoft Endpoint Manager) - Group Policy - PowerShell cmdlets - Windows Management Instrumentation (WMI) -- The mpcmdrun.exe utility +- The Microsoft Malware Protection Command Line Utility (referred to as the *mpcmdrun.exe* utility The articles in this section provide further information, links, and resources for using these tools to manage and configure Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md index ee3e692d4a..5d559f0d89 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Use Microsoft Intune to configure scanning options diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index a71f13399e..43aa53b445 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Enable Block at First Sight to detect malware in seconds -description: Turn on the block at first sight feature to detect and block malware within seconds, and validate that it is configured correctly. +title: Enable block at first sight to detect malware in seconds +description: Turn on the block at first sight feature to detect and block malware within seconds. keywords: scan, BAFS, malware, first seen, first sight, cloud, defender search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -12,7 +12,7 @@ ms.author: deniseb ms.reviewer: manager: dansimp ms.custom: nextgen -ms.date: 08/26/2020 +ms.date: 10/22/2020 --- # Turn on block at first sight @@ -24,125 +24,91 @@ ms.date: 08/26/2020 - Microsoft Defender Antivirus -Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. +Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. -You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. +You can [specify how long a file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. >[!TIP] ->Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. +>Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. ## How it works When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. +Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if the file is a previously undetected file. If the cloud backend is unable to make a determination, Microsoft Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe. In many cases, this process can reduce the response time for new malware from hours to seconds. -## Confirm and validate that block at first sight is turned on +## Turn on block at first sight with Microsoft Intune -Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Microsoft Defender Antivirus deployments. +> [!TIP] +> Microsoft Intune is now part of Microsoft Endpoint Manager. -### Confirm block at first sight is turned on with Intune +1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Devices** > **Configuration profiles**. -1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Microsoft Defender Antivirus**. +2. Select or create a profile using the **Device restrictions** profile type. - > [!NOTE] - > The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type. +3. In the **Configuration settings** for the Device restrictions profile, set or confirm the following settings under **Microsoft Defender Antivirus**: -2. Verify these settings are configured as follows: - - - **Cloud-delivered protection**: **Enable** - - **File Blocking Level**: **High** - - **Time extension for file scanning by the cloud**: **50** - - **Prompt users before sample submission**: **Send all data without prompting** + - **Cloud-delivered protection**: Enabled + - **File Blocking Level**: High + - **Time extension for file scanning by the cloud**: 50 + - **Prompt users before sample submission**: Send all data without prompting ![Intune config](images/defender/intune-block-at-first-sight.png) - > [!WARNING] - > Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). +4. Save your settings. -For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +> [!TIP] +> - Setting the file blocking level to **High** applies a strong level of detection. In the unlikely event that file blocking causes a false positive detection of legitimate files, you can [restore quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus). +> - For more information about configuring Microsoft Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +> - For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). -For a list of Microsoft Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus). +## Turn on block at first sight with Microsoft Endpoint Manager -### Turn on block at first sight with Microsoft Endpoint Configuration Manager +> [!TIP] +> If you're looking for Microsoft Endpoint Configuration Manager, it's now part of Microsoft Endpoint Manager. -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**. +1. In Microsoft Endpoint Manager ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), go to **Endpoint security** > **Antivirus**. -2. Click **Home** > **Create Antimalware Policy**. +2. Select an existing policy, or create a new policy using the **Microsoft Defender Antivirus** profile type. -3. Enter a name and a description, and add these settings: - - **Real time protection** - - **Advanced** - - **Cloud Protection Service** +3. Set or confirm the following configuration settings: -4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable real-time protection](images/defender/sccm-real-time-protection.png) + - **Turn on cloud-delivered protection**: Yes + - **Cloud-delivered protection level**: High + - **Defender Cloud Extended Timeout in Seconds**: 50 -5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. - ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) + :::image type="content" source="images/endpointmgr-antivirus-cloudprotection.png" alt-text="Block at first sight settings in Endpoint Manager"::: -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. - ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) +4. Apply the Microsoft Defender Antivirus profile to a group, such as **All users**, **All devices**, or **All users and devices**. -7. Click **OK** to create the policy. +## Turn on block at first sight with Group Policy -### Confirm block at first sight is turned on with Group Policy +> [!NOTE] +> We recommend using Intune or Microsoft Endpoint Manager to turn on block at first sight. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and select **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. Using the **Group Policy Management Editor** go to **Computer configuration** > **Administrative templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS**. -3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: +3. In the MAPS section, double-click **Configure the 'Block at First Sight' feature**, and set it to **Enabled**, and then select **OK**. - 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. - - > [!WARNING] + > [!IMPORTANT] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. -4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Real-time Protection**: +4. In the MAPS section, double-click **Send file samples when further analysis is required**, and set it to **Enabled**. Under **Send file samples when further analysis is required**, select **Send all samples**, and then click **OK**. - 1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**. +5. If you changed any settings, redeploy the Group Policy Object across your network to ensure all endpoints are covered. - 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. - -5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**: - - 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**. - - 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**. - -If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered. - -### Confirm block at first sight is turned on with Registry editor - -1. Start Registry Editor. - -2. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet`, and make sure that - - 1. **SpynetReporting** key is set to **1** - - 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples) - -3. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection`, and make sure that - - 1. **DisableIOAVProtection** key is set to **0** - - 2. **DisableRealtimeMonitoring** key is set to **0** - -4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2** - -### Confirm Block at First Sight is enabled on individual clients +## Confirm block at first sight is enabled on individual clients You can confirm that block at first sight is enabled on individual clients using Windows security settings. @@ -157,24 +123,43 @@ Block at first sight is automatically enabled as long as **Cloud-delivered prote 3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on. > [!NOTE] -> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. +> - If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. +> - Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -### Validate block at first sight is working +## Validate block at first sight is working -You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). +To validate that the feature is working, follow the guidance in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud). ## Turn off block at first sight -> [!WARNING] -> Turning off block at first sight will lower the protection state of the endpoint and your network. +> [!CAUTION] +> Turning off block at first sight will lower the protection state of your device(s) and your network. -You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network. +You might choose to disable block at first sight if you want to retain the prerequisite settings without actually using block at first sight protection. You might do temporarily turn block at first sight off if you are experiencing latency issues or you want to test the feature's impact on your network. However, we do not recommend disabling block at first sight protection permanently. + +### Turn off block at first sight with Microsoft Endpoint Manager + +1. Go to Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. + +2. Go to **Endpoint security** > **Antivirus**, and then select your Microsoft Defender Antivirus policy. + +3. Under **Manage**, choose **Properties**. + +4. Next to **Configuration settings**, choose **Edit**. + +5. Change one or more of the following settings: + + - Set **Turn on cloud-delivered protection** to **No** or **Not configured**. + - Set **Cloud-delivered protection level** to **Not configured**. + - Clear the **Defender Cloud Extended Timeout In Seconds** box. + +6. Review and save your settings. ### Turn off block at first sight with Group Policy 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. Using the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. 3. Expand the tree through **Windows components** > **Microsoft Defender Antivirus** > **MAPS**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index db09d1d9ef..93e3d5c543 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index 1351a2448b..4d3ba69753 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index cad89f1643..88a2e71534 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -12,6 +12,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.date: 10/21/2020 --- # Configure and validate exclusions based on file extension and folder location @@ -21,10 +22,10 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] -> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md). +> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](../microsoft-defender-atp/manage-indicators.md). ## Exclusion lists @@ -187,7 +188,7 @@ The following table describes how the wildcards can be used and provides some ex |Wildcard |Examples | |---------|---------| |`*` (asterisk)

    In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

    `C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

    `C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | -|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | +|`?` (question mark)

    In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

    In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip`

    `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

    `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables

    The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md index 5a4dcf2b76..e9c99642d5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md index 0e9715c7f7..a3d582510d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can configure Microsoft Defender Antivirus with a number of tools, including: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md index f19baf44aa..8ee17ca054 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md @@ -32,7 +32,7 @@ This article lists the connections that must be allowed, such as by using firewa See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity. >[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > >- Cloud-delivered protection >- Fast learning (including block at first sight) @@ -49,7 +49,7 @@ See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defend After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. -Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. +Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft Defender for Office 365 machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md index ce2af4d4b6..609661e280 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index ae76a5bd9d..95de8ec073 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md index 3d94d7776c..5e47aa185b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus uses several methods to provide threat protection: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md index d16426a613..83078c2db2 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ ms.custom: nextgen **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index ef93c95c0e..cc8fa8dec9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index fc90bc6dbc..1fa6c1665b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -157,7 +157,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r - The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage` - - `%systemroot%\Sysvol\*\Nntfrs_cmp*\` + - `%systemroot%\Sysvol\*\Ntfrs_cmp*\` - The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory` diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md index f482a524ba..0651cae7a7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index f482a524ba..6b950c1ad9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -16,24 +16,24 @@ ms.reviewer: manager: dansimp --- -# Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation +# Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. ## In this section -Topic | Description ----|--- -[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning -[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning -[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder -[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app -[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app +| Article | Description | +|:---|:---| +|[Configure and validate file, folder, and process-opened file exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) | You can exclude files (including files modified by specified processes) and folders from on-demand scans, scheduled scans, and always-on real-time protection monitoring and scanning | +|[Configure Microsoft Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md) | You can configure Microsoft Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning | +|[Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md) | Configure what Microsoft Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder | +|[Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans | +|[Configure and run scans](run-scan-microsoft-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app | +|[Review scan results](review-scan-results-microsoft-defender-antivirus.md) | Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index a6d053b389..d2339875a5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -23,13 +23,13 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways. Because the Microsoft Defender Antivirus client is installed as a core part of Windows 10, traditional deployment of a client to your endpoints does not apply. -However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Security Center, or Group Policy Objects, which is described in the following table. +However, in most cases you will still need to enable the protection service on your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Azure Defender, or Group Policy Objects, which is described in the following table. You'll also see additional links for: @@ -46,7 +46,7 @@ Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protectio Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. 1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index e66ebbd817..97eeac6ba1 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index ebce0895fc..8139e27e9a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -22,13 +22,13 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. See [Windows Virtual Desktop Documentation](https://docs.microsoft.com/azure/virtual-desktop) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Defender](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. With the ability to easily deploy updates to VMs running in VDIs, we've shortened this guide to focus on how you can get updates on your machines quickly and easily. You no longer need to create and seal golden images on a periodic basis, as updates are expanded into their component bits on the host server and then downloaded directly to the VM when it's turned on. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index 0c17ea1575..4c9c47828e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -23,13 +23,13 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge) > [!NOTE] > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. -Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior. +Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. For example: @@ -66,7 +66,7 @@ Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Windows Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Windows Defender SmartScreen on or off. -Although Microsoft Defender ATP has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender ATP portal, Windows Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list, based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Windows Defender SmartScreen will respect the new settings. ### Microsoft Defender Antivirus @@ -88,7 +88,7 @@ You can enable PUA protection with Microsoft Intune, Microsoft Endpoint Configur You can also use the PUA audit mode to detect PUAs without blocking them. The detections will be captured in the Windows event log. > [!TIP] -> You can visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. +> You can visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. PUA audit mode is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index e62fd3c943..7e6ac508a9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -26,7 +26,7 @@ ms.custom: nextgen > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) You can enable or disable Microsoft Defender Antivirus cloud-delivered protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. @@ -55,7 +55,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca > The **Send safe samples automatically** option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting to **Always Prompt** will lower the protection state of the device. Setting to **Never send** means the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. 8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. @@ -86,7 +86,7 @@ See [How to create and deploy antimalware policies: Cloud-protection service](ht > The **Send safe samples** (1) option means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. > [!WARNING] - > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. + > Setting the option to **Always Prompt** (0) will lower the protection state of the device. Setting it to **Never send** (2) means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. 7. Click **OK**. @@ -105,7 +105,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u > You can also set **-SubmitSamplesConsent** to `SendSafeSamples` (the default setting), `NeverSend`, or `AlwaysPrompt`. The `SendSafeSamples` setting means that most samples will be sent automatically. Files that are likely to contain personal information will still prompt and require additional confirmation. >[!WARNING] -> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender ATP won't work. +> Setting **-SubmitSamplesConsent** to `NeverSend` or `AlwaysPrompt` will lower the protection level of the device. In addition, setting it to `NeverSend` means that the [Block at First Sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) feature of Microsoft Defender for Endpoint won't work. ## Use Windows Management Instruction (WMI) to enable cloud-delivered protection diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index d76667b2a1..0cba7e0b50 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -22,12 +22,12 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. >[!TIP] ->You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: +>You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work: >- Cloud-delivered protection >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png new file mode 100644 index 0000000000..d9751a4953 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/endpointmgr-antivirus-cloudprotection.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 9b9a68afc6..1edd31f232 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -24,7 +24,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index 2a22aeb079..efb0cb995d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index ab04442450..b6b1f9f8bb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index 9565e809a3..c9d0582201 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -24,7 +24,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Antivirus lets you determine when it should look for and download updates. @@ -61,10 +61,10 @@ You can also randomize the times when each endpoint checks and downloads protect 4. Click **Policies** then **Administrative templates**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > Signature Updates** and configure the following settings: +5. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Signature Intelligence Updates** and configure the following settings: - 1. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. - 2. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 1. Double-click the **Specify the day of the week to check for security intelligence updates** setting and set the option to **Enabled**. Enter the day of the week to check for updates. Click **OK**. + 2. Double-click the **Specify the interval to check for security intelligence updates** setting and set the option to **Enabled**. Enter the number of hours between updates. Click **OK**. 3. Double-click the **Specify the time to check for security intelligence updates** setting and set the option to **Enabled**. Enter the time when updates should be checked. The time is based on the local time of the endpoint. Click **OK**. @@ -103,8 +103,3 @@ See the following for more information and allowed parameters: - [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - - - - - diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 2ac2800429..604fc20a9a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ ms.custom: nextgen **Applies to:** -- [Microsoft Defender Advanced Threat Protection](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index d352e882bd..f562eb572d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 10/08/2020 +ms.date: 11/06/2020 --- # Manage Microsoft Defender Antivirus updates and apply baselines @@ -23,7 +23,7 @@ ms.date: 10/08/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) There are two types of updates related to keeping Microsoft Defender Antivirus up to date: @@ -69,14 +69,32 @@ For more information, see [Manage the sources for Microsoft Defender Antivirus p For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). -All our updates contain: -- performance improvements -- serviceability improvements -- integration improvements (Cloud, Microsoft 365 Defender) +All our updates contain +- performance improvements; +- serviceability improvements; and +- integration improvements (Cloud, Microsoft 365 Defender).
    + October-2020 (Platform: 4.18.2010.7 | Engine: 1.1.17600.5) + + Security intelligence update version: **1.327.7.0** + Released: **October 29, 2020** + Platform: **4.18.2010.7** + Engine: **1.1.17600.5** + Support phase: **Security and Critical Updates** + +### What's new +- New descriptions for special threat categories +- Improved emulation capabilities +- Improved host address allow/block capabilities +- New option in Defender CSP to Ignore merging of local user exclusions + +### Known Issues +No known issues +
    +
    September-2020 (Platform: 4.18.2009.7 | Engine: 1.1.17500.4)  Security intelligence update version: **1.325.10.0** @@ -88,7 +106,7 @@ All our updates contain: ### What's new - Admin permissions are required to restore files in quarantine - XML formatted events are now supported -- CSP support for ignoring exclusion merge +- CSP support for ignoring exclusion merges - New management interfaces for: - UDP Inspection - Network Protection on Server 2019 @@ -318,7 +336,8 @@ During the technical support (only) phase, commercially reasonable support incid The below table provides the Microsoft Defender Antivirus platform and engine versions that are shipped with the latest Windows 10 releases: |Windows 10 release |Platform version |Engine version |Support phase | -|-|-|-|-| +|:---|:---|:---|:---| +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) | |1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | |1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | |1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | @@ -332,10 +351,10 @@ Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsof ## See also -Article | Description ----|--- -[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. -[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. -[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan at the next logon. -[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. -[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. +| Article | Description | +|:---|:---| +|[Manage how protection updates are downloaded and applied](manage-protection-updates-microsoft-defender-antivirus.md) | Protection updates can be delivered through a number of sources. | +|[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) | You can schedule when protection updates should be downloaded. | +|[Manage updates for endpoints that are out of date](manage-outdated-endpoints-microsoft-defender-antivirus.md) | If an endpoint misses an update or scheduled scan, you can force an update or scan the next time a user signs in. | +|[Manage event-based forced updates](manage-event-based-updates-microsoft-defender-antivirus.md) | You can set protection updates to be downloaded at startup or after certain cloud-delivered protection events. | +|[Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md)| You can specify settings, such as whether updates should occur on battery power, that are especially useful for mobile devices and virtual machines. | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md index 06525a035e..fbbf677933 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index be374197ff..09984de193 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 09/28/2020 +ms.date: 11/06/2020 --- # Microsoft Defender Antivirus compatibility @@ -23,24 +23,24 @@ ms.date: 09/28/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. -- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. -- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact. +Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. +- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender for Endpoint is not used, then Microsoft Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.) +- If your organization is using Microsoft Defender for Endpoint together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) enabled, then whenever a malicious artifact is detected, Microsoft Defender for Endpoint takes action to block and remediate the artifact. -## Antivirus and Microsoft Defender ATP +## Antivirus and Microsoft Defender for Endpoint -The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender ATP. +The following table summarizes what happens with Microsoft Defender Antivirus when third-party antivirus products are used together or without Microsoft Defender for Endpoint. -| Windows version | Antimalware protection offered by | Organization enrolled in Microsoft Defender ATP | Microsoft Defender Antivirus state | +| Windows version | Antimalware protection | Microsoft Defender for Endpoint enrollment | Microsoft Defender Antivirus state | |------|------|-------|-------| | Windows 10 | A third-party product that is not offered or developed by Microsoft | Yes | Passive mode | -| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | +| Windows 10 | A third-party product that is not offered or developed by Microsoft | No | Automatic disabled mode | | Windows 10 | Microsoft Defender Antivirus | Yes | Active mode | | Windows 10 | Microsoft Defender Antivirus | No | Active mode | | Windows Server 2016 or 2019 | A third-party product that is not offered or developed by Microsoft | Yes | Active mode[[1](#fn1)] | @@ -50,7 +50,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh (1) On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not enter passive or disabled mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product, you should [consider uninstalling Microsoft Defender Antivirus on Windows Server 2016 or 2019](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a machine. -If you are Using Windows Server, version 1803 and Windows 2019, you can enable passive mode by setting this registry key: +If you are using Windows Server, version 1803 or Windows Server 2019, you can enable passive mode by setting this registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` - Name: ForceDefenderPassiveMode - Type: REG_DWORD @@ -72,32 +72,32 @@ The following table summarizes the functionality and features that are available |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | |--|--|--|--|--|--| |Active mode

    |Yes |No |Yes |Yes |Yes | -|Passive mode |No |No |Yes |No |Yes | +|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | - In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. -- In Automatic disabled mode, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. +- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on, Microsoft Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. ## Keep the following points in mind -If you are enrolled in Microsoft Defender ATP and you are using a third party antimalware product then passive mode is enabled because [the service requires common information sharing from the Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. +When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enabled if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. > [!WARNING] -> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender ATP, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). +> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). > [!IMPORTANT] -> If you are using [Microsoft endpoint data loss prevention (Endpoint DLP)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate. +> If you are using [Microsoft Endpoint DLP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview), Microsoft Defender Antivirus real-time protection is enabled, even when Microsoft Defender Antivirus is running in passive mode. Endpoint DLP depends on real-time protection to operate. -## Related topics +## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index e9bcff7d72..f141caebc4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -23,11 +23,11 @@ ms.custom: nextgen **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Microsoft Defender Antivirus: Your next-generation protection -Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: +Microsoft Defender Antivirus is the next-generation protection component of Microsoft Defender for Endpoint. Next-generation protection brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices in your enterprise organization. Next-generation protection services include the following: - [Behavior-based, heuristic, and real-time antivirus protection](configure-protection-features-microsoft-defender-antivirus.md). This includes always-on scanning using file and process behavior monitoring and other heuristics (also known as "real-time protection"). It also includes detecting and blocking apps that are deemed unsafe, but may not be detected as malware. - [Cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). This includes near-instant detection and blocking of new and emerging threats. @@ -35,7 +35,7 @@ Microsoft Defender Antivirus is the next-generation protection component of Micr ## Try a demo! -Visit the [Microsoft Defender ATP demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: +Visit the [Microsoft Defender for Endpoint demo website](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following protection features are working and explore them using demo scenarios: - Cloud-delivered protection - Block at first sight (BAFS) protection - Potentially unwanted applications (PUA) protection diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 76701c22f2..0b7e4ccdd6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -179,7 +179,7 @@ If you are using a third-party antivirus solution and you're running into issues - See the question "Should I run Microsoft security software at the same time as other security products?" on the [Windows Defender Security Intelligence Antivirus and antimalware software FAQ](https://www.microsoft.com/wdsi/help/antimalware-faq#multiple-products). -- See [Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection. +- See [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus). This article describes 10 advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. If you determine you do want to uninstall Microsoft Defender Antivirus, follow the steps in the following sections. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md index d2e1ac4fe4..355705569c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index a6e9c4aa01..e4f4d4c952 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. @@ -39,7 +39,7 @@ Settings that were previously part of the Windows Defender client and main Windo See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. -The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). +The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal that is used to review and manage [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md). ## Review virus and threat protection settings in the Windows Security app diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index 30030fb3b1..eb9a31fb16 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -32,7 +32,7 @@ You might already know that: - **Microsoft Defender Antivirus protects your Windows 10 device from software threats, such as viruses, malware, and spyware**. Microsoft Defender Antivirus is your complete, ongoing protection, built into Windows 10 and ready to go. [Microsoft Defender Antivirus is your next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). -- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Office 365 Advanced Threat Protection. [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). +- **Office 365 includes antiphishing, antispam, and antimalware protection**. With your Office 365 subscription, you get premium email and calendars, Office apps, 1 TB of cloud storage (via OneDrive), and advanced security across all your devices. This is true for home and business users. And if you're a business user, and your organization is using Office 365 E5, you get even more protection through Microsoft Defender for Office 365 [Protect against threats with Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats). - **OneDrive, included in Office 365, enables you to store your files and folders online, and share them as you see fit**. You can work together with people (for work or fun), and coauthor files that are stored in OneDrive. You can also access your files across all your devices (your PC, phone, and tablet). [Manage sharing in OneDrive](https://docs.microsoft.com/OneDrive/manage-sharing). @@ -48,9 +48,9 @@ Read the following sections to learn more. When you save your files to [OneDrive](https://docs.microsoft.com/onedrive), and [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) detects a ransomware threat on your device, the following things occur: -1. **You are told about the threat**. (If your organization is using [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (ATP), your security operations team is notified, too.) +1. **You are told about the threat**. (If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection), your security operations team is notified, too.) -2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender ATP, your security operations team can determine whether other devices are infected and take appropriate action, too.) +2. **Microsoft Defender Antivirus helps you (and your organization's security team) remove the ransomware** from your device(s). (If your organization is using Microsoft Defender for Endpoint, your security operations team can determine whether other devices are infected and take appropriate action, too.) 3. **You get the option to recover your files in OneDrive**. With the OneDrive Files Restore feature, you can recover your files in OneDrive to the state they were in before the ransomware attack occurred. See [Ransomware detection and recovering your files](https://support.office.com/article/0d90ec50-6bfd-40f4-acc7-b8c12c73637f). @@ -58,19 +58,19 @@ Think of the time and hassle this can save. ## Integration means better protection -Office 365 Advanced Threat Protection integrated with Microsoft Defender Advanced Threat Protection means better protection for your organization. Here's how: +Microsoft Defender for Office 365 integrated with Microsoft Defender for Endpoint means better protection for your organization. Here's how: -- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. +- [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) safeguards your organization against malicious threats posed in email messages, email attachments, and links (URLs) in Office documents. AND -- [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture. +- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) protects your devices from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves your security posture. SO - Once integration is enabled, your security operations team can see a list of devices that are used by the recipients of any detected URLs or email messages, along with recent alerts for those devices, in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). -If you haven't already done so, [integrate Office 365 Advanced Threat Protection with Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). +If you haven't already done so, [integrate Microsoft Defender for Office 365 with Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp). ## More good reasons to use OneDrive @@ -82,8 +82,8 @@ Protection from ransomware is one great reason to put your files in OneDrive. An [OneDrive](https://docs.microsoft.com/onedrive) -[Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide) +[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp?view=o365-worldwide) -[Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) +[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index 7bf4c22d0e..bc77598593 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans. @@ -40,7 +40,7 @@ With the setting set to **Disabled** or not configured: ![Screenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] ->Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender Advanced Threat Protection notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) +>Hiding the interface will also prevent Microsoft Defender Antivirus notifications from appearing on the endpoint. Microsoft Defender for Endpoint notifications will still appear. You can also individually [configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) In earlier versions of Windows 10, the setting will hide the Windows Defender client interface. If the user attempts to open it, they will receive a warning that says, "Your system administrator has restricted access to this app." diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index 2705f9bf69..9b789e6a59 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index 19b05b9f87..e2ce17b208 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index da893a1b8a..44079dd62b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 84a2edacf5..04914ca837 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index f176529dde..153100cb9f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: Schedule regular quick and full scans with Microsoft Defender AV +title: Schedule regular quick and full scans with Microsoft Defender Antivirus description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular search.product: eADQiWindows 10XVcnh @@ -11,8 +11,8 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/30/2020 -ms.reviewer: +ms.date: 11/02/2020 +ms.reviewer: pauhijbr manager: dansimp --- @@ -23,7 +23,8 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + > [!NOTE] > By default, Microsoft Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) to override this default. @@ -32,7 +33,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-microsoft You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-microsoft-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +This article describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10). ## To configure the Group Policy settings described in this article @@ -44,7 +45,9 @@ This article describes how to configure scheduled scans with Group Policy, Power 5. Expand the tree to **Windows components > Microsoft Defender Antivirus** and then the **Location** specified in the table below. -6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. +6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. + +7. Click **OK**, and repeat for any other settings. Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-microsoft-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) topics. @@ -74,12 +77,13 @@ Scheduled scans will run at the day and time you specify. You can use Group Poli ### Use Group Policy to schedule scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Specify the scan type to use for a scheduled scan | Quick scan -Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never -Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
    In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Specify the scan type to use for a scheduled scan | Quick scan | +|Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never | +|Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.). | 2 a.m. | +|Root | Randomize scheduled task times |In Microsoft Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours.
    In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled | + ### Use PowerShell cmdlets to schedule scans @@ -100,8 +104,10 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanParameters +ScanScheduleDay +ScanScheduleTime +RandomizeScheduleTaskTimes ``` See the following for more information and allowed parameters: @@ -119,9 +125,9 @@ You can set the scheduled scan to only occur when the endpoint is turned on but ### Use Group Policy to schedule scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Start the scheduled scan only when computer is on but not in use | Scheduled scans will not run, unless the computer is on but not in use | Enabled | ### Use PowerShell cmdlets @@ -138,8 +144,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanOnlyIfIdleEnabled ``` See the following for more information and allowed parameters: @@ -152,10 +157,10 @@ Some threats may require a full scan to complete their removal and remediation. ### Use Group Policy to schedule remediation-required scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never -Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am +| Location | Setting | Description | Default setting (if not configured) | +|---|---|---|---| +|Remediation | Specify the day of the week to run a scheduled full scan to complete remediation | Specify the day (or never) to run a scan. | Never | +|Remediation | Specify the time of day to run a scheduled full scan to complete remediation | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. | ### Use PowerShell cmdlets @@ -173,8 +178,8 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +RemediationScheduleDay +RemediationScheduleTime ``` See the following for more information and allowed parameters: @@ -190,10 +195,11 @@ You can enable a daily quick scan that can be run in addition to your other sche ### Use Group Policy to schedule daily scans -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never -Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am) | 2 am + +|Location | Setting | Description | Default setting (if not configured) | +|:---|:---|:---|:---| +|Scan | Specify the interval to run quick scans per day | Specify how many hours should elapse before the next quick scan. For example, to run every two hours, enter **2**, for once a day, enter **24**. Enter **0** to never run a daily quick scan. | Never | +|Scan | Specify the time for a daily quick scan | Specify the number of minutes after midnight (for example, enter **60** for 1 a.m.) | 2 a.m. | ### Use PowerShell cmdlets to schedule daily scans @@ -210,8 +216,7 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI -SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +ScanScheduleQuickScanTime ``` See the following for more information and allowed parameters: @@ -224,9 +229,9 @@ You can force a scan to occur after every [protection update](manage-protection- ### Use Group Policy to schedule scans after protection updates -Location | Setting | Description | Default setting (if not configured) ----|---|---|--- -Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled +|Location | Setting | Description | Default setting (if not configured)| +|:---|:---|:---|:---| +|Signature updates | Turn on scan after Security intelligence update | A scan will occur immediately after a new protection update is downloaded | Enabled | ## See also - [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index da8cab7cff..433c59bb6f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- -title: Specify cloud-delivered protection level in Microsoft Defender Antivirus -description: Set the aggressiveness of cloud-delivered protection in Microsoft Defender Antivirus. +title: Specify the cloud-delivered protection level for Microsoft Defender Antivirus +description: Set your level of cloud-delivered protection for Microsoft Defender Antivirus. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -10,7 +10,7 @@ ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 08/12/2020 +ms.date: 10/26/2020 ms.reviewer: manager: dansimp ms.custom: nextgen @@ -25,56 +25,63 @@ ms.custom: nextgen - Microsoft Defender Antivirus -You can specify the level of cloud-protection offered by Microsoft Defender Antivirus with Group Policy and Microsoft Endpoint Configuration Manager. +You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy. ->[!NOTE] ->The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. +> [!TIP] +> Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates. +> Microsoft Intune and Microsoft Endpoint Configuration Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). -## Use Intune to specify the level of cloud-delivered protection -1. Sign in to the [Azure portal](https://portal.azure.com). -2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -4. Select **Properties**, select **Settings: Configure**, and then select **Microsoft Defender Antivirus**. -5. On the **File Blocking Level** switch, select one of the following: +## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. + +2. Choose **Endpoint security** > **Antivirus**. + +3. Select an antivirus profile. (If you don't have one yet, or if you want to create a new profile, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). + +4. Select **Properties**. Then, next to **Configuration settings**, choose **Edit**. + +5. Expand **Cloud protection**, and then in the **Cloud-delivered protection level** list, select one of the following: 1. **High**: Applies a strong level of detection. - 2. **High +**: Uses the **High** level and applies additional protection measures (may impact client performance). + 2. **High plus**: Uses the **High** level and applies additional protection measures (may impact client performance). 3. **Zero tolerance**: Blocks all unknown executables. -8. Click **OK** to exit the **Microsoft Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. +6. Choose **Review + save**, and then choose **Save**. -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) +> [!TIP] +> Need some help? See the following resources: +> - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) +> - [Add endpoint protection settings in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) -## Use Configuration Manager to specify the level of cloud-delivered protection - -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring Microsoft Endpoint Configuration Manager (current branch). - ## Use Group Policy to specify the level of cloud-delivered protection 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). 2. Right-click the Group Policy Object you want to configure, and then click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration**. +3. In the **Group Policy Management Editor** go to **Computer Configuration** > **Administrative templates**. -4. Click **Administrative templates**. +4. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus** > **MpEngine**. -5. Expand the tree to **Windows components > Microsoft Defender Antivirus > MpEngine**. - -6. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: +5. Double-click the **Select cloud protection level** setting and set it to **Enabled**. Select the level of protection: - **Default blocking level** provides strong detection without increasing the risk of detecting legitimate files. - **Moderate blocking level** provides moderate only for high confidence detections - - **High blocking level** applies a strong level of detection while optimizing client performance (greater chance of false positives). - - **High + blocking level** applies additional protection measures (may impact client performance and increase risk of false positives). + - **High blocking level** applies a strong level of detection while optimizing client performance (but can also give you a greater chance of false positives). + - **High + blocking level** applies additional protection measures (might impact client performance and increase your chance of false positives). - **Zero tolerance blocking level** blocks all unknown executables. > [!WARNING] > While unlikely, setting this switch to **High** or **High +** may cause some legitimate files to be detected (although you will have the option to unblock or dispute that detection). -7. Click **OK**. +6. Click **OK**. +7. Deploy your updated Group Policy Object. See [Group Policy Management Console](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) + +> [!TIP] +> Are you using Group Policy Objects on premises? See how they translate in the cloud. [Analyze your on-premises group policy objects using Group Policy analytics in Microsoft Endpoint Manager - Preview](https://docs.microsoft.com/mem/intune/configuration/group-policy-analytics). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 09535418a1..801706b95c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -21,7 +21,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus. @@ -49,7 +49,7 @@ This issue can manifest in the form of several different event IDs, all of whic ### How to tell if Microsoft Defender Antivirus won't start because a third-party antivirus is installed -On a Windows 10 device, if you are not using Microsoft Defender Advanced Threat Protection (ATP), and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender ATP with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality. +On a Windows 10 device, if you are not using Microsoft Defender for Endpoint, and you have a third-party antivirus installed, then Microsoft Defender Antivirus will be automatically turned off. If you are using Microsoft Defender for Endpoint with a third-party antivirus installed, Microsoft Defender Antivirus will start in passive mode, with reduced functionality. > [!TIP] > The scenario just described applies only to Windows 10. Other versions of Windows have [different responses](microsoft-defender-antivirus-compatibility.md) to Microsoft Defender Antivirus being run alongside third-party security software. @@ -121,7 +121,7 @@ Microsoft Defender Antivirus will automatically turn on if no other antivirus is > [!WARNING] > Solutions suggesting that you edit the *Windows Defender* start values for *wdboot*, *wdfilter*, *wdnisdrv*, *wdnissvc*, and *windefend* in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services are unsupported, and may force you to re-image your system. -Passive mode is available if you start using Microsoft Defender ATP and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed. +Passive mode is available if you start using Microsoft Defender for Endpoint and a third-party antivirus together with Microsoft Defender Antivirus. Passive mode allows Microsoft Defender to scan files and update itself, but it will not remediate threats. In addition, behavior monitoring via [Real Time Protection](configure-real-time-protection-microsoft-defender-antivirus.md) is not available under passive mode, unless [Endpoint data loss prevention (DLP)](../microsoft-defender-atp/information-protection-in-windows-overview.md) is deployed. Another feature, known as [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), is available to end-users when Microsoft Defender Antivirus is set to automatically turn off. This feature allows Microsoft Defender Antivirus to scan files periodically alongside a third-party antivirus, using a limited number of detections. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index bebdd997f5..ba1346ed98 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. @@ -33,7 +33,7 @@ The tables list: - [Internal Microsoft Defender Antivirus client error codes (used by Microsoft during development and testing)](#internal-error-codes) > [!TIP] -> You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: +> You can also visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working: > > - Cloud-delivered protection > - Fast learning (including Block at first sight) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md index 936180ce74..4693016f63 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md @@ -22,12 +22,12 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!IMPORTANT] > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates. -You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). +You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the [Microsoft Defender for Endpoint portal](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see [Windows 10 product licensing options](https://www.microsoft.com/licensing/product-licensing/windows10.aspx). When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of devices or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Microsoft Defender Antivirus, you might encounter problems or issues. @@ -59,7 +59,7 @@ In order for devices to properly show up in Update Compliance, you have to meet > - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). > - It has been 3 days since all requirements have been met -“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" +“You can use Microsoft Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender for Endpoint portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" If the above prerequisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 1a87a09ee4..87f46b0cd9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Microsoft Defender Antivirus with Group Policy -description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender ATP. +description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md index b32ee0bc06..9b5897d363 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 10/26/2018 ms.reviewer: manager: dansimp --- @@ -23,15 +23,25 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If you are using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Microsoft Defender Antivirus scans. +If you were using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. -In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Microsoft Defender Antivirus. +1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**. -See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. +2. Under **Manage**, choose **Antivirus**. -For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure). +3. Select your Microsoft Defender Antivirus policy. + +4. Under **Manage**, choose **Properties**. + +5. Next to **Configuration settings**, choose **Edit**. + +6. Expand the **Scan** section, and review or edit your scanning settings. + +7. Choose **Review + save** + +Need help? See [Manage endpoint security in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security). ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md index 3dc5e33650..ae51436faa 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md index a517c3bd60..51137f3e9e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Configure Microsoft Defender Antivirus with WMI -description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender ATP. +description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index b24a051f44..da103c7192 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -25,7 +25,7 @@ ms.custom: nextgen Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender for Endpoint next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) To take advantage of the power and speed of these next-generation technologies, Microsoft Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index dc28f1eb2f..56c8f7668f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -1,5 +1,5 @@ --- -title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender Advanced Threat Protection" +title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint" description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh @@ -16,39 +16,39 @@ ms.reviewer: manager: dansimp --- -# Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection +# Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +- [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender ATP). +Microsoft Defender Antivirus is the next-generation protection component of [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) (Microsoft Defender for Endpoint). -Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Microsoft Defender Antivirus together with Microsoft Defender ATP. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. +Although you can use a non-Microsoft antivirus solution with Microsoft Defender for Endpoint, there are advantages to using Microsoft Defender Antivirus together with Defender for Endpoint. Not only is Microsoft Defender Antivirus an excellent next-generation antivirus solution, but combined with other Defender for Endpoint capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. -## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender ATP +## 11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint | |Advantage |Why it matters | |--|--|--| -|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender ATP](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | +|1|Antivirus signal sharing |Microsoft applications and services share signals across your enterprise organization, providing a stronger single platform. See [Insights from the MITRE ATT&CK-based evaluation of Microsoft Defender for Endpoint](https://www.microsoft.com/security/blog/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). | |2|Threat analytics and your score for devices |Microsoft Defender Antivirus collects underlying system data used by [threat analytics](../microsoft-defender-atp/threat-analytics.md) and [Microsoft Secure Score for Devices](../microsoft-defender-atp/tvm-microsoft-secure-score-devices.md). This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture. | -|3|Performance |Microsoft Defender ATP is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender ATP](../microsoft-defender-atp/evaluate-atp.md).| -|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| +|3|Performance |Microsoft Defender for Endpoint is designed to work with Microsoft Defender Antivirus, so you get better performance when you use these offerings together. [Evaluate Microsoft Defender Antivirus](evaluate-microsoft-defender-antivirus.md) and [Microsoft Defender for Endpoint](../microsoft-defender-atp/evaluate-atp.md).| +|4|Details about blocked malware |More details and actions for blocked malware are available with Microsoft Defender Antivirus and Microsoft Defender for Endpoint. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| |6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| |7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Get an overview of attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).| |8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | |9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | |10|File recovery via OneDrive |If you are using Microsoft Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| -|11|Technical support |By using Microsoft Defender ATP together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). | +|11|Technical support |By using Microsoft Defender for Endpoint together with Microsoft Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Microsoft Defender Antivirus](troubleshoot-microsoft-defender-antivirus.md). | ## Learn more -[Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) +[Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) [Threat & Vulnerability Management](../microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 121ed70fbe..aa6d77cbd0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -17,7 +17,7 @@ ms.custom: asr # Configure Microsoft Defender Application Guard policy settings **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index b3bb7867ee..007fa751d5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 09/14/2020 +ms.date: 11/03/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -22,19 +22,18 @@ Answering frequently asked questions about Microsoft Defender Application Guard ## Frequently Asked Questions -### Can I enable Application Guard on machines equipped with 4GB RAM? +### Can I enable Application Guard on machines equipped with 4-GB RAM? +We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. -We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. +`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.) -`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.) -`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8GB.) - -`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5GB.) +`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.) ### Can employees download documents from the Application Guard Edge session onto host devices? -In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy. +In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy. In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. @@ -44,20 +43,16 @@ Depending on your organization's settings, employees can copy and paste images ( ### Why don't employees see their Favorites in the Application Guard Edge session? -To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device. +To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. -### Are extensions supported in the Application Guard? +### Why aren’t employees able to see their Extensions in the Application Guard Edge session? -Extension installs in the container are supported from Microsoft Edge version 81. For more details, see [Extension support inside the container](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard#extension-support-inside-the-container). +Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. -If Application Guard is used with network proxies, they need to be specified by fully qualified domain name (FQDN) in the system proxy settings (likewise in a PAC script if that is the type of proxy configuration used). Additionally these proxies need to be marked as *neutral* in the **Application trust** list. The FQDNs for the PAC file and the proxy servers the PAC file redirects to must be added as neutral resources in the network isolation policies that are used by Application Guard. You can verify this by going to `edge://application-guard-internals/#utilities` and entering the FQDN for the pac/proxy in the **check url trust** field. Verify that it says *Neutral.* - -Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the enterprise IP ranges in the network isolation policies that are used by Application Guard. Additionally, go to `edge://application-guard-internals/#utilities` to view the Application Guard proxy configuration. This step can be done in both the host and within Application Guard to verify that each side is using the proxy setup you expect. - ### Which Input Method Editors (IME) in 19H1 are not supported? The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard. @@ -76,28 +71,94 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903 ### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? -This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. +This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. ### What is the WDAGUtilityAccount local account? -This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. +This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. ### How do I trust a subdomain in my site list? -To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` will ensure `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. +To trust a subdomain, you must precede your domain with two dots, for example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). ### Is there a size limit to the domain lists that I need to configure? -Yes, both the enterprise resource domains hosted in the cloud and the domains categorized as both work and personal have a 16383B limit. +Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit. ### Why does my encryption driver break Microsoft Defender Application Guard? -Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`). +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). + +### Why do the Network Isolation policies in Group Policy and CSP look different? + +There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP. + +Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnets or CloudResources" +Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" +For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + +Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. + +### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"? + +Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. + +### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file? + +This is a known issue. To mitigate this you need to create two firewall rules. +For guidance on how to create a firewall rule by using group policy, see: +- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule) +- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security) + +First rule (DHCP Server): +1. Program path: `%SystemRoot%\System32\svchost.exe` +2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))` +3. Protocol UDP +4. Port 67 + +Second rule (DHCP Client) +This is the same as the first rule, but scoped to local port 68. +In the Microsoft Defender Firewall user interface go through the following steps: +1. Right click on inbound rules, create a new rule. +2. Choose **custom rule**. +3. Program path: `%SystemRoot%\System32\svchost.exe`. +4. Protocol Type: UDP, Specific ports: 67, Remote port: any. +5. Any IP addresses. +6. Allow the connection. +7. All profiles. +8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. +9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. + +### Why can I not launch Application Guard when Exploit Guard is enabled? + +There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**. + + +### How can I have ICS in enabled state yet still use Application Guard? + +ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + +1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**. + +2. Disable IpNat.sys from ICS load as follows:
    +`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` + +3. Configure ICS (SharedAccess) to enabled as follows:
    +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` + +4. (This is optional) Disable IPNAT as follows:
    +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` + +5. Reboot the device. + +## See also + +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 8aba080ae4..1903c17792 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/19/2019 +ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -17,7 +17,7 @@ ms.custom: asr # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 1b3e19b06b..6ffce8a986 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -18,7 +18,7 @@ ms.custom: asr **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md new file mode 100644 index 0000000000..11c95b7ebf --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -0,0 +1,131 @@ +--- +title: "Onboard Windows 10 multi-session devices in Windows Virtual Desktop" +description: "Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop" +keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.topic: article +author: dansimp +ms.author: dansimp +ms.custom: nextgen +ms.date: 09/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Onboard Windows 10 multi-session devices in Windows Virtual Desktop +6 minutes to read + +Applies to: +- Windows 10 multi-session running on Windows Virtual Desktop (WVD) +> [!IMPORTANT] +> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender Advanced Threat Protection. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. + +> [!WARNING] +> Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. + +Microsoft Defender for Endpoint supports monitoring both VDI as well as Windows Virtual Desktop sessions. Depending on your organization's needs, you might need to implement VDI or Windows Virtual Desktop sessions to help your employees access corporate data and apps from an unmanaged device, remote location, or similar scenario. With Microsoft Defender for Endpoint, you can monitor these virtual machines for anomalous activity. + + ## Before you begin +Familiarize yourself with the [considerations for non-persistent VDI](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). While [Windows Virtual Desktop](https://docs.microsoft.com/azure/virtual-desktop/overview) does not provide non-persistence options, it does provide ways to use a golden Windows image that can be used to provision new hosts and redeploy machines. This increases volatility in the environment and thus impacts what entries are created and maintained in the Microsoft Defender for Endpoint portal, potentially reducing visibility for your security analysts. + +> [!NOTE] +> Depending on your choice of onboarding method, devices can appear in Microsoft Defender for Endpoint portal as either: +> - Single entry for each virtual desktop +> - Multiple entries for each virtual desktop + +Microsoft recommends onboarding Windows Virtual Desktop as a single entry per virtual desktop. This ensures that the investigation experience in the Microsoft Defender Endpoint portal is in the context of one device based on the machine name. Organizations that frequently delete and re-deploy WVD hosts should strongly consider using this method as it prevents multiple objects for the same machine from being created in the Microsoft Defender for Endpoint portal. This can lead to confusion when investigating incidents. For test or non-volatile environments, you may opt to choose differently. + +Microsoft recommends adding the Microsoft Defender for Endpoint onboarding script to the WVD golden image. This way, you can be sure that this onboarding script runs immediately at first boot. It is executed as a startup script at first boot on all the WVD machines that are provisioned from the WVD golden image. However, if you are using one of the gallery images without modification, place the script in a shared location and call it from either local or domain group policy. + +> [!NOTE] +> The placement and configuration of the VDI onboarding startup script on the WVD golden image configures it as a startup script that runs when the WVD starts. It is NOT recommended to onboard the actual WVD golden image. Another consideration is the method used to run the script. It should run as early in the startup/provisioning process as possible to reduce the time between the machine being available to receive sessions and the device onboarding to the service. Below scenarios 1 & 2 take this into account. + +### Scenarios +There are several ways to onboard a WVD host machine: + +- Run the script in the golden image (or from a shared location) during startup. +- Use a management tool to run the script. + +#### *Scenario 1: Using local group policy* +This scenario requires placing the script in a golden image and uses local group policy to run early in the boot process. + +Use the instructions in [Onboard non-persistent virtual desktop infrastructure VDI devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi#onboard-non-persistent-virtual-desktop-infrastructure-vdi-devices-1). + +Follow the instructions for a single entry for each device. + +#### *Scenario 2: Using domain group policy* +This scenario uses a centrally located script and runs it using a domain-based group policy. You can also place the script in the golden image and run it in the same way. + +**Download the WindowsDefenderATPOnboardingPackage.zip file from the Windows Defender Security Center** +1. Open the VDI configuration package .zip file (WindowsDefenderATPOnboardingPackage.zip) + - In the Microsoft Defender Security Center navigation pane, select **Settings** > **Onboarding**. + - Select Windows 10 as the operating system. + - In the **Deployment method** field, select VDI onboarding scripts for non-persistent endpoints. + - Click **Download package** and save the .zip file. +2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the device. You should have a folder called **OptionalParamsPolicy** and the files **WindowsDefenderATPOnboardingScript.cmd** and **Onboard-NonPersistentMachine.ps1**. + +**Use Group Policy management console to run the script when the virtual machine starts** +1. Open the Group Policy Management Console (GPMC), right-click the Group Policy Object (GPO) you want to configure and click **Edit**. +1. In the Group Policy Management Editor, go to **Computer configuration** \> **Preferences** \> **Control panel settings**. +1. Right-click **Scheduled tasks**, click **New**, and then click **Immediate Task** (At least Windows 7). +1. In the Task window that opens, go to the **General** tab. Under **Security options** click **Change User or Group** and type SYSTEM. Click **Check Names** and then click OK. NT AUTHORITY\SYSTEM appears as the user account the task will run as. +1. Select **Run whether user is logged on or not** and check the **Run with highest privileges** check box. +1. Go to the **Actions** tab and click **New**. Ensure that **Start a program** is selected in the Action field. +Enter the following: + +> Action = "Start a program"
    +> Program/Script = C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
    +> Add Arguments (optional) = -ExecutionPolicy Bypass -command "& \\Path\To\Onboard-NonPersistentMachine.ps1" + +Click **OK** and close any open GPMC windows. + +#### *Scenario 3: Onboarding using management tools* + +If you plan to manage your machines using a management tool, you can onboard devices with Microsoft Endpoint Configuration Manager. + +For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) + +> [!WARNING] +> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. + +> [!TIP] +> After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). + +#### Tagging your machines when building your golden image + +As part of your onboarding, you may want to consider setting a machine tag to be able to differentiate WVD machines more easily in the Microsoft Security Center. For more information, see +[Add device tags by setting a registry key value](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags#add-device-tags-by-setting-a-registry-key-value). + +#### Other recommended configuration settings + +When building your golden image, you may want to configure initial protection settings as well. For more information, see [Other recommended configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp#other-recommended-configuration-settings). + +In addition, if you are using FSlogix user profiles, we recommend you exclude the following files from always-on protection: + +**Exclude Files:** + +> %ProgramFiles%\FSLogix\Apps\frxdrv.sys
    +> %ProgramFiles%\FSLogix\Apps\frxdrvvt.sys
    +> %ProgramFiles%\FSLogix\Apps\frxccd.sys
    +> %TEMP%\*.VHD
    +> %TEMP%\*.VHDX
    +> %Windir%\TEMP\*.VHD
    +> %Windir%\TEMP\*.VHDX
    +> \\storageaccount.file.core.windows.net\share\*\*.VHD
    +> \\storageaccount.file.core.windows.net\share\*\*.VHDX
    + +**Exclude Processes:** + +> %ProgramFiles%\FSLogix\Apps\frxccd.exe
    +> %ProgramFiles%\FSLogix\Apps\frxccds.exe
    +> %ProgramFiles%\FSLogix\Apps\frxsvc.exe
    + +#### Licensing requirements + +Windows 10 Multi-session is a client OS. Licensing requirements for Microsoft Defender for endpoint can be found at: [Licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements). diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md index acb5350c34..ccf8b5f19e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md +++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 3ef821e164..94849b6b18 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -38,7 +38,7 @@ Adds or remove tag to a specific [Machine](machine.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 16e7db9ecf..725daf0761 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -17,18 +17,18 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure advanced features in Microsoft Defender ATP +# Configure advanced features in Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) -Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Microsoft Defender ATP with. +Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Defender for Endpoint with. Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: @@ -88,7 +88,7 @@ To use this feature, devices must be running Windows 10 version 1709 or later. T For more information, see [Manage indicators](manage-indicators.md). >[!NOTE] ->Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Microsoft Defender ATP data. +>Network protection leverages reputation services that process requests in locations that might be outside of the location you have selected for your Defender for Endpoint data. ## Show user details @@ -116,9 +116,9 @@ The integration with Azure Advanced Threat Protection allows you to pivot direct ## Microsoft Secure Score -Forwards Microsoft Defender ATP signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. +Forwards Defender for Endpoint signals to Microsoft Secure Score in the Microsoft 365 security center. Turning on this feature gives Microsoft Secure Score visibility into the devices security posture. Forwarded data is stored and processed in the same location as the your Microsoft Secure Score data. -### Enable the Microsoft Defender ATP integration from the Azure ATP portal +### Enable the Defender for Endpoint integration from the Azure ATP portal To receive contextual device integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal. @@ -139,18 +139,18 @@ When you turn this feature on, you'll be able to incorporate data from Office 36 >[!NOTE] >You'll need to have the appropriate license to enable this feature. -To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). +To receive contextual device integration in Office 365 Threat Intelligence, you'll need to enable the Defender for Endpoint settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Threat Experts -Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it. +Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability. Experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Defender for Endpoint portal's alerts dashboard and via email if you configure it. >[!NOTE] ->The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). +>The Microsoft Threat Experts capability in Defender for Endpoint is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security). ## Microsoft Cloud App Security -Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. +Enabling this setting forwards Defender for Endpoint signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on devices running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. @@ -161,10 +161,10 @@ Turning on this setting allows signals to be forwarded to Azure Information Prot ## Microsoft Intune connection -Microsoft Defender ATP can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Microsoft Defender ATP device information with Intune, enhancing policy enforcement. +Defender for Endpoint can be integrated with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune) to [enable device risk-based conditional access](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). When you [turn on this feature](configure-conditional-access.md), you'll be able to share Defender for Endpoint device information with Intune, enhancing policy enforcement. >[!IMPORTANT] ->You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature. For more information on specific steps, see [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md). +>You'll need to enable the integration on both Intune and Defender for Endpoint to use this feature. For more information on specific steps, see [Configure Conditional Access in Defender for Endpoint](configure-conditional-access.md). This feature is only available if you have the following: @@ -181,7 +181,7 @@ When you enable Intune integration, Intune will automatically create a classic C ## Preview features -Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience. +Learn about new features in the Defender for Endpoint preview release and be among the first to try upcoming features by turning on the preview experience. You'll have access to upcoming features, which you can provide feedback on to help improve the overall experience before features are generally available. @@ -189,7 +189,7 @@ You'll have access to upcoming features, which you can provide feedback on to he Forwards endpoint security alerts and their triage status to Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data. -After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Microsoft Defender ATP alerts will be shared with insider risk management for applicable users. +After configuring the [Security policy violation indicators](https://docs.microsoft.com/microsoft-365/compliance/insider-risk-management-settings.md#indicators) in the insider risk management settings, Defender for Endpoint alerts will be shared with insider risk management for applicable users. ## Enable advanced features diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md index b1576974be..46e60648d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -24,7 +24,7 @@ ms.date: 09/20/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 6ddbe3d3a1..bd47d4a12b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -23,9 +23,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) ## Optimize query performance @@ -91,7 +91,7 @@ DeviceProcessEvents | where CanonicalCommandLine contains "stop" and CanonicalCommandLine contains "MpsSvc" ``` -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index 80b4736768..51940745aa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -25,9 +25,9 @@ ms.date: 01/22/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceAlertEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about alerts in Microsoft Defender Security Center. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 33fbf6118f..82be65bdc4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The miscellaneous device events or `DeviceEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about various event types, including events triggered by security controls, such as Microsoft Defender Antivirus and exploit protection. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index e5a328a9db..20c0ceb254 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -25,9 +25,9 @@ ms.date: 01/14/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceFileCertificateInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file signing certificates. This table uses data obtained from certificate verification activities regularly performed on files on endpoints. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 246f3b70bd..2a453a4169 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceFileEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about file creation, modification, and other file system events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 7cd8fd9ebe..a00c2ef094 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceImageLoadEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about DLL loading events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index b939d5ba59..8c806a1b38 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about devices in the organization, including their OS version, active users, and computer name. Use this reference to construct queries that return information from the table. @@ -38,7 +38,7 @@ For information on other tables in the advanced hunting schema, see [the advance | `DeviceId` | string | Unique identifier for the device in the service | | `DeviceName` | string | Fully qualified domain name (FQDN) of the device | | `ClientVersion` | string | Version of the endpoint agent or sensor running on the device | -| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Microsoft Defender ATP service. This could be the IP address of the device itself, a NAT device, or a proxy | +| `PublicIP` | string | Public IP address used by the onboarded device to connect to the Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy | | `OSArchitecture` | string | Architecture of the operating system running on the device | | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | | `OSBuild` | string | Build version of the operating system running on the device | diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 17b769e2f3..c04883052f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceLogonEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about user logons and other authentication events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 77692cf8fe..467888a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceNetworkEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about network connections and related events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 8d919d89c0..48ae9ead1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceNetworkInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about networking configuration of devices, including network adapters, IP and MAC addresses, and connected networks or domains. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 3d7fc8a005..921304b30c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceProcessEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about process creation and related events. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index 4ee7217b7c..ec6f722e98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) The `DeviceRegistryEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about the creation and modification of registry entries. Use this reference to construct queries that return information from the table. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index 22e4e6aa6b..bf6dc4404d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -45,11 +45,13 @@ For information on other tables in the advanced hunting schema, see [the advance | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | | `ConfigurationImpact` | string | Rated impact of the configuration to the overall configuration score (1-10) | | `IsCompliant` | boolean | Indicates whether the configuration or policy is properly configured | - +| `IsApplicable` | boolean | Indicates whether the configuration or policy applies to the device | +| `Context` | string | Additional contextual information about the configuration or policy | +| `IsExpectedUserImpactCompliant` | boolean | Indicates whether there will be user impact if the configuration or policy is applied | ## Related topics - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Understand the schema](advanced-hunting-schema-reference.md) -- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Overview of Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index d2b7ab5de4..317e6e26c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index a61d3499dc..d61956dee5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index 36a4097508..0779d7d929 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md index 092f10cf8f..ab53ab3585 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) Advanced hunting displays errors to notify for syntax mistakes and whenever queries hit [predefined limits](advanced-hunting-limits.md). Refer to the table below for tips on how to resolve or avoid errors. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md index 371cfbed8c..60566f53f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -24,7 +24,7 @@ ms.date: 10/10/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md index f2f93bf6a2..365f8ef6ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md @@ -22,7 +22,7 @@ ms.date: 09/20/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) The `FileProfile()` function is an enrichment function in [advanced hunting](advanced-hunting-overview.md) that adds the following data to files found by the query. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md index cab2d3160b..9b8aed20bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md @@ -23,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) With the *go hunt* action, you can quickly investigate events and various entity types using powerful query-based [advanced hunting](advanced-hunting-overview.md) capabilities. This action automatically runs an advanced hunting query to find relevant information about the selected event or entity. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md index 66e8db56e7..0516afc2f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) To keep the service performant and responsive, advanced hunting sets various limits for queries run manually and by [custom detection rules](custom-detection-rules.md). Refer to the following table to understand these limits. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 19ef98383c..e42dbf4cf3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. @@ -37,7 +37,7 @@ Watch this video for a quick overview of advanced hunting and a short tutorial t You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings. >[!TIP] ->Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Microsoft Defender ATP, Office 365 ATP, Microsoft Cloud App Security, and Azure ATP. [Turn on Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) +>Use [advanced hunting in Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview) to hunt for threats using data from Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Cloud App Security, and Microsoft Defender for Identity. [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable) ## Get started with advanced hunting @@ -61,7 +61,7 @@ We recommend going through several steps to quickly get up and running with adva Advanced hunting data can be categorized into two distinct types, each consolidated differently. -- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Microsoft Defender ATP. +- **Event or activity data**—populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect them successfully transmit them to Defender for Endpoint. - **Entity data**—populates tables with consolidated information about users and devices. This data comes from both relatively static data sources and dynamic sources, such as Active Directory entries and event logs. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that might not be fully populated. Every 24 hours, data is consolidated to insert a record that contains the latest, most comprehensive data set about each entity. ## Time zone diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 2d83c38459..76fd2bee7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) Advanced hunting is based on the [Kusto query language](https://docs.microsoft.com/azure/kusto/query/). You can use Kusto operators and statements to construct queries that locate information in a specialized [schema](advanced-hunting-schema-reference.md). To understand these concepts better, run your first query. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index b06237a57a..34db3e0745 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -23,9 +23,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) While you can construct your [advanced hunting](advanced-hunting-overview.md) queries to return very precise information, you can also work with the query results to gain further insight and investigate specific activities and indicators. You can take the following actions on your query results: diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index c41443181f..a0988a90d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -24,9 +24,9 @@ ms.date: 01/14/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 46610a6772..0daf0cbfda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -23,9 +23,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) [Advanced hunting](advanced-hunting-overview.md) queries can be shared among users in the same organization. You can also find queries shared publicly on GitHub. These queries let you quickly pursue specific threat hunting scenarios without having to write queries from scratch. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md index b06baf7444..d535b139e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -21,9 +21,9 @@ ms.date: 09/20/2020 # Take action on advanced hunting query results **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) You can quickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md) using powerful and comprehensive action options. With these options, you can: @@ -32,7 +32,7 @@ You can quickly contain threats or address compromised assets that you find in [ ## Required permissions -To be able to take action through advanced hunting, you need a role in Microsoft Defender ATP with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission: +To be able to take action through advanced hunting, you need a role in Defender for Endpoint with [permissions to submit remediation actions on devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#permission-options). If you can't take action, contact a global administrator about getting the following permission: *Active remediation actions > Threat and vulnerability management - Remediation handling* @@ -46,7 +46,7 @@ You can take the following actions on devices identified by the `DeviceId` colum - Initiate an automated investigation to check and remediate threats on the device and possibly other affected devices - Restrict app execution to only Microsoft-signed executable files, preventing subsequent threat activity through malware or other untrusted executables -To learn more about how these response actions are performed through Microsoft Defender ATP, [read about response actions on devices](respond-machine-alerts.md). +To learn more about how these response actions are performed through Defender for Endpoint, [read about response actions on devices](respond-machine-alerts.md). ## Quarantine files diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index 9bf8d26a01..e403e8465c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -18,16 +18,16 @@ ms.topic: article ms.date: 03/27/2020 --- -# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue +# View and organize the Microsoft Defender for Endpoint Alerts queue [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-alertsq-abovefoldlink) The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first. @@ -61,15 +61,15 @@ Informational
    (Grey) | Alerts that might not be considered harmful to the n #### Understanding alert severity -Microsoft Defender Antivirus (Microsoft Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes. +Microsoft Defender Antivirus (Microsoft Defender AV) and Defender for Endpoint alert severities are different because they represent different scopes. The Microsoft Defender AV threat severity represents the absolute severity of the detected threat (malware), and is assigned based on the potential risk to the individual device, if infected. -The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. +The Defender for Endpoint alert severity represents the severity of the detected behavior, the actual risk to the device but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. +- The severity of a Defender for Endpoint alert about a Microsoft Defender AV detected threat that was completely prevented and did not infect the device is categorized as "Informational" because there was no actual damage. - An alert about a commercial malware was detected while executing, but blocked and remediated by Microsoft Defender AV, is categorized as "Low" because it may have caused some damage to the individual device but poses no organizational threat. - An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. @@ -118,7 +118,7 @@ You can choose between showing alerts that are assigned to you or automation. ### Detection source -Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. +Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service. >[!NOTE] >The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product. @@ -138,11 +138,11 @@ Use this filter to focus on alerts that are related to high profile threats. You ## Related topics -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 67ed2be93e..eaa7c56c2f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Methods diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index 6edfd475aa..f9f5d899e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -20,39 +20,39 @@ ms.collection: ms.topic: conceptual --- -# Configure Microsoft Defender ATP for Android features +# Configure Defender for Endpoint for Android features [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) -## Conditional Access with Microsoft Defender ATP for Android -Microsoft Defender ATP for Android along with Microsoft Intune and Azure Active +## Conditional Access with Defender for Endpoint for Android +Microsoft Defender for Endpoint for Android along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies -based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -For more information about how to set up Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and +For more information about how to set up Defender for Endpoint for Android and Conditional Access, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Configure custom indicators >[!NOTE] -> Microsoft Defender ATP for Android only supports creating custom indicators for IP addresses and URLs/domains. +> Defender for Endpoint for Android only supports creating custom indicators for IP addresses and URLs/domains. -Microsoft Defender ATP for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). +Defender for Endpoint for Android enables admins to configure custom indicators to support Android devices as well. For more information on how to configure custom indicators, see [Manage indicators](manage-indicators.md). ## Configure web protection -Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. +Defender for Endpoint for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center. >[!NOTE] -> Microsoft Defender ATP for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +> Defender for Endpoint for Android would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-manage-android). ## Related topics -- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Deploy Microsoft Defender ATP for Android with Microsoft Intune](android-intune.md) +- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index b70734bf7c..ddba7d596d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -20,31 +20,31 @@ ms.collection: ms.topic: conceptual --- -# Deploy Microsoft Defender ATP for Android with Microsoft Intune +# Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Defender for Endpoint](microsoft-defender-atp-android.md) -This topic describes deploying Microsoft Defender ATP for Android on Intune +This topic describes deploying Defender for Endpoint for Android on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your device](https://docs.microsoft.com/mem/intune/user-help/enroll-device-android-company-portal). > [!NOTE] -> **Microsoft Defender ATP for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
    -> You can connect to Google Play from Intune to deploy Microsoft Defender ATP app across Device Administrator and Android Enterprise entrollment modes. +> **Defender for Endpoint for Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)**
    +> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise entrollment modes. Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices -**Deploy Microsoft Defender ATP for Android on Intune Company Portal - Device +**Deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices** -This topic describes how to deploy Microsoft Defender ATP for Android on Intune Company Portal - Device Administrator enrolled devices. +This topic describes how to deploy Defender for Endpoint for Android on Intune Company Portal - Device Administrator enrolled devices. ### Add as Android store app @@ -60,13 +60,13 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> - **Name** - **Description** - **Publisher** as Microsoft. - - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Microsoft Defender ATP app Google Play Store URL) + - **Appstore URL** as https://play.google.com/store/apps/details?id=com.microsoft.scmx (Defender for Endpoint app Google Play Store URL) Other fields are optional. Select **Next**. ![Image of Microsoft Endpoint Manager Admin Center](images/mda-addappinfo.png) -3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Microsoft Defender ATP for Android app. Click **Select** and then **Next**. +3. In the *Assignments* section, go to the **Required** section and select **Add group.** You can then choose the user group(s) that you would like to target Defender for Endpoint for Android app. Click **Select** and then **Next**. >[!NOTE] >The selected user group should consist of Intune enrolled users. @@ -77,7 +77,7 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> 4. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - In a few moments, the Microsoft Defender ATP app would be created successfully, and a notification would show up at the top-right corner of the page. + In a few moments, the Defender for Endpoint app would be created successfully, and a notification would show up at the top-right corner of the page. ![Image of Microsoft Endpoint Manager Admin Center](images/86cbe56f88bb6e93e9c63303397fc24f.png) @@ -92,21 +92,21 @@ completed successfully. ### Complete onboarding and check status -1. Once Microsoft Defender ATP for Android has been installed on the device, you'll see the app icon. +1. Once Defender for Endpoint for Android has been installed on the device, you'll see the app icon. ![Icon on mobile device](images/7cf9311ad676ec5142002a4d0c2323ca.jpg) 2. Tap the Microsoft Defender ATP app icon and follow the on-screen instructions -to complete onboarding the app. The details include end-user acceptance of Android permissions required by Microsoft Defender ATP for Android. +to complete onboarding the app. The details include end-user acceptance of Android permissions required by Defender for Endpoint for Android. 3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center. - ![Image of device in Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + ![Image of device in Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) ## Deploy on Android Enterprise enrolled devices -Microsoft Defender ATP for Android supports Android Enterprise enrolled devices. +Defender for Endpoint for Android supports Android Enterprise enrolled devices. For more information on the enrollment options supported by Intune, see [Enrollment @@ -116,10 +116,9 @@ Currently only Personal devices with Work Profile enrolled are supported for de -## Add Microsoft Defender ATP for Android as a Managed Google Play app +## Add Microsoft Defender for Endpoint for Android as a Managed Google Play app -Follow the steps below to add Microsoft -Defender ATP app into your managed Google Play. +Follow the steps below to add Microsoft Defender for Endpoint app into your managed Google Play. 1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> @@ -131,27 +130,26 @@ center](https://go.microsoft.com/fwlink/?linkid=2109431) , go to **Apps** \> 2. On your managed Google Play page that loads subsequently, go to the search box and lookup **Microsoft Defender.** Your search should display the Microsoft -Defender ATP app in your Managed Google Play. Click on the Microsoft Defender -ATP app from the Apps search result. +Defender for Endpoint app in your Managed Google Play. Click on the Microsoft Defender for Endpoint app from the Apps search result. ![Image of Microsoft Endpoint Manager admin center](images/0f79cb37900b57c3e2bb0effad1c19cb.png) 3. In the App description page that comes up next, you should be able to see app -details on Microsoft Defender ATP. Review the information on the page and then +details on Defender for Endpoint. Review the information on the page and then select **Approve**. > [!div class="mx-imgBorder"] > ![A screenshot of a Managed Google Play](images/07e6d4119f265037e3b80a20a73b856f.png) -4. You should now be presented with the permissions that Microsoft Defender ATP +4. You should now be presented with the permissions that Defender for Endpoint obtains for it to work. Review them and then select **Approve**. - ![A screenshot of Microsoft Defender ATP preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) + ![A screenshot of Defender for Endpoint preview app approval](images/206b3d954f06cc58b3466fb7a0bd9f74.png) 5. You'll be presented with the Approval settings page. The page confirms -your preference to handle new app permissions that Microsoft Defender ATP for +your preference to handle new app permissions that Defender for Endpoint for Android might ask. Review the choices and select your preferred option. Select **Done**. @@ -162,8 +160,8 @@ permissions* > ![Image of notifications tab](images/ffecfdda1c4df14148f1526c22cc0236.png) -6. After the permissions handling selection is made, select **Sync** to sync -Microsoft Defender ATP to your apps list. +6. After the permissions handling selection is made, select **Sync** to sync Microsoft +Defender for Endpoint to your apps list. > [!div class="mx-imgBorder"] > ![Image of sync page](images/34e6b9a0dae125d085c84593140180ed.png) @@ -180,7 +178,7 @@ Defender ATP should be visible in the apps list. > ![Image of list of Android apps](images/fa4ac18a6333335db3775630b8e6b353.png) -9. Microsoft Defender ATP supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). +9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to autogrant applicable Android permission(s), so the end user does not need to accept these permission(s). 1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**. @@ -213,7 +211,7 @@ Defender ATP should be visible in the apps list. > ![Image of create app configuration policy](images/android-auto-grant.png) - 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender ATP Android app. + 1. In the **Assignments** page, select the user group to which this app config policy would be assigned to. Click **Select groups to include** and selecting the applicable group and then selecting **Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app. > [!div class="mx-imgBorder"] > ![Image of create app configuration policy](images/android-select-group.png) @@ -221,7 +219,7 @@ Defender ATP should be visible in the apps list. 1. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
    - The app configuration policy for Microsoft Defender ATP auto-granting the storage permission is now assigned to the selected user group. + The app configuration policy for Defender for Endpoint auto-granting the storage permission is now assigned to the selected user group. > [!div class="mx-imgBorder"] > ![Image of create app configuration policy](images/android-review-create.png) @@ -248,7 +246,7 @@ assignment. ## Complete onboarding and check status -1. Confirm the installation status of Microsoft Defender ATP for Android by +1. Confirm the installation status of Microsoft Defender for Endpoint for Android by clicking on the **Device Install Status**. Verify that the device is displayed here. @@ -257,23 +255,22 @@ displayed here. 2. On the device, you can confirm the same by going to the **work profile** and -confirm that Microsoft Defender ATP is available. +confirm that Defender for Endpoint is available. ![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png) 3. When the app is installed, open the app and accept the permissions and then your onboarding should be successful. - ![Image of mobile device with Microsoft Defender ATP app](images/mda-devicesafe.png) + ![Image of mobile device with Microsoft Defender for Endpoint app](images/mda-devicesafe.png) -4. At this stage the device is successfully onboarded onto Microsoft Defender -ATP for Android. You can verify this on the [Microsoft Defender Security +4. At this stage the device is successfully onboarded onto Defender for Endpoint for Android. You can verify this on the [Microsoft Defender Security Center](https://securitycenter.microsoft.com) by navigating to the **Devices** page. - ![Image of Microsoft Defender ATP portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) + ![Image of Microsoft Defender for Endpoint portal](images/9fe378a1dce0f143005c3aa53d8c4f51.png) ## Related topics -- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md) -- [Configure Microsoft Defender ATP for Android features](android-configure.md) +- [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) +- [Configure Microsoft Defender for Endpoint for Android features](android-configure.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md index 800e262876..66ec2fa838 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md @@ -17,23 +17,22 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender ATP for Android - Privacy information +# Microsoft Defender for Endpoint for Android - Privacy information **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) -Microsoft Defender ATP for Android collects information from your configured -Android devices and stores it in the same tenant where you have Microsoft -Defender ATP. +Defender for Endpoint for Android collects information from your configured +Android devices and stores it in the same tenant where you have Defender for Endpoint. -Information is collected to help keep Microsoft Defender ATP for Android secure, +Information is collected to help keep Defender for Endpoint for Android secure, up-to-date, performing as expected and to support the service. ## Required Data -Required data consists of data that is necessary to make Microsoft Defender ATP +Required data consists of data that is necessary to make Defender for Endpoint for Android work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md index d2d946c3fb..34959bf022 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md @@ -20,15 +20,14 @@ ms.collection: ms.topic: conceptual --- -# Troubleshooting issues on Microsoft Defender ATP for Android +# Troubleshooting issues on Microsoft Defender for Endpoint for Android [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for - Android](microsoft-defender-atp-android.md) +- [Defender for Endpoint](microsoft-defender-atp-android.md) During onboarding, you might encounter sign in issues after the app is installed on your device. @@ -77,7 +76,7 @@ Contact your administrator for help. - **Xiaomi** -Phishing and harmful web connection threats detected by Microsoft Defender ATP +Phishing and harmful web connection threats detected by Defender for Endpoint for Android are not blocked on some Xiaomi devices. The following functionality does not work on these devices. ![Image of site reported unsafe](images/0c04975c74746a5cdb085e1d9386e713.png) @@ -85,7 +84,7 @@ for Android are not blocked on some Xiaomi devices. The following functionality **Cause:** -Xiaomi devices introduced a new permission that prevents Microsoft Defender ATP +Xiaomi devices introduced a new permission that prevents Defender for Endpoint for Android app from displaying pop-up windows while running in the background. Xiaomi devices permission: "Display pop-up windows while running in the diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index 0d6e8dcd1c..d80fdbbc7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md @@ -19,15 +19,15 @@ ms.topic: conceptual hideEdit: true --- -# Microsoft Defender ATP for Android application license terms +# Microsoft Defender for Endpoint for Android application license terms [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Android](microsoft-defender-atp-android.md) +- [Microsoft Defender for Endpoint](microsoft-defender-atp-android.md) -## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT These license terms ("Terms") are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They @@ -52,21 +52,21 @@ DO NOT USE THE APPLICATION.** 1. **INSTALLATION AND USE RIGHTS.** 1. **Installation and Use.** You may install and use any number of copies - of this application on Android enabled device or devices which you own + of this application on Android enabled device or devices that you own or control. You may use this application with your company's valid - subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or + subscription of Microsoft Defender for Endpoint or an online service that includes MDATP functionalities. 2. **Updates.** Updates or upgrades to MDATP may be required for full functionality. Some functionality may not be available in all countries. - 3. **Third Party Programs.** The application may include third party + 3. **Third-Party Programs.** The application may include third-party programs that Microsoft, not the third party, licenses to you under this agreement. Notices, if any, for the third-party program are included for your information only. 2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to - Internet access, data transfer and other services per the terms of the data + Internet access, data transfer, and other services per the terms of the data service plan and any other agreement you have with your network operator due to use of the application. You are solely responsible for any network operator charges. @@ -92,21 +92,21 @@ DO NOT USE THE APPLICATION.** improve Microsoft products and services and enhance your experience. You may limit or control collection of some usage and performance data through your device settings. Doing so may disrupt your use of - certain features of the application. For additional information on - Microsoft's data collection and use, see the [Online Services + certain features of the application. For more information about + Microsoft data collection and use, see the [Online Services Terms](https://go.microsoft.com/fwlink/?linkid=2106777). 2. Misuse of Internet-based Services. You may not use any Internet-based service in any way that could harm it or impair anyone else's use of it or the wireless network. You may not use the service to try to gain - unauthorized access to any service, data, account or network by any + unauthorized access to any service, data, account, or network by any means. 4. **FEEDBACK.** If you give feedback about the application to Microsoft, you - give to Microsoft, without charge, the right to use, share and commercialize + give to Microsoft, without charge, the right to use, share, and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, - technologies and services to use or interface with any specific parts of a + technologies, and services to use or interface with any specific parts of a Microsoft software or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback @@ -130,35 +130,35 @@ DO NOT USE THE APPLICATION.** - publish the application for others to copy; - - rent, lease or lend the application; or + - rent, lease, or lend the application; or - transfer the application or this agreement to any third party. 6. **EXPORT RESTRICTIONS.** The application is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the application. These laws - include restrictions on destinations, end users and end use. For additional + include restrictions on destinations, end users, and end use. For more information, - see[www.microsoft.com/exporting](https://www.microsoft.com/exporting). + + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). 7. **SUPPORT SERVICES.** Because this application is "as is," we may not provide support services for it. If you have any issues or questions about your use of this application, including questions about your company's - privacy policy, please contact your company's admin. Do not contact the + privacy policy, contact your company's admin. Do not contact the application store, your network operator, device manufacturer, or Microsoft. The application store provider has no obligation to furnish support or maintenance with respect to the application. 8. **APPLICATION STORE.** - 1. If you obtain the application through an application store (e.g., Google - Play), please review the applicable application store terms to ensure + 1. If you obtain the application through an application store (for example, Google + Play), review the applicable application store terms to ensure your download and use of the application complies with such terms. - Please note that these Terms are between you and Microsoft and not with + Note that these Terms are between you and Microsoft and not with the application store. - 2. The respective application store provider and its subsidiaries are third - party beneficiaries of these Terms, and upon your acceptance of these + 2. The respective application store provider and its subsidiaries are third-party beneficiaries of these Terms, and upon your acceptance of these Terms, the application store provider(s) will have the right to directly enforce and rely upon any provision of these Terms that grants them a benefit or rights. @@ -213,20 +213,20 @@ DO NOT USE THE APPLICATION.** This limitation applies to: - anything related to the application, services, content (including code) on - third party Internet sites, or third party programs; and + third-party internet sites, or third-party programs; and -- claims for breach of contract, warranty, guarantee or condition; consumer +- claims for breach of contract, warranty, guarantee, or condition; consumer protection; deception; unfair competition; strict liability, negligence, - misrepresentation, omission, trespass or other tort; violation of statute or + misrepresentation, omission, trespass, or other tort; violation of statute or regulation; or unjust enrichment; all to the extent permitted by applicable law. It also applies even if: -a. Repair, replacement or refund for the application does not fully compensate +a. Repair, replacement, or refund for the application does not fully compensate you for any losses; or b. Covered Parties knew or should have known about the possibility of the damages. -The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential, or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index 7bc13986b1..c75879bafc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -25,11 +25,11 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -The Microsoft Defender ATP API Explorer is a tool that helps you explore various Microsoft Defender ATP APIs interactively. +The Microsoft Defender for Endpoint API Explorer is a tool that helps you explore various Defender for Endpoint APIs interactively. -The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Microsoft Defender ATP API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface. +The API Explorer makes it easy to construct and do API queries, test, and send requests for any available Defender for Endpoint API endpoint. Use the API Explorer to take actions or find data that might not yet be available through the user interface. The tool is useful during app development. It allows you to perform API queries that respect your user access settings, reducing the need to generate access tokens. @@ -47,7 +47,7 @@ From the left navigation menu, select **Partners & APIs** > **API Explorer**. ## Supported APIs -API Explorer supports all the APIs offered by Microsoft Defender ATP. +API Explorer supports all the APIs offered by Defender for Endpoint. The list of supported APIs is available in the [APIs documentation](apis-intro.md). @@ -61,7 +61,7 @@ Some of the samples may require specifying a parameter in the URL, for example, ## FAQ **Do I need to have an API token to use the API Explorer?**
    -Credentials to access an API aren't needed. The API Explorer uses the Microsoft Defender ATP management portal token whenever it makes a request. +Credentials to access an API aren't needed. The API Explorer uses the Defender for Endpoint management portal token whenever it makes a request. The logged-in user authentication credential is used to verify that the API Explorer is authorized to access data on your behalf. diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 3163df4fcb..0dfd7bfce2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -17,14 +17,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP API - Hello World +# Microsoft Defender for Endpoint API - Hello World [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## Get Alerts using a simple PowerShell script @@ -47,7 +47,7 @@ For the Application registration stage, you must have a **Global administrator** 3. In the registration form, choose a name for your application and then click **Register**. -4. Allow your Application to access Microsoft Defender ATP and assign it **'Read all alerts'** permission: +4. Allow your Application to access Defender for Endpoint and assign it **'Read all alerts'** permission: - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. @@ -177,6 +177,6 @@ You’re all done! You have just successfully: ## Related topic -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index 8d06eb8f1b..95525bbf97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Automating security procedures is a standard requirement for every modern Security Operations Center. The lack of professional cyber defenders forces SOC to work in the most efficient way and automation is a must. Microsoft Power Automate supports different connectors that were built exactly for that. You can build an end-to-end procedure automation within a few minutes. @@ -81,4 +81,4 @@ The Alert trigger provides only the Alert ID and the Machine ID. You can use the You can also create a **scheduled** flow that runs Advanced Hunting queries and much more! ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index b8454c4935..2170d310c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -17,28 +17,28 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP detections API fields +# Microsoft Defender for Endpoint detections API fields [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink) Understand what data fields are exposed as part of the detections API and how they map to Microsoft Defender Security Center. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections. +>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections. >- **Microsoft Defender ATP Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details. ->- The Microsoft Defender ATP Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). +>- The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md). ## Detections API fields and portal mapping The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. -The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). Field numbers match the numbers in the images below. @@ -49,12 +49,12 @@ Field numbers match the numbers in the images below. > | 1 | AlertTitle | name | Microsoft Defender AV detected 'Mikatz' high-severity malware | Value available for every Detection. | > | 2 | Severity | deviceSeverity | High | Value available for every Detection. | > | 3 | Category | deviceEventCategory | Malware | Value available for every Detection. | -> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Microsoft Defender ATP. Value available for every Detection. | +> | 4 | Detection source | sourceServiceName | Antivirus | Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection. | > | 5 | MachineName | sourceHostName | desktop-4a5ngd6 | Value available for every Detection. | > | 6 | FileName | fileName | Robocopy.exe | Available for detections associated with a file or process. | > | 7 | FilePath | filePath | C:\Windows\System32\Robocopy.exe | Available for detections associated with a file or process. | -> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Microsoft Defender ATP behavioral based detections. | -> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Microsoft Defender ATP behavioral based detections. | +> | 8 | UserDomain | sourceNtDomain | CONTOSO | The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections. | +> | 9 | UserName | sourceUserName | liz.bean | The user context running the activity, available for Defender for Endpoint behavioral based detections. | > | 10 | Sha1 | fileHash | 3da065e07b990034e9db7842167f70b63aa5329 | Available for detections associated with a file or process. | > | 11 | Sha256 | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5 | Available for Microsoft Defender AV detections. | > | 12 | Md5 | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21 | Available for Microsoft Defender AV detections. | @@ -72,8 +72,9 @@ Field numbers match the numbers in the images below. > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | -| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection. -| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. +| | LinkToMTP | No mapping | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection. +| | IncidentLinkToMTP | No mapping | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. +| | IncidentLinkToWDATP | No mapping | `https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | @@ -96,7 +97,7 @@ Field numbers match the numbers in the images below. ## Related topics -- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md) -- [Configure ArcSight to pull Microsoft Defender ATP detections](configure-arcsight.md) -- [Pull Microsoft Defender ATP detections using REST API](pull-alerts-using-rest-api.md) +- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md) +- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md) +- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md) - [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index 9ed52103d9..605b0f511a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -22,11 +22,11 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs. +In this section you will learn create a Power BI report on top of Defender for Endpoint APIs. The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. @@ -133,6 +133,6 @@ View the Microsoft Defender ATP Power BI report samples. For more information, s ## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +- [Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Using OData Queries](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index b5e6b4ffb6..9c8c96f2ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -16,14 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Microsoft Defender ATP API license and terms of use +# Microsoft Defender for Endpoint API license and terms of use [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ## APIs -Microsoft Defender ATP APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). +Defender for Endpoint APIs are governed by [Microsoft API License and Terms of use](https://docs.microsoft.com/legal/microsoft-apis/terms-of-use). ### Throttling limits diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index 09205163fe..c105db89bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -17,33 +17,33 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Access the Microsoft Defender Advanced Threat Protection APIs +# Access the Microsoft Defender for Endpoint APIs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). -Watch this video for a quick overview of Microsoft Defender ATP's APIs. +Watch this video for a quick overview of Defender for Endpoint's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Microsoft Defender ATP API +- Use the token to access Defender for Endpoint API -You can access Microsoft Defender ATP API with **Application Context** or **User Context**. +You can access Defender for Endpoint API with **Application Context** or **User Context**. - **Application Context: (Recommended)**
    Used by apps that run without a signed-in user present. for example, apps that run as background services or daemons. - Steps that need to be taken to access Microsoft Defender ATP API with application context: + Steps that need to be taken to access Defender for Endpoint API with application context: 1. Create an AAD Web-Application. 2. Assign the desired permission to the application, for example, 'Read Alerts', 'Isolate Machines'. @@ -57,7 +57,8 @@ You can access Microsoft Defender ATP API with **Application Context** or **User - **User Context:**
    Used to perform actions in the API on behalf of a user. - Steps that needs to be taken to access Microsoft Defender ATP API with application context: + Steps to take to access Defender for Endpoint API with application context: + 1. Create AAD Native-Application. 2. Assign the desired permission to the application, e.g 'Read Alerts', 'Isolate Machines' etc. 3. Get token using the application with user credentials. @@ -67,6 +68,6 @@ You can access Microsoft Defender ATP API with **Application Context** or **User ## Related topics -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) -- [Access Microsoft Defender ATP with user context](exposed-apis-create-app-nativeapp.md) +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) +- [Access Microsoft Defender for Endpoint with user context](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index 6eeaf5c729..a8bf456da1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -26,11 +26,11 @@ ms.date: 11/28/2018 **Applies to:** - Azure Active Directory - Office 365 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) -Microsoft Defender ATP supports two ways to manage permissions: +Defender for Endpoint supports two ways to manage permissions: - **Basic permissions management**: Set permissions to either full access or read-only. - **Role-based access control (RBAC)**: Set granular permissions by defining roles, assigning Azure AD user groups to the roles, and granting the user groups access to device groups. For more information on RBAC, see [Manage portal access using role-based access control](rbac.md). @@ -38,7 +38,7 @@ Microsoft Defender ATP supports two ways to manage permissions: > [!NOTE] > If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: > -> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Microsoft Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Microsoft Defender ATP administrator role after switching to RBAC. Only users assigned to the Microsoft Defender ATP administrator role can manage permissions using RBAC. +> - Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Defender for Endpoint administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Defender for Endpoint administrator role after switching to RBAC. Only users assigned to the Defender for Endpoint administrator role can manage permissions using RBAC. > - Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. > - After switching to RBAC, you will not be able to switch back to using basic permissions management. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 4726e2223f..74cc0538fb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -18,22 +18,22 @@ ms.topic: article ms.date: 11/20/2018 --- -# Experience Microsoft Defender ATP through simulated attacks +# Experience Microsoft Defender for Endpoint through simulated attacks [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) >[!TIP] ->- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). ->- Microsoft Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). +>- Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Defender for Endpoint?](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Defender for Endpoint demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). -You might want to experience Microsoft Defender ATP before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Microsoft Defender ATP surfaces malicious activity and explore how it enables an efficient response. +You might want to experience Defender for Endpoint before you onboard more than a few devices to the service. To do this, you can run controlled attack simulations on a few test devices. After running the simulated attacks, you can review how Defender for Endpoint surfaces malicious activity and explore how it enables an efficient response. ## Before you begin @@ -61,7 +61,7 @@ Read the walkthrough document provided with each attack scenario. Each document > Simulation files or scripts mimic attack activity but are actually benign and will not harm or compromise the test device. > > -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-attacksimulations-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 0175049c55..b3a31baf6d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -23,7 +23,7 @@ ms.custom: asr **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Is attack surface reduction (ASR) part of Windows? @@ -43,7 +43,7 @@ Yes. ASR is supported for Windows Enterprise E3 and above. All of the rules supported with E3 are also supported with E5. -E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. +E5 also added greater integration with Defender for Endpoint. With E5, you can [use Defender for Endpoint to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports. ## What are the currently supported ASR rules? @@ -75,13 +75,13 @@ Larger organizations should consider rolling out ASR rules in "rings," by auditi Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them. -## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR? +## I'm making the switch from a third-party security solution to Defender for Endpoint. Is there an "easy" way to export rules from another security solution to ASR? -In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. +In most cases, it's easier and better to start with the baseline recommendations suggested by [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/) (Defender for Endpoint) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. -The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities. +The default configuration for most ASR rules, combined with Defender for Endpoint's real-time protection, will protect against a large number of exploits and vulnerabilities. -From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. +From within Defender for Endpoint, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked. ## Does ASR support file or folder exclusions that include system variables and wildcards in the path? @@ -95,9 +95,9 @@ It depends on the rule. Most ASR rules cover the behavior of Microsoft Office pr ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time. -## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline? +## I have an E5 license and enabled some ASR rules in conjunction with Defender for Endpoint. Is it possible for an ASR event to not show up at all in Defender for Endpoint's event timeline? -Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP. +Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Defender for Endpoint portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Defender for Endpoint. ## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index 45db3aa0c7..d2c6d68716 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -24,7 +24,7 @@ ms.date: 10/08/2020 **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks. @@ -50,13 +50,13 @@ You can set attack surface reduction rules for devices running any of the follow - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. +To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Defender for Endpoint](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events. ## Review attack surface reduction events in the Microsoft Defender Security Center -Microsoft Defender ATP provides detailed reporting for events and blocks, as part of its alert investigation scenarios. +Defender for Endpoint provides detailed reporting for events and blocks, as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. +You can query Defender for Endpoint data by using [advanced hunting](advanced-hunting-query-language.md). If you're running [audit mode](audit-windows-defender.md), you can use advanced hunting to understand how attack surface reduction rules could affect your environment. Here is an example query: @@ -87,7 +87,7 @@ This will create a custom view that filters events to only show the following, a |1121 | Event when rule fires in Block-mode | |1122 | Event when rule fires in Audit-mode | -The "engine version" listed for attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not by the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. +The "engine version" listed for attack surface reduction events in the event log, is generated by Defender for Endpoint, not by the operating system. Defender for Endpoint is integrated with Windows 10, so this feature works on all devices with Windows 10 installed. ## Attack surface reduction rules diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index 8a4304b984..b442dcb82a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -15,14 +15,14 @@ ms.reviewer: manager: dansimp --- -# Test how Microsoft Defender ATP features work in audit mode +# Test how Microsoft Defender for Endpoint features work in audit mode [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. Audit mode lets you see a record of what *would* have happened if you had enabled the feature. @@ -32,7 +32,7 @@ The features won't block or prevent apps, scripts, or files from being modified. To find the audited entries, go to **Applications and Services** > **Microsoft** > **Windows** > **Windows Defender** > **Operational**. -You can use Microsoft Defender Advanced Threat Protection to get greater details for each event, especially for investigating attack surface reduction rules. Using the Microsoft Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +You can use Defender for Endpoint to get greater details for each event, especially for investigating attack surface reduction rules. Using the Defender for Endpoint console lets you [investigate issues as part of the alert timeline and investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). This article provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index ef999e9cca..42a409f78e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -11,7 +11,7 @@ ms.sitesec: library ms.pagetype: security ms.author: deniseb author: denisebmsft -ms.date: 09/30/2020 +ms.date: 10/21/2020 ms.localizationpriority: medium manager: dansimp audience: ITPro @@ -27,15 +27,21 @@ ms.custom: AIR [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bOeh] Your security operations team receives an alert whenever a malicious or suspicious artifact is detected by Microsoft Defender for Endpoint. Security operations teams face challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats. Microsoft Defender for Endpoint includes automated investigation and remediation capabilities that can help your security operations team address threats more efficiently and effectively. +Watch the following video to see how automated investigation and remediation works: + +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bOeh] + Automated investigation uses various inspection algorithms and processes used by analysts to examine alerts and take immediate action to resolve breaches. These capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. The [Action center](auto-investigation-action-center.md) keeps track of all the investigations that were initiated automatically, along with details, such as investigation status, detection source, and any pending or completed actions. > [!TIP] -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink) +> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-automated-investigations-abovefoldlink). ## How the automated investigation starts @@ -72,28 +78,19 @@ If an incriminated entity is seen in another device, the automated investigation ## How threats are remediated -Depending on how you set up the device groups and their level of automation, each automated investigation either requires user approval (default) or automatically takes action to remediate threats. +As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*. -> [!NOTE] -> Microsoft Defender for Endpoint tenants created on or after August 16, 2020 have **Full - remediate threats automatically** selected by default. You can keep the default setting, or change it according to your organizational needs. To change your settings, [adjust your device group settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). +As verdicts are reached, automated investigations can result in one or more remediation actions. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](manage-auto-investigation.md#remediation-actions).) -You can configure the following levels of automation: +Depending on the [level of automation](automation-levels.md) set for your organization, remediation actions can occur automatically or only upon approval by your security operations team. -|Automation level | Description| -|---|---| -|**Full - remediate threats automatically** | All remediation actions are performed automatically. Remediation actions that were taken can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab.

    ***This option is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.*

    *If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Full - remediate threats automatically**.* | -|**Semi - require approval for core folders remediation** | Approval is required for remediation actions on files or executables that are in core folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

    Remediation actions can be taken automatically on files or executables that are in other (non-core) folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`). | -|**Semi - require approval for non-temp folders remediation** | Approval is required for remediation actions on files or executables that are not in temporary folders. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

    Remediation actions can be taken automatically on files or executables that are in temporary folders. Temporary folders can include the following examples:
    - `\users\*\appdata\local\temp\*`
    - `\documents and settings\*\local settings\temp\*`
    - `\documents and settings\*\local settings\temporary\*`
    - `\windows\temp\*`
    - `\users\*\downloads\*`
    - `\program files\`
    - `\program files (x86)\*`
    - `\documents and settings\*\users\*` | -|**Semi - require approval for any remediation** | Approval is required for any remediation action. Pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md).

    *This option is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*

    *If you do have a device group defined, you will also have a device group called **Ungrouped devices (default)**, which will be set to **Semi - require approval for any remediation**.*| -|**No automated response** | Automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation.

    ***This option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up or changing your device groups to use **Full** or **Semi** automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)* | - - -> [!IMPORTANT] -> If your tenant already has device groups defined, then the automation level settings are not changed for those device groups. +All remediation actions, whether pending or completed, can be viewed in Action Center. If necessary, your security operations team can undo a remediation action. (See [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).) ## Next steps -- [Learn about the automated investigations dashboard](manage-auto-investigation.md) +- [Get an overview of the automated investigations dashboard](manage-auto-investigation.md) + +- [Learn more about automation levels](automation-levels.md) - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md new file mode 100644 index 0000000000..9fa9ebd762 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -0,0 +1,62 @@ +--- +title: Automation levels in automated investigation and remediation +description: Get an overview of automation levels and how they work in Microsoft Defender for Endpoint +keywords: automated, investigation, level, defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.technology: windows +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 10/22/2020 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs +ms.custom: AIR +--- + +# Automation levels in automated investigation and remediation capabilities + +Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Endpoint can be configured to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval. +- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. +- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken. (See the table in [Levels of automation](#levels-of-automation).) +- All remediation actions, whether pending or completed, are tracked in the Action Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). + +> [!TIP] +> For best results, we recommend using full automation when you [configure AIR](configure-automated-investigations-remediation.md). Data collected and analyzed over the past year shows that customers who are using full automation had 40% more high-confidence malware samples removed than customers who are using lower levels of automation. Full automation can help free up your security operations resources to focus more on your strategic initiatives. + +## Levels of automation + +The following table describes each level of automation and how it works. + +|Automation level | Description| +|:---|:---| +|**Full - remediate threats automatically**
    (also referred to as *full automation*)| With full automation, remediation actions are performed automatically. All remediation actions that are taken can be viewed in the [Action Center](auto-investigation-action-center.md) on the **History** tab. If necessary, a remediation action can be undone.

    ***Full automation is recommended** and is selected by default for tenants that were created on or after August 16, 2020 with Microsoft Defender for Endpoint, with no device groups defined yet.* | +|**Semi - require approval for any remediation**
    (also referred to as *semi-automation*)| With this level of semi-automation, approval is required for *any* remediation action. Such pending actions can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    *This level of semi-automation is selected by default for tenants that were created before August 16, 2020 with Microsoft Defender ATP, with no device groups defined.*| +|**Semi - require approval for core folders remediation**
    (also a type of *semi-automation*) | With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are in core folders. Core folders include operating system directories, such as the **Windows** (`\windows\*`).

    Remediation actions can be taken automatically on files or executables that are in other (non-core) folders.

    Pending actions for files or executables in core folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    Actions that were taken on files or executables in other folders can be viewed in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**Semi - require approval for non-temp folders remediation**
    (also a type of *semi-automation*)| With this level of semi-automation, approval is required for any remediation actions needed on files or executables that are *not* in temporary folders.

    Temporary folders can include the following examples:
    - `\users\*\appdata\local\temp\*`
    - `\documents and settings\*\local settings\temp\*`
    - `\documents and settings\*\local settings\temporary\*`
    - `\windows\temp\*`
    - `\users\*\downloads\*`
    - `\program files\`
    - `\program files (x86)\*`
    - `\documents and settings\*\users\*`

    Remediation actions can be taken automatically on files or executables that are in temporary folders.

    Pending actions for files or executables that are not in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **Pending** tab.

    Actions that were taken on files or executables in temporary folders can be viewed and approved in the [Action Center](auto-investigation-action-center.md), on the **History** tab. | +|**No automated response**
    (also referred to as *no automation*) | With no automation, automated investigation does not run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation. However, other threat protection features, such as [protection from potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus), can be in effect, depending on how your antivirus and next-generation protection features are configured.

    ***Using the *no automation* option is not recommended**, because it reduces the security posture of your organization's devices. [Consider setting up your automation level to full automation (or at least semi-automation)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)*. | + +## Important points about automation levels + +- Full automation has proven to be reliable, efficient, and safe, and is recommended for all customers. Full automation frees up your critical security resources so they can focus more on your strategic initiatives. + +- New tenants (which include tenants that were created on or after August 16, 2020) with Microsoft Defender for Endpoint are set to full automation by default. + +- If your security team has defined device groups with a level of automation, those settings are not changed by the new default settings that are rolling out. + +- You can keep your default automation settings, or change them according to your organizational needs. To change your settings, [set your level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation#set-up-device-groups). + +## Next steps + +- [Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint](configure-automated-investigations-remediation.md) + +- [Visit the Action Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center#the-action-center) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index 2d1aa8f368..fed2ad3911 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -24,15 +24,15 @@ ms.topic: article **Applies to:** - Azure Active Directory -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) Refer to the instructions below to use basic permissions management. -You can use either of the following: +You can use either of the following solutions: - Azure PowerShell -- Azure Portal +- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). @@ -42,21 +42,21 @@ You can assign users with one of the following levels of permissions: - Read-only access ### Before you begin -- Install Azure PowerShell. For more information see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    +- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).
    > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). +- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). **Full access**
    Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. Assigning full access rights requires adding the users to the "Security Administrator" or "Global Administrator" AAD built-in roles. -**Read only access**
    -Users with read only access can log in, view all alerts, and related information. +**Read-only access**
    +Users with read-only access can log in, view all alerts, and related information. They will not be able to change alert states, submit files for deep analysis or perform any state changing operations. -Assigning read only access rights requires adding the users to the "Security Reader" AAD built-in role. +Assigning read-only access rights requires adding the users to the "Security Reader" Azure AD built-in role. Use the following steps to assign security roles: @@ -64,12 +64,12 @@ Use the following steps to assign security roles: ```text Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` -- For **read only** access, assign users to the security reader role by using the following command: +- For **read-only** access, assign users to the security reader role by using the following command: ```text Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information see, [Add or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 8d29204276..05ec75c8d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -27,23 +27,23 @@ ms.collection: **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security). +Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised devices. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and device learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Defender for Endpoint](https://docs.microsoft.com/windows/security). -Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities. +Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Defender for Endpoint components and features work together in behavioral blocking and containment capabilities. :::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment"::: -Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing. +Behavioral blocking and containment capabilities work with multiple components and features of Defender for Endpoint to stop attacks immediately and prevent attacks from progressing. - [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running. - [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond. -- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. +- [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Defender for Endpoint processes and correlates these signals, raises detection alerts, and connects related alerts in incidents. With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks. @@ -59,7 +59,7 @@ The following image shows an example of an alert that was triggered by behaviora - **[Feedback-loop blocking](feedback-loop-blocking.md)** (also referred to as rapid protection) Threat detections are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) -- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Microsoft Defender Antivirus is not the primary antivirus solution. (EDR in block mode is not enabled by default; you turn it on in the Microsoft Defender Security Center.) Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap). @@ -85,7 +85,7 @@ Below are two real-life examples of behavioral blocking and containment in actio As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server. -Behavior-based device learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain: +Behavior-based device learning models in Defender for Endpoint caught and stopped the attacker’s techniques at two points in the attack chain: - The first protection layer detected the exploit behavior. Device learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack. - The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot). @@ -97,7 +97,7 @@ This example shows how behavior-based device learning models in the cloud add ne ### Example 2: NTLM relay - Juicy Potato malware variant -As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. +As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Defender for Endpoint detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered. :::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware"::: @@ -113,7 +113,7 @@ This example shows that with behavioral blocking and containment capabilities, t ## Next steps -- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) +- [Learn more about Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) - [Configure your attack surface reduction rules](attack-surface-reduction.md) @@ -121,4 +121,4 @@ This example shows that with behavioral blocking and containment capabilities, t - [See recent global threat activity](https://www.microsoft.com/wdsi/threats) -- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) +- [Get an overview of Microsoft 365 Defender ](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index 9e38e27515..bbff2e68b9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -18,32 +18,32 @@ ms.topic: article ms.date: 04/24/2018 --- -# Check sensor health state in Microsoft Defender ATP +# Check sensor health state in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-checksensor-abovefoldlink) -The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. +The **Devices with sensor issues** tile is found on the Security Operations dashboard. This tile provides information on the individual device’s ability to provide sensor data and communicate with the Defender for Endpoint service. It reports how many devices require attention and helps you identify problematic devices and take action to correct known issues. There are two status indicators on the tile that provide information on the number of devices that are not reporting properly to the service: -- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. +- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service and might have configuration errors that need to be corrected. +- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service for more than seven days in the past month. Clicking any of the groups directs you to **Devices list**, filtered according to your choice. ![Screenshot of Devices with sensor issues tile](images/atp-devices-with-sensor-issues-tile.png) On **Devices list**, you can filter the health state list by the following status: -- **Active** - Devices that are actively reporting to the Microsoft Defender ATP service. -- **Misconfigured** - These devices might partially be reporting sensor data to the Microsoft Defender ATP service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: +- **Active** - Devices that are actively reporting to the Defender for Endpoint service. +- **Misconfigured** - These devices might partially be reporting sensor data to the Defender for Endpoint service but have configuration errors that need to be corrected. Misconfigured devices can have either one or a combination of the following issues: - **No sensor data** - Devices has stopped sending sensor data. Limited alerts can be triggered from the device. - **Impaired communications** - Ability to communicate with device is impaired. Sending files for deep analysis, blocking files, isolating device from network and other actions that require communication with the device may not work. -- **Inactive** - Devices that have stopped reporting to the Microsoft Defender ATP service. +- **Inactive** - Devices that have stopped reporting to the Defender for Endpoint service. You can also download the entire list in CSV format using the **Export** feature. For more information on filters, see [View and organize the Devices list](machines-view-overview.md). @@ -55,4 +55,4 @@ You can also download the entire list in CSV format using the **Export** feature You can view the device details when you click on a misconfigured or inactive device. ## Related topic -- [Fix unhealthy sensors in Microsoft Defender ATP](fix-unhealthy-sensors.md) +- [Fix unhealthy sensors in Defender for Endpoint](fix-unhealthy-sensors.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index 52e97e1b70..ef5d153836 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -27,11 +27,11 @@ ms.collection: **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Microsoft Defender ATP. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. +Client behavioral blocking is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in Defender for Endpoint. As suspicious behaviors are detected on devices (also referred to as clients or endpoints), artifacts (such as files or applications) are blocked, checked, and remediated automatically. :::image type="content" source="images/pre-execution-and-post-execution-detection-engines.png" alt-text="Cloud and client protection"::: @@ -72,11 +72,11 @@ Behavior-based detections are named according to the [MITRE ATT&CK Matrix for En ## Configuring client behavioral blocking -If your organization is using Microsoft Defender ATP, client behavioral blocking is enabled by default. However, to benefit from all Microsoft Defender ATP capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: +If your organization is using Defender for Endpoint, client behavioral blocking is enabled by default. However, to benefit from all Defender for Endpoint capabilities, including [behavioral blocking and containment](behavioral-blocking-containment.md), make sure the following features and capabilities of Defender for Endpoint are enabled and configured: -- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) +- [Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) -- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) +- [Devices onboarded to Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) - [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) @@ -92,4 +92,4 @@ If your organization is using Microsoft Defender ATP, client behavioral blocking - [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) -- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) +- [Helpful Defender for Endpoint resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index 398305b848..0d6949ea0b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Collect investigation package from a device. @@ -35,7 +35,7 @@ Collect investigation package from a device. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md index d34460c4bf..34adbf6fbe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -20,8 +20,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - -* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender ATP APIs. +* The error codes listed in the following table may be returned by an operation on any of Microsoft Defender for Endpoint APIs. * Note that in addition to the error code, every error response contains an error message which can help resolving the problem. * Note that the message is a free text that can be changed. * At the bottom of the page you can find response examples. @@ -40,7 +39,7 @@ MaximumBatchSizeExceeded | BadRequest (400) | Maximum batch size exceeded. Recei MissingRequiredParameter | BadRequest (400) | Parameter {the missing parameter} is missing. OsPlatformNotSupported | BadRequest (400) | OS Platform {the client OS Platform} is not supported for this action. ClientVersionNotSupported | BadRequest (400) | {The requested action} is supported on client version {supported client version} and above. -Unauthorized | Unauthorized (401) | Unauthorized (usually invalid or expired authorization header). +Unauthorized | Unauthorized (401) | Unauthorized (invalid or expired authorization header). Forbidden | Forbidden (403) | Forbidden (valid token but insufficient permission for the action). DisabledFeature | Forbidden (403) | Tenant feature is not enabled. DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason}. @@ -48,11 +47,11 @@ NotFound | Not Found (404) | General Not Found error message. ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found. InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved) -## Body parameters are case sensitive +## Body parameters are case-sensitive -The submitted body parameters are currently case sensitive. +The submitted body parameters are currently case-sensitive.
    If you experience an **InvalidRequestBody** or **MissingRequiredParameter** errors, it might be caused from a wrong parameter capital or lower-case letter. -
    It is recommended to go to the requested Api documentation page and check that the submitted parameters match the relevant example. +
    We recommend that you go to the requested API documentation page and check that the submitted parameters match the relevant example. ## Correlation request ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index 7a83827fc5..f68dcdeab3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -19,17 +19,17 @@ ms.date: 04/24/2018 --- -# Access the Microsoft Defender ATP Community Center +# Access the Microsoft Defender for Endpoint Community Center [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -The Microsoft Defender ATP Community Center is a place where community members can learn, collaborate, and share experiences about the product. +The Defender for Endpoint Community Center is a place where community members can learn, collaborate, and share experiences about the product. There are several spaces you can explore to learn about specific information: - Announcements @@ -38,8 +38,8 @@ There are several spaces you can explore to learn about specific information: There are several ways you can access the Community Center: -- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Microsoft Defender ATP Tech Community page. -- Access the community through the [Microsoft Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page +- In the Microsoft Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Defender for Endpoint Tech Community page. +- Access the community through the [Microsoft Defender for Endpoint Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page You can instantly view and read conversations that have been posted in the community. diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index edcabf4028..a0ace30f14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -23,11 +23,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink) Conditional Access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications. @@ -37,7 +37,7 @@ With Conditional Access, you can control access to enterprise information based You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. -The implementation of Conditional Access in Microsoft Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. +The implementation of Conditional Access in Defender for Endpoint is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. The compliance policy is used with Conditional Access to allow only devices that fulfill one or more device compliance policy rules to access applications. @@ -67,15 +67,15 @@ When the risk is removed either through manual or automated remediation, the dev The following example sequence of events explains Conditional Access in action: -1. A user opens a malicious file and Microsoft Defender ATP flags the device as high risk. +1. A user opens a malicious file and Defender for Endpoint flags the device as high risk. 2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat. 3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune Conditional Access policy. In Azure AD, the corresponding policy is applied to block access to applications. -4. The manual or automated investigation and remediation is completed and the threat is removed. Microsoft Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. +4. The manual or automated investigation and remediation is completed and the threat is removed. Defender for Endpoint sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications. 5. Users can now access applications. ## Related topic -- [Configure Conditional Access in Microsoft Defender ATP](configure-conditional-access.md) +- [Configure Conditional Access in Microsoft Defender for Endpoint](configure-conditional-access.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index 2a2e4d3535..aca0be0b19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -17,25 +17,24 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Configure Micro Focus ArcSight to pull Microsoft Defender ATP detections +# Configure Micro Focus ArcSight to pull Defender for Endpoint detections [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configurearcsight-abovefoldlink) -You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Microsoft Defender ATP detections. +You'll need to install and configure some files and tools to use Micro Focus ArcSight so that it can pull Defender for Endpoint detections. >[!Note] ->- [Microsoft Defender ATP Alert](alerts.md) is composed from one or more detections ->- [Microsoft Defender ATP Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. +>- [Defender for Endpoint Alert](alerts.md) is composed from one or more detections +>- [Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. ## Before you begin @@ -43,7 +42,7 @@ Configuring the Micro Focus ArcSight Connector tool requires several configurati This section guides you in getting the necessary information to set and use the required configuration files correctly. -- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). +- Make sure you have enabled the SIEM integration feature from the **Settings** menu. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md). - Have the file you saved from enabling the SIEM integration feature ready. You'll need to get the following values: - OAuth 2.0 Token refresh URL @@ -116,7 +115,7 @@ The following steps assume that you have completed all the required steps in [Be
    		Browse to the location of the wdatp-connector.properties file. The name must match the file provided in the .zip that you downloaded.
    Refresh TokenYou can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Microsoft Defender ATP.

    Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the Refresh Token field. +     		You can obtain a refresh token in two ways: by generating a refresh token from the SIEM settings page or using the restutil tool.

    For more information on generating a refresh token from the Preferences setup , see Enable SIEM integration in Defender for Endpoint.

    Get your refresh token using the restutil tool:
    a. Open a command prompt. Navigate to C:\folder_location\current\bin where folder_location represents the location where you installed the tool.

    b. Type: arcsight restutil token -config from the bin directory.For example: arcsight restutil boxtoken -proxy proxy.location.hp.com:8080 A Web browser window will open.

    c. Type in your credentials then click on the password field to let the page redirect. In the login prompt, enter your credentials.

    d. A refresh token is shown in the command prompt.

    e. Copy and paste it into the Refresh Token field.
    1Microsoft Defender Advanced Threat Protection service started (Version variable).Microsoft Defender for Endpoint service started (Version variable). Occurs during system start up, shut down, and during onbboarding. Normal operating notification; no action required.
    2Microsoft Defender Advanced Threat Protection service shutdown.Microsoft Defender for Endpoint service shutdown. Occurs when the device is shut down or offboarded. Normal operating notification; no action required.
    3Microsoft Defender Advanced Threat Protection service failed to start. Failure code: variable.Microsoft Defender for Endpoint service failed to start. Failure code: variable. Service did not start. Review other messages to determine possible cause and troubleshooting steps.
    4Microsoft Defender Advanced Threat Protection service contacted the server at variable.Variable = URL of the Microsoft Defender ATP processing servers.
    +    		Microsoft Defender for Endpoint service contacted the server at variable.Variable = URL of the Defender for Endpoint processing servers.
    This URL will match that seen in the Firewall or network activity.    		 Normal operating notification; no action required.
    5Microsoft Defender Advanced Threat Protection service failed to connect to the server at variable.Variable = URL of the Microsoft Defender ATP processing servers.
    +    		Microsoft Defender for Endpoint service failed to connect to the server at variable.Variable = URL of the Defender for Endpoint processing servers.
    The service could not contact the external processing servers at that URL.    		 Check the connection to the URL. See Configure proxy and Internet connectivity.
    6Microsoft Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found.Microsoft Defender for Endpoint service is not onboarded and no onboarding parameters were found. The device did not onboard correctly and will not be reporting to the portal. Onboarding must be run before starting the service.
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    @@ -103,14 +98,14 @@ See Onboard Windows 10 devices.
    8Microsoft Defender Advanced Threat Protection service failed to clean its configuration. Failure code: variable.Microsoft Defender for Endpoint service failed to clean its configuration. Failure code: variable. During onboarding: The service failed to clean its configuration during the onboarding. The onboarding process continues.

    During offboarding: The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.     		Onboarding: No action required.

    Offboarding: Reboot the system.
    @@ -118,47 +113,47 @@ See Onboard Windows 10 devices.
    10Microsoft Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: variable.Microsoft Defender for Endpoint service failed to persist the onboarding information. Failure code: variable. The device did not onboard correctly and will not be reporting to the portal. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    See Onboard Windows 10 devices.
    11Onboarding or re-onboarding of Microsoft Defender Advanced Threat Protection service completed.Onboarding or re-onboarding of Defender for Endpoint service completed. The device onboarded correctly. Normal operating notification; no action required.
    It may take several hours for the device to appear in the portal.
    12Microsoft Defender Advanced Threat Protection failed to apply the default configuration.Microsoft Defender for Endpoint failed to apply the default configuration. Service was unable to apply the default configuration. This error should resolve after a short period of time.
    13Microsoft Defender Advanced Threat Protection device ID calculated: variable.Microsoft Defender for Endpoint device ID calculated: variable. Normal operating process. Normal operating notification; no action required.
    15Microsoft Defender Advanced Threat Protection cannot start command channel with URL: variable.Variable = URL of the Microsoft Defender ATP processing servers.
    +    		Microsoft Defender for Endpoint cannot start command channel with URL: variable.Variable = URL of the Defender for Endpoint processing servers.
    The service could not contact the external processing servers at that URL.    		 Check the connection to the URL. See Configure proxy and Internet connectivity.
    17Microsoft Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable.Microsoft Defender for Endpoint service failed to change the Connected User Experiences and Telemetry service location. Failure code: variable. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    @@ -185,7 +180,7 @@ If this error persists after a system restart, ensure all Windows updates have f
    25Microsoft Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: variable.Microsoft Defender for Endpoint service failed to reset health status in the registry. Failure code: variable. The device did not onboard correctly. It will report to the portal, however the service may not appear as registered in SCCM or the registry. Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    @@ -193,7 +188,7 @@ See Onboard Windows 10 devices.
    Ensure real-time antimalware protection is running properly.
    28Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: variable.Microsoft Defender for Endpoint Connected User Experiences and Telemetry service registration failed. Failure code: variable. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    @@ -223,34 +218,34 @@ See Onboard Windows 10 devices
    Ensure real-time antimalware protection is running properly.
    31Microsoft Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: variable.Microsoft Defender for Endpoint Connected User Experiences and Telemetry service unregistration failed. Failure code: variable. An error occurred with the Windows telemetry service during onboarding. The offboarding process continues. Check for errors with the Windows telemetry service.
    32Microsoft Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1Microsoft Defender for Endpoint service failed to request to stop itself after offboarding process. Failure code: %1 An error occurred during offboarding. Reboot the device.
    33Microsoft Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: variable.Microsoft Defender for Endpoint service failed to persist SENSE GUID. Failure code: variable. A unique identifier is used to represent each device that is reporting to the portal.
    If the identifier does not persist, the same device might appear twice in the portal.    		 Check registry permissions on the device to ensure the service can update the registry.
    34Microsoft Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable.Microsoft Defender for Endpoint service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: variable. An error occurred with the Windows telemetry service. Ensure the diagnostic data service is enabled.
    Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
    @@ -258,62 +253,62 @@ See [!IMPORTANT] > Image File Execution Options only allows you to specify a file name or path, and not a version number, architecture, or any other differentiator. Be careful to target mitigations to apps which have unique names or paths, applying them only on devices where you have tested that version and that architecture of the application. -If you configure Exploit Protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. +If you configure exploit protection mitigations using an XML configuration file, either via PowerShell, Group Policy, or MDM, when processing this XML configuration file, individual registry settings will be configured for you. When the policy distributing the XML file is no longer enforced, settings deployed by this XML configuration file will not be automatically removed. To remove Exploit Protection settings, export the XML configuration from a clean Windows 10 device, and deploy this new XML file. Alternately, Microsoft provides an XML file as part of the Windows Security Baselines for resetting Exploit Protection settings. -To reset Exploit Protection settings using PowerShell, you could use the following command: +To reset exploit protection settings using PowerShell, you could use the following command: ```powershell Set-ProcessMitigation -PolicyFilePath EP-reset.xml @@ -181,49 +181,49 @@ Following is the EP-reset.xml distributed with the Windows Security Baselines: ## Mitigation Reference -The below sections detail the protections provided by each Exploit Protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. +The following sections detail the protections provided by each exploit protection mitigation, the compatibility considerations for the mitigation, and the configuration options available. ## Arbitrary code guard ### Description -Arbitrary Code Guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. +Arbitrary code guard helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code. -Arbitrary Code Guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary Code Guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). +Arbitrary code guard protects an application from executing dynamically generated code (code that is not loaded, for example, from the exe itself or a dll). Arbitrary code guard works by preventing memory from being marked as executable. When an application attempts to [allocate memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualalloc), we check the protection flags. (Memory can be allocated with read, write, and/or execute protection flags.) If the allocation attempts to include the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the memory allocation fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). Similarly, if an application attempts to [change the protection flags of memory](https://docs.microsoft.com/windows/win32/api/memoryapi/nf-memoryapi-virtualprotect) that has already been allocated and includes the [*execute*](https://docs.microsoft.com/windows/win32/memory/memory-protection-constants) protection flag, then the permission change fails and returns an error code (STATUS_DYNAMIC_CODE_BLOCKED). -By preventing the *execute* flag from being set, the Data Execution Prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. +By preventing the *execute* flag from being set, the data execution prevention feature of Windows 10 can then protect against the instruction pointer being set to that memory and running that code. ### Compatibility considerations -Arbitrary Code Guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. +Arbitrary code guard prevents allocating any memory as executable, which presents a compatibility issue with approaches such as Just-in-Time (JIT) compilers. Most modern browsers, for example, will compile JavaScript into native code in order to optimize performance. In order to support this mitigation, they will need to be rearchitected to move the JIT compilation outside of the protected process. Other applications whose design dynamically generates code from scripts or other intermediate languages will be similarly incompatible with this mitigation. ### Configuration options **Allow thread opt-out** - You can configure the mitigation to allow an individual thread to opt-out of this protection. The developer must have written the application with awareness of this mitigation, and have called the [**SetThreadInformation**](https://docs.microsoft.com/windows/win32/api/processthreadsapi/nf-processthreadsapi-setthreadinformation) API with the *ThreadInformation* parameter set to **ThreadDynamicCodePolicy** in order to be allowed to execute dynamic code on this thread. -**Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Block low integrity images ### Description -Block low integrity images prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. +Block low integrity images prevents the application from loading files that are untrusted, typically because they have been downloaded from the internet from a sandboxed browser. This mitigation will block image loads if the image has an Access Control Entry (ACE) which grants access to Low IL processes and which does not have a trust label ACE. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a low integrity image, it will trigger a STATUS_ACCESS_DENIED error. For details on how integrity levels work, see [Mandatory Integrity Control](https://docs.microsoft.com/windows/win32/secauthz/mandatory-integrity-control). ### Compatibility considerations -Block low integrity images will prevent the application from loading files which were downloaded from the internet. If your application workflow requires loading images which are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. +Block low integrity images will prevent the application from loading files that were downloaded from the internet. If your application workflow requires loading images that are downloaded, you will want to ensure that they are downloaded from a higher-trust process, or are explicitly relabeled in order to apply this mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Block remote images ### Description -Block remote images will prevent the application from loading files which are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory which are on an external device controlled by the attacker. +Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker. This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. @@ -233,25 +233,25 @@ Block remote images will prevent the application from loading images from remote ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Block untrusted fonts ### Description -Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts which are installed into the windows\fonts directory will be loaded for processing by GDI. +Block untrusted fonts mitigates the risk of a flaw in font parsing leading to the attacker being able to run code on the device. Only fonts that are installed into the windows\fonts directory will be loaded for processing by GDI. This mitigation is implemented within GDI, which validates the location of the file. If the file is not in the system fonts directory, the font will not be loaded for parsing and that call will fail. -Note that this mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). +This mitigation is in addition to the built-in mitigation provided in Windows 10 1607 and later, which moves font parsing out of the kernel and into a user-mode app container. Any exploit based on font parsing, as a result, happens in a sandboxed and isolated context, which reduces the risk significantly. For details on this mitigation, see the blog [Hardening Windows 10 with zero-day exploit mitigations](https://www.microsoft.com/security/blog/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/). ### Compatibility considerations -The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365 which use font glyphs to display UI. +The most common use of fonts outside of the system fonts directory is with [web fonts](https://docs.microsoft.com/typography/fonts/font-faq#web). Modern browsers, such as Microsoft Edge, use DirectWrite instead of GDI, and are not impacted. However, legacy browsers, such as Internet Explorer 11 (and IE mode in the new Microsoft Edge) can be impacted, particularly with applications such as Office 365, which use font glyphs to display UI. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Code integrity guard @@ -259,17 +259,17 @@ The most common use of fonts outside of the system fonts directory is with [web Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. -This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary which is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. +This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. ### Compatibility considerations -This mitigation specifically blocks any binary which is not signed by Microsoft. As such, it will be incompatible with most third party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. +This mitigation specifically blocks any binary that is not signed by Microsoft. As such, it will be incompatible with most third-party software, unless that software is distributed by (and digitally signed by) the Microsoft Store, and the option to allow loading of images signed by the Microsoft Store is selected. ### Configuration options -**Also allow loading of images signed by Microsoft Store** - Applications which are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries which have gone through the store certification process to be loaded by the application. +**Also allow loading of images signed by Microsoft Store** - Applications that are distributed by the Microsoft Store will be digitally signed by the Microsoft Store, and adding this configuration will allow binaries that have gone through the store certification process to be loaded by the application. -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Control flow guard (CFG) @@ -277,7 +277,7 @@ This mitigation specifically blocks any binary which is not signed by Microsoft. Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). -This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications which are compiled with CFG support can benefit from this mitigation. +This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. @@ -296,19 +296,19 @@ Since applications must be compiled to support CFG, they implicitly declare thei ### Description -Data Execution Prevention (DEP) prevents memory which was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. +Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. ### Compatibility considerations -All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is generally assumed. +All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed. -All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some very old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (e.g. JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. +All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. ### Configuration options -**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called thunking. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory which is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications which have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. +**Enable ATL Thunk emulation** - This configuration option disables ATL Thunk emulation. ATL, the ActiveX Template Library, is designed to be as small and fast as possible. In order to reduce binary size, it would use a technique called *thunking*. Thunking is typically thought of for interacting between 32-bit and 16-bit applications, but there are no 16-bit components to ATL here. Rather, in order to optimize for binary size, ATL will store machine code in memory that is not word-aligned (creating a smaller binary), and then invoke that code directly. ATL components compiled with Visual Studio 7.1 or earlier (Visual Studio 2003) do not allocate this memory as executable - thunk emulation resolves that compatibility issue. Applications that have a binary extension model (such as Internet Explorer 11) will often need to have ATL Thunk emulation enabled. ## Disable extension points @@ -318,13 +318,13 @@ This mitigation disables various extension points for an application, which migh This includes: -- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Note that, beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). +- **AppInit DLLs** - Whenever a process starts, the system will load the specified DLL into to context of the newly started process before calling its entry point function. [Details on AppInit DLLs can be found here](https://docs.microsoft.com/windows/win32/winmsg/about-window-classes#application-global-classes). With this mitigation applied, AppInit DLLs are not loaded. Beginning with Windows 7, AppInit DLLs need to be digitally signed, [as described here](https://docs.microsoft.com/windows/win32/win7appqual/appinit-dlls-in-windows-7-and-windows-server-2008-r2). Additionally, beginning with Windows 8, AppInit DLLs will not be loaded if SecureBoot is enabled, [as described here](https://docs.microsoft.com/windows/win32/dlls/secure-boot-and-appinit-dlls). - **Legacy IMEs** - An Input Method Editor (IME) allows a user to type text in a language that has more characters than can be represented on a keyboard. Third parties are able to create IMEs. A malicious IME might obtain credentials or other sensitive information from this input capture. Some IMEs, referred to as Legacy IMEs, will only work on Windows Desktop apps, and not UWP apps. This mitigation will also prevent this legacy IME from loading into the specified Windows Desktop app. - **Windows Event Hooks** - An application can call the [SetWinEventHook API](https://docs.microsoft.com/windows/win32/api/winuser/nf-winuser-setwineventhook) to register interest in an event taking place. A DLL is specified and can be injected into the process. This mitigation forces the hook to be posted to the registering process rather than running in-process through an injected DLL. ### Compatibility considerations -Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using 3rd party Legacy IMEs which will not work with the protected application. +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application. ### Configuration options @@ -341,11 +341,11 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com ### Compatibility considerations -This mitigation is designed for processes which are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application which displays a GUI using a single process will be impacted by this mitigation. +This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Do not allow child processes @@ -355,23 +355,23 @@ This mitigation prevents an application from creating new child applications. A ### Compatibility considerations -If your application launches child applications for any reason, such as supporting hyperlinks which launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. +If your application launches child applications for any reason, such as supporting hyperlinks that launch a browser or an external browser, or which launch other utilities on the computer, this functionality will be broken with this mitigation applied. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Export address filtering ### Description -Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects 3 commonly attacked modules: +Export address filtering (EAF) mitigates the risk of malicious code looking at the export address table of all loaded modules to find modules that contain useful APIs for their attack. This is a common tactic used by shellcode. In order to mitigate the risk of such an attack, this mitigation protects three commonly attacked modules: - ntdll.dll - kernelbase.dll - kernel32.dll -The mitigation protects the memory page in the [export directory](https://docs.microsoft.com/windows/win32/debug/pe-format#export-directory-table) which points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. +The mitigation protects the memory page in the [export directory that points to the [export address table](https://docs.microsoft.com/windows/win32/debug/pe-format#export-address-table). This memory page will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to it. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. ### Compatibility considerations @@ -394,7 +394,7 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Force randomization for images (Mandatory ASLR) @@ -402,17 +402,17 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. -Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019) linker option, and this mitigation has the same effect. +Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect. When the memory manager is mapping in the image into the process, Mandatory ASLR will forcibly rebase DLLs and EXEs that have not opted in to ASLR. Note, however, that this rebasing has no entropy, and can therefore be placed at a predictable location in memory. For rebased and randomized location of binaries, this mitigation should be paired with [Randomize memory allocations (Bottom-up ASLR)](#randomize-memory-allocations-bottom-up-aslr). ### Compatibility considerations -This compatibility impact of ASLR is typically constrained to older applications which were built using compilers which made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. +This compatibility impact of ASLR is typically constrained to older applications that were built using compilers that made assumptions about the base address of a binary file or have stripped out base relocation information. This can lead to unpredictable errors as the execution flow attempts to jump to the expected, rather than the actual, location in memory. ### Configuration options -**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table](https://docs.microsoft.com/windows/win32/debug/pe-format#the-reloc-section-image-only) which the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). +**Do not allow stripped images** - This option blocks the loading of images that have had relocation information stripped. The Windows PE file format contains absolute addresses, and the compiler also generates a [base relocation table that the loader can use to find all relative memory references and their offset, so they can be updated if the binary does not load at its preferred base address. Some older applications strip out this information in production builds, and therefore these binaries cannot be rebased. This mitigation blocks such binaries from being loaded (instead of allowing them to load at their preferred base address). > [!Note] > **Force randomization for images (Mandatory ASLR)** has no audit mode. @@ -421,7 +421,7 @@ This compatibility impact of ASLR is typically constrained to older applications ### Description -The Import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. +The import address filtering (IAF) mitigation helps mitigate the risk of an adversary changing the control flow of an application by modifying the import address table (IAT) to redirect to arbitrary code of the attacker's choice when that function is called. An attacker could use this approach to hijack control, or to intercept, inspect, and potentially block calls to sensitive APIs. The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs.microsoft.com/windows/win32/memory/creating-guard-pages) protection applied to them. When someone tries to access this memory, it will generate a STATUS_GUARD_PAGE_VIOLATION. The mitigation handles this exception, and if the accessing instruction doesn't pass validation, the process will be terminated. @@ -455,11 +455,11 @@ This mitigation protects the following Windows APIs: ### Compatibility considerations -Legitimate applications which perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. +Legitimate applications that perform API interception may be detected by this mitigation and cause some applications to crash. Examples include security software and application compatibility shims. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Randomize memory allocations (Bottom-up ASLR) @@ -467,15 +467,15 @@ Legitimate applications which perform API interception may be detected by this m Randomize memory allocations (Bottom-up ASLR) adds entropy to relocations, so their location is randomized and therefore less predictable. This mitigation requires Mandatory ASLR to take effect. -Note that the size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it significantly more difficult for an attacker to guess a location in memory. +The size of the 32-bit address space places practical constraints on the entropy that can be added, and therefore 64-bit applications make it more difficult for an attacker to guess a location in memory. ### Compatibility considerations -Most applications which are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4GB), and thus will be incompatible with the high entropy option (which can be disabled). +Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). ### Configuration options -**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1TB of variance) into the bottom-up allocation for 64-bit applications. +**Don't use high entropy** - this option disables the use of high-entropy ASLR, which adds 24 bits of entropy (1 TB of variance) into the bottom-up allocation for 64-bit applications. > [!Note] > **Randomize memory allocations (Bottom-up ASLR)** has no audit mode. @@ -484,7 +484,7 @@ Most applications which are compatible with Mandatory ASLR (rebasing) will also ### Description -Simulate execution (SimExec) is a mitigation for 32-bit applications only which helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. It then inspects that function and walks backwards in memory to find the preceding CALL instruction to compare if the two match and that the RET hasn't been intercepted. +Simulate execution (SimExec) is a mitigation for 32-bit applications only. This helps validate that calls to sensitive APIs will return to legitimate caller functions. It does this by intercepting calls into sensitive APIs, and then simulating the execution of those APIs by walking through the encoded assembly language instructions looking for the RET instruction, which should return to the caller. It then inspects that function and walks backwards in memory to find the preceding CALL instruction to determine whether the function and CALL instruction match, and that the RET hasn't been intercepted. The APIs intercepted by this mitigation are: @@ -527,19 +527,19 @@ If a ROP gadget is detected, the process is terminated. ### Compatibility considerations -Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. +Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Validate API invocation (CallerCheck) ### Description -Validate API invocation (CallerCheck) is a mitigation for return oriented programming (ROP) techniques which validates that sensitive APIs were called from a valid caller. This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function. +Validate API invocation (CallerCheck) is a mitigation for return-oriented programming (ROP) techniques that validates that sensitive APIs were called from a valid caller. This mitigation inspects the passed return address, and then heuristically disassembles backwards to find a call above the return address to determine if the call target matches the parameter passed into the function. The APIs intercepted by this mitigation are: @@ -582,19 +582,19 @@ If a ROP gadget is detected, the process is terminated. ### Compatibility considerations -Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. +Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Validate exception chains (SEHOP) ### Description -Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured Exception Handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. +Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that: @@ -619,13 +619,13 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic ### Description -*Validate handle usage* is a mitigation which helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). +*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). This mitigation is automatically applied to Windows Store applications. ### Compatibility considerations -Applications which were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation. +Applications that were not accurately tracking handle references, and which were not wrapping these operations in exception handlers, will potentially be impacted by this mitigation. ### Configuration options @@ -656,21 +656,21 @@ This mitigation is already applied by default for 64-bit applications and for 32 ### Description -The *validate image dependency* mitigation helps protect against attacks which attempt to substitute code for dlls which are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH. +The *validate image dependency* mitigation helps protect against attacks that attempt to substitute code for dlls that are statically linked by Windows binaries. The technique of DLL planting abuses the loader's search mechanism to inject malicious code, which can be used to get malicious code running in an elevated context. When the loader is loading a Windows signed binary, and then loads up any dlls that the binary depends on, these binaries will be verified to ensure that they are also digitally signed as a Windows binary. If they fail the signature check, the dll will not be loaded, and will throw an exception, returning a status of STATUS_INVALID_IMAGE_HASH. ### Compatibility considerations -Compatibility issues are uncommon. Applications which depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Compatibility issues are uncommon. Applications that depend on replacing Windows binaries with local private versions will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). ## Validate stack integrity (StackPivot) ### Description -The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack which controls the flow of execution. +The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution. This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. @@ -713,11 +713,11 @@ The APIs intercepted by this mitigation are: ### Compatibility considerations -Applications which are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. -Applications which perform API interception, particularly security software, can cause compatibility problems with this mitigation. +Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Configuration options -**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender ATP](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). +**Audit Only** - You can enable this mitigation in audit mode in order to measure the potential compatibility impact on an application. Audit events can then be viewed either in the event viewer or using Advanced Hunting in [Microsoft Defender for Endpoint](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-overview). diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index e4174dddea..b2ad6f832b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -11,7 +11,7 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 04/02/2019 +ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr @@ -24,14 +24,14 @@ ms.custom: asr **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Exploit protection automatically applies a number of exploit mitigation techniques to operating system processes and apps. Exploit protection is supported beginning with Windows 10, version 1709 and Windows Server, version 1803. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +Exploit protection works best with [Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). You can [enable exploit protection](enable-exploit-protection.md) on an individual device, and then use [Group Policy](import-export-exploit-protection-emet-xml.md) to distribute the XML file to multiple devices at once. @@ -49,9 +49,9 @@ Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](http ## Review exploit protection events in the Microsoft Security Center -Microsoft Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios. +Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios. -You can query Microsoft Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment. +You can query Defender for Endpoint data by using [Advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview). If you're using [audit mode](audit-windows-defender.md), you can use advanced hunting to see how exploit protection settings could affect your environment. Here is an example query: @@ -65,7 +65,7 @@ DeviceEvents You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: |Provider/source | Event ID | Description| -|---|---|---| +|:---|:---|:---| |Security-Mitigations | 1 | ACG audit | |Security-Mitigations | 2 | ACG enforce | |Security-Mitigations | 3 | Do not allow child processes audit | @@ -100,7 +100,7 @@ The mitigations available in EMET are included natively in Windows 10 (starting The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. |Mitigation | Available under exploit protection | Available in EMET | -|---|---|---| +|:---|:---|:---| |Arbitrary code guard (ACG) | yes | yes
    As "Memory Protection Check" | |Block remote images | yes | yes
    As "Load Library Check" | |Block untrusted fonts | yes | yes | @@ -131,8 +131,6 @@ The table in this section indicates the availability and support of native mitig ## See also - [Protect devices from exploits](exploit-protection.md) -- [Evaluate exploit protection](evaluate-exploit-protection.md) -- [Enable exploit protection](enable-exploit-protection.md) - [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) - [Troubleshoot exploit protection](troubleshoot-exploit-protection-mitigations.md) +- [Optimize ASR rule deployment and detections](configure-machines-asr.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 8f4d3dec0e..4bbd942ec8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -1,7 +1,7 @@ --- -title: Use Microsoft Defender Advanced Threat Protection APIs +title: Use Microsoft Defender for Endpoint APIs ms.reviewer: -description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender ATP without a user. +description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,33 +17,33 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Use Microsoft Defender ATP APIs +# Use Microsoft Defender for Endpoint APIs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This page describes how to create an application to get programmatic access to Microsoft Defender ATP on behalf of a user. +This page describes how to create an application to get programmatic access to Defender for Endpoint on behalf of a user. -If you need programmatic access Microsoft Defender ATP without a user, refer to [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md). +If you need programmatic access Microsoft Defender for Endpoint without a user, refer to [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md). If you are not sure which access you need, read the [Introduction page](apis-intro.md). -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an AAD application - Get an access token using this application -- Use the token to access Microsoft Defender ATP API +- Use the token to access Defender for Endpoint API -This page explains how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token. +This page explains how to create an AAD application, get an access token to Microsoft Defender for Endpoint and validate the token. >[!NOTE] -> When accessing Microsoft Defender ATP API on behalf of a user, you will need the correct Application permission and user permission. -> If you are not familiar with user permissions on Microsoft Defender ATP, see [Manage portal access using role-based access control](rbac.md). +> When accessing Microsoft Defender for Endpoint API on behalf of a user, you will need the correct Application permission and user permission. +> If you are not familiar with user permissions on Microsoft Defender for Endpoint, see [Manage portal access using role-based access control](rbac.md). >[!TIP] > If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. @@ -56,54 +56,54 @@ This page explains how to create an AAD application, get an access token to Micr ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app2.png) -3. In the registration from, enter the following information then click **Register**. +3. In the registration from, enter the following information then select **Register**. ![Image of Create application window](images/nativeapp-create2.png) - **Name:** -Your application name- - **Application type:** Public client -4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission: +4. Allow your Application to access Microsoft Defender for Endpoint and assign it 'Read alerts' permission: - - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. + - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![add permission](images/add-permission.png) - - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions** + - Choose **Delegated permissions** > **Alert.Read** > select **Add permissions** - ![Image of API access and API selection](images/application-permissions-public-client.png) + ![application permissions](images/application-permissions-public-client.png) - - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example! + - **Important note**: Select the relevant permissions. Read alerts is only an example. For instance, - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - To [isolate a device](isolate-machine.md), select 'Isolate machine' permission - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + - To determine which permission you need, view the **Permissions** section in the API you are interested to call. - - Click **Grant consent** + - Select **Grant consent** - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. + **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect. ![Image of Grant permissions](images/grant-consent.png) 6. Write down your application ID and your tenant ID: - - On your application page, go to **Overview** and copy the following: + - On your application page, go to **Overview** and copy the following information: ![Image of created app id](images/app-and-tenant-ids.png) ## Get an access token -For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +For more information on AAD tokens, see [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) ### Using C# - Copy/Paste the below class in your application. -- Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token. +- Use **AcquireUserTokenAsync** method with your application ID, tenant ID, user name, and password to acquire a token. ```csharp namespace WindowsDefenderATP @@ -145,18 +145,18 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co ## Validate the token -Sanity check to make sure you got a correct token: +Verify to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you got in the previous step in order to decode it - Validate you get a 'scp' claim with the desired app permissions -- In the screen shot below you can see a decoded token acquired from the app in the tutorial: +- In the screenshot below you can see a decoded token acquired from the app in the tutorial: ![Image of token validation](images/nativeapp-decoded-token.png) -## Use the token to access Microsoft Defender ATP API +## Use the token to access Microsoft Defender for Endpoint API -- Choose the API you want to use - [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- Choose the API you want to use - [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme) -- The Expiration time of the token is 1 hour (you can send more then one request with the same token) +- The Expiration time of the token is 1 hour (you can send more than one request with the same token) - Example of sending a request to get a list of alerts **using C#** @@ -172,6 +172,6 @@ Sanity check to make sure you got a correct token: // Do something useful with the response ``` -## Related topics -- [Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP with application context](exposed-apis-create-app-webapp.md) +## See also +- [Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint with application context](exposed-apis-create-app-webapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index 2b71b7c2cf..e2de608fbd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -1,7 +1,7 @@ --- -title: Create an Application to access Microsoft Defender ATP without a user +title: Create an Application to access Microsoft Defender for Endpoint without a user ms.reviewer: -description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user. +description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,30 +17,30 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Partner access through Microsoft Defender ATP APIs +# Partner access through Microsoft Defender for Endpoint APIs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +This page describes how to create an Azure Active Directory (Azure AD) application to get programmatic access to Microsoft Defender for Endpoint on behalf of your customers. -This page describes how to create an AAD application to get programmatic access to Microsoft Defender ATP on behalf of your customers. -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: -- Create a **multi-tenant** AAD application. -- Get authorized(consent) by your customer administrator for your application to access Microsoft Defender ATP resources it needs. +- Create a **multi-tenant** Azure AD application. +- Get authorized(consent) by your customer administrator for your application to access Defender for Endpoint resources it needs. - Get an access token using this application. -- Use the token to access Microsoft Defender ATP API. +- Use the token to access Microsoft Defender for Endpoint API. -The following steps with guide you how to create an AAD application, get an access token to Microsoft Defender ATP and validate the token. +The following steps will guide you how to create an Azure AD application, get an access token to Microsoft Defender for Endpoint and validate the token. ## Create the multi-tenant app -1. Log on to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role. +1. Sign in to your [Azure tenant](https://portal.azure.com) with user that has **Global Administrator** role. 2. Navigate to **Azure Active Directory** > **App registrations** > **New registration**. @@ -57,17 +57,17 @@ The following steps with guide you how to create an AAD application, get an acce ![Image of Microsoft Azure partner application registration](images/atp-api-new-app-partner.png) -4. Allow your Application to access Microsoft Defender ATP and assign it with the minimal set of permissions required to complete the integration. +4. Allow your Application to access Microsoft Defender for Endpoint and assign it with the minimal set of permissions required to complete the integration. - - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. + - On your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and select on **WindowsDefenderATP**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + - **Note**: *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![add permission](images/add-permission.png) ### Request API permissions - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. For instance: + To determine which permission you need, review the **Permissions** section in the API you are interested to call. For instance: - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission @@ -75,20 +75,20 @@ The following steps with guide you how to create an AAD application, get an acce In the following example we will use **'Read all alerts'** permission: - Choose **Application permissions** > **Alert.Read.All** > Click on **Add permissions** + Choose **Application permissions** > **Alert.Read.All** > select on **Add permissions** - ![Image of API access and API selection](images/application-permissions.png) + ![app permissions](images/application-permissions.png) -5. Click **Grant consent** +5. Select **Grant consent** - - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. + - **Note**: Every time you add permission you must select on **Grant consent** for the new permission to take effect. ![Image of Grant permissions](images/grant-consent.png) 6. Add a secret to the application. - - Click **Certificates & secrets**, add description to the secret and click **Add**. + - Select **Certificates & secrets**, add description to the secret and select **Add**. **Important**: After click Add, **copy the generated secret value**. You won't be able to retrieve after you leave! @@ -96,15 +96,15 @@ The following steps with guide you how to create an AAD application, get an acce 7. Write down your application ID: - - On your application page, go to **Overview** and copy the following: + - On your application page, go to **Overview** and copy the following information: ![Image of created app id](images/app-id.png) 8. Add the application to your customer's tenant. - You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender ATP application on behalf of your customer. + You need your application to be approved in each customer tenant where you intend to use it. This is because your application interacts with Microsoft Defender for Endpoint application on behalf of your customer. - A user with **Global Administrator** from your customer's tenant need to click the consent link and approve your application. + A user with **Global Administrator** from your customer's tenant need to select the consent link and approve your application. Consent link is of the form: @@ -114,7 +114,7 @@ The following steps with guide you how to create an AAD application, get an acce Where 00000000-0000-0000-0000-000000000000 should be replaced with your Application ID - After clicking on the consent link, login with the Global Administrator of the customer's tenant and consent the application. + After clicking on the consent link, sign in with the Global Administrator of the customer's tenant and consent the application. ![Image of consent](images/app-consent-partner.png) @@ -123,11 +123,11 @@ The following steps with guide you how to create an AAD application, get an acce - **Done!** You have successfully registered an application! - See examples below for token acquisition and validation. -## Get an access token examples: +## Get an access token example: -**Note:** to get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions. +**Note:** To get access token on behalf of your customer, use the customer's tenant ID on the following token acquisitions. -
    For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) +
    For more information on AAD token, see [AAD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) ### Using PowerShell @@ -158,14 +158,14 @@ return $token >The below code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory - Create a new Console Application -- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) +- Install NuGet [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) - Add the below using ``` using Microsoft.IdentityModel.Clients.ActiveDirectory; ``` -- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```) +- Copy/Paste the below code in your application (do not forget to update the three variables: ```tenantId, appId, appSecret```) ``` string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here @@ -194,7 +194,7 @@ Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) - Open a command window - Set CLIENT_ID to your Azure application ID - Set CLIENT_SECRET to your Azure application secret -- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender ATP application +- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access Microsoft Defender for Endpoint application - Run the below command: ``` @@ -212,16 +212,16 @@ You will get an answer of the form: Sanity check to make sure you got a correct token: - Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it - Validate you get a 'roles' claim with the desired permissions -- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender ATP: +- In the screenshot below, you can see a decoded token acquired from an Application with multiple permissions to Microsoft Defender for Endpoint: - The "tid" claim is the tenant ID the token belongs to. ![Image of token validation](images/webapp-decoded-token.png) -## Use the token to access Microsoft Defender ATP API +## Use the token to access Microsoft Defender for Endpoint API -- Choose the API you want to use, for more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) +- Choose the API you want to use, for more information, see [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) - Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme) -- The Expiration time of the token is 1 hour (you can send more then one request with the same token) +- The Expiration time of the token is 1 hour (you can send more than one request with the same token) - Example of sending a request to get a list of alerts **using C#** ``` @@ -236,6 +236,6 @@ Sanity check to make sure you got a correct token: // Do something useful with the response ``` -## Related topics -- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) +## See also +- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index e4a7458f08..a7584847f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -1,7 +1,7 @@ --- -title: Create an app to access Microsoft Defender ATP without a user +title: Create an app to access Microsoft Defender for Endpoint without a user ms.reviewer: -description: Learn how to design a web app to get programmatic access to Microsoft Defender ATP without a user. +description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,25 +17,25 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Create an app to access Microsoft Defender ATP without a user +# Create an app to access Microsoft Defender for Endpoint without a user [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -This page describes how to create an application to get programmatic access to Microsoft Defender ATP without a user. If you need programmatic access to Microsoft Defender ATP on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md). +This page describes how to create an application to get programmatic access to Defender for Endpoint without a user. If you need programmatic access to Defender for Endpoint on behalf of a user, see [Get access with user context](exposed-apis-create-app-nativeapp.md). If you are not sure which access you need, see [Get started](apis-intro.md). -Microsoft Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Microsoft Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Microsoft Defender for Endpoint exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate work flows and innovate based on Defender for Endpoint capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an Azure Active Directory (Azure AD) application. - Get an access token using this application. -- Use the token to access Microsoft Defender ATP API. +- Use the token to access Defender for Endpoint API. -This article explains how to create an Azure AD application, get an access token to Microsoft Defender ATP, and validate the token. +This article explains how to create an Azure AD application, get an access token to Microsoft Defender for Endpoint, and validate the token. ## Create an app @@ -47,29 +47,29 @@ This article explains how to create an Azure AD application, get an access token 3. In the registration form, choose a name for your application, and then select **Register**. -4. To enable your app to access Microsoft Defender ATP and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**. +4. To enable your app to access Defender for Endpoint and assign it **'Read all alerts'** permission, on your application page, select **API Permissions** > **Add permission** > **APIs my organization uses** >, type **WindowsDefenderATP**, and then select **WindowsDefenderATP**. > [!NOTE] - > WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + > *WindowsDefenderATP* does not appear in the original list. Start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![add permission](images/add-permission.png) - Select **Application permissions** > **Alert.Read.All**, and then select **Add permissions**. - ![Image of API access and API selection](images/application-permissions.png) + ![app permission](images/application-permissions.png) - Note that you need to select the relevant permissions. 'Read All Alerts' is only an example. For instance: + You need to select the relevant permissions. 'Read All Alerts' is only an example. For instance: - To [run advanced queries](run-advanced-query-api.md), select the 'Run advanced queries' permission. - To [isolate a device](isolate-machine.md), select the 'Isolate machine' permission. - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + - To determine which permission you need, look at the **Permissions** section in the API you are interested to call. 5. Select **Grant consent**. > [!NOTE] > Every time you add a permission, you must select **Grant consent** for the new permission to take effect. - ![Image of Grant permissions](images/grant-consent.png) + ![Grant permissions](images/grant-consent.png) 6. To add a secret to the application, select **Certificates & secrets**, add a description to the secret, and then select **Add**. @@ -82,13 +82,13 @@ This article explains how to create an Azure AD application, get an access token ![Image of created app id](images/app-and-tenant-ids.png) -8. **For Microsoft Defender ATP Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted: +8. **For Microsoft Defender for Endpoint Partners only**. Set your app to be multi-tenanted (available in all tenants after consent). This is **required** for third-party apps (for example, if you create an app that is intended to run in multiple customers' tenant). This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data). To set your app to be multi-tenanted: - - Go to **Authentication**, and add https://portal.azure.com as the **Redirect URI**. + - Go to **Authentication**, and add `https://portal.azure.com` as the **Redirect URI**. - On the bottom of the page, under **Supported account types**, select the **Accounts in any organizational directory** application consent for your multi-tenant app. - You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Microsoft Defender ATP on behalf of your customer. + You need your application to be approved in each tenant where you intend to use it. This is because your application interacts Defender for Endpoint on behalf of your customer. You (or your customer if you are writing a third-party app) need to select the consent link and approve your app. The consent should be done with a user who has administrative privileges in Active Directory. @@ -105,7 +105,7 @@ This article explains how to create an Azure AD application, get an access token ## Get an access token -For more details on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds). +For more information on Azure AD tokens, see the [Azure AD tutorial](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds). ### Use PowerShell @@ -133,10 +133,10 @@ return $token ### Use C#: -The following code was tested with Nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8. +The following code was tested with NuGet Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8. 1. Create a new console application. -1. Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). +1. Install NuGet [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/). 1. Add the following: ``` @@ -171,7 +171,7 @@ See [Get token using Python](run-advanced-query-sample-python.md#get-token). 1. Open a command prompt, and set CLIENT_ID to your Azure application ID. 1. Set CLIENT_SECRET to your Azure application secret. -1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Microsoft Defender ATP. +1. Set TENANT_ID to the Azure tenant ID of the customer that wants to use your app to access Defender for Endpoint. 1. Run the following command: ``` @@ -190,18 +190,18 @@ Ensure that you got the correct token: 1. Copy and paste the token you got in the previous step into [JWT](https://jwt.ms) in order to decode it. 1. Validate that you get a 'roles' claim with the desired permissions -1. In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender ATP's roles: +1. In the following image, you can see a decoded token acquired from an app with permissions to all of Microsoft Defender for Endpoint's roles: ![Image of token validation](images/webapp-decoded-token.png) -## Use the token to access Microsoft Defender ATP API +## Use the token to access Microsoft Defender for Endpoint API -1. Choose the API you want to use. For more information, see [Supported Microsoft Defender ATP APIs](exposed-apis-list.md). +1. Choose the API you want to use. For more information, see [Supported Defender for Endpoint APIs](exposed-apis-list.md). 1. Set the authorization header in the http request you send to "Bearer {token}" (Bearer is the authorization scheme). -1. The expiration time of the token is one hour. You can send more then one request with the same token. +1. The expiration time of the token is one hour. You can send more than one request with the same token. The following is an example of sending a request to get a list of alerts **using C#**: - ``` +``` var httpClient = new HttpClient(); var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); @@ -211,8 +211,8 @@ The following is an example of sending a request to get a list of alerts **using var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); // Do something useful with the response - ``` +``` -## Related topics -- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md) -- [Access Microsoft Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) +## See also +- [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) +- [Access Microsoft Defender for Endpoint on behalf of a user](exposed-apis-create-app-nativeapp.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 1ad142d2e4..31142c2936 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -1,7 +1,7 @@ --- -title: Advanced Hunting with Powershell API Guide +title: Advanced Hunting with PowerShell API Guide ms.reviewer: -description: Use these code samples, querying several Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs. +description: Use these code samples, querying several Microsoft Defender for Endpoint APIs. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -18,19 +18,19 @@ ms.topic: article ms.date: 09/24/2018 --- -# Microsoft Defender ATP APIs using PowerShell +# Microsoft Defender for Endpoint APIs using PowerShell [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Full scenario using multiple APIs from Microsoft Defender ATP. +Full scenario using multiple APIs from Microsoft Defender for Endpoint. -In this section we share PowerShell samples to +In this section, we share PowerShell samples to - Retrieve a token -- Use token to retrieve the latest alerts in Microsoft Defender ATP +- Use token to retrieve the latest alerts in Microsoft Defender for Endpoint - For each alert, if the alert has medium or high priority and is still in progress, check how many times the device has connected to suspicious URL. **Prerequisite**: You first need to [create an app](apis-intro.md). @@ -43,15 +43,16 @@ In this section we share PowerShell samples to Set-ExecutionPolicy -ExecutionPolicy Bypass ``` -For more details, refer to [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) +For more information, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) ## Get token Run the below: - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) -- $appSecret: Secret of your AAD app +- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Defender for Endpoint) +- $appSecret: Secret of your Azure AD app + - $suspiciousUrl: The URL @@ -116,7 +117,7 @@ $response ``` -## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +## See also +- [Microsoft Defender for Endpoint APIs](apis-intro.md) - [Advanced Hunting API](run-advanced-query-api.md) - [Advanced Hunting using Python](run-advanced-query-sample-python.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index d5115891d3..785ac39e0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -1,7 +1,7 @@ --- -title: Supported Microsoft Defender Advanced Threat Protection APIs +title: Supported Microsoft Defender for Endpoint APIs ms.reviewer: -description: Learn about the specific supported Microsoft Defender Advanced Threat Protection entities where you can create API calls to. +description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. keywords: apis, supported apis, actor, alerts, device, user, domain, ip, file, advanced queries, advanced hunting search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,18 +17,18 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Supported Microsoft Defender ATP APIs +# Supported Microsoft Defender for Endpoint APIs [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -## End Point URI and Versioning +## Endpoint URI and versioning -### End Point URI: +### Endpoint URI: > The service base URI is: https://api.securitycenter.windows.com > @@ -40,7 +40,7 @@ ms.topic: article > > The current version is **V1.0**. > -> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts +> To use a specific version, use this format: `https://api.securitycenter.windows.com/api/{Version}`. For example: `https://api.securitycenter.windows.com/api/v1.0/alerts` > > If you don't specify any version (e.g. https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. @@ -53,17 +53,17 @@ Topic | Description :---|:--- Advanced Hunting | Run queries from API. Alerts | Run API calls such as get alerts, create alert, update alert and more. -Domains | Run API calls such as get domain related devices, domain statistics and more. +Domains | Run API calls such as get domain-related devices, domain statistics and more. Files | Run API calls such as get file information, file related alerts, file related devices, and file statistics. -IPs | Run API calls such as get IP related alerts and get IP statistics. +IPs | Run API calls such as get IP-related alerts and get IP statistics. Machines | Run API calls such as get devices, get devices by ID, information about logged on users, edit tags and more. Machine Actions | Run API call such as Isolation, Run anti-virus scan and more. Indicators | Run API call such as create Indicator, get Indicators and delete Indicators. -Users | Run API calls such as get user related alerts and user related devices. +Users | Run API calls such as get user-related alerts and user-related devices. Score | Run API calls such as get exposure score or get device secure score. Software | Run API calls such as list vulnerabilities by software. Vulnerability | Run API calls such as list devices by vulnerability. -Recommendation | Run API calls such as Get recommendation by Id. +Recommendation | Run API calls such as Get recommendation by ID. -## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +## See also +- [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index e5f5fcad0b..b4a487ffbe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -1,7 +1,7 @@ --- -title: OData queries with Microsoft Defender ATP +title: OData queries with Microsoft Defender for Endpoint ms.reviewer: -description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP. +description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint. keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -17,14 +17,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# OData queries with Microsoft Defender ATP +# OData queries with Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) @@ -320,7 +320,7 @@ HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen g ### Example 6 -Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint ```http HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' @@ -364,5 +364,5 @@ HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415 4 ``` -## Related topic -- [Microsoft Defender ATP APIs](apis-intro.md) +## See also +- [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md index 0d0ee850c5..b5ac0c1ea5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -1,7 +1,7 @@ --- title: Feedback-loop blocking -description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender ATP -keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender ATP +description: Feedback-loop blocking, also called rapid protection, is part of behavioral blocking and containment capabilities in Microsoft Defender for Endpoint +keywords: behavioral blocking, rapid protection, feedback blocking, Microsoft Defender for Endpoint search.product: eADQiWindows 10XVcnh ms.pagetype: security author: denisebmsft @@ -25,11 +25,11 @@ ms.collection: **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Overview -Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. +Feedback-loop blocking, also referred to as rapid protection, is a component of [behavioral blocking and containment capabilities](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/). With feedback-loop blocking, devices across your organization are better protected from attacks. ## How feedback-loop blocking works @@ -40,11 +40,11 @@ With rapid protection in place, an attack can be stopped on a device, other devi ## Configuring feedback-loop blocking -If your organization is using Microsoft Defender ATP, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Microsoft Defender ATP capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Microsoft Defender ATP are enabled and configured: +If your organization is using Defender for Endpoint, feedback-loop blocking is enabled by default. However, rapid protection occurs through a combination of Defender for Endpoint capabilities, machine learning protection features, and signal-sharing across Microsoft security services. Make sure the following features and capabilities of Defender for Endpoint are enabled and configured: -- [Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) +- [Microsoft Defender for Endpoint baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline) -- [Devices onboarded to Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) +- [Devices onboarded to Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure) - [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) @@ -58,4 +58,4 @@ If your organization is using Microsoft Defender ATP, feedback-loop blocking is - [(Blog) Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection/) -- [Helpful Microsoft Defender ATP resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) +- [Helpful Microsoft Defender for Endpoint resources](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/helpful-resources) diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md index d21ad49611..a4f175566c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md @@ -24,9 +24,9 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >[!NOTE] @@ -39,7 +39,7 @@ There are two ways you can fetch alerts: ## Fetch alerts into your SIEM -To fetch alerts into your SIEM system you'll need to take the following steps: +To fetch alerts into your SIEM system, you'll need to take the following steps: Step 1: Create a third-party application @@ -47,21 +47,15 @@ Step 2: Get access and refresh tokens from your customer's tenant Step 3: allow your application on Microsoft Defender Security Center - - - ### Step 1: Create an application in Azure Active Directory (Azure AD) -You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender ATP tenant. - +You'll need to create an application and grant it permissions to fetch alerts from your customer's Microsoft Defender for Endpoint tenant. 1. Sign in to the [Azure AD portal](https://aad.portal.azure.com/). 2. Select **Azure Active Directory** > **App registrations**. - 3. Click **New registration**. - 4. Specify the following values: @@ -80,7 +74,6 @@ You'll need to create an application and grant it permissions to fetch alerts fr 9. Click **New client secret**. - - Description: Enter a description for the key. - Expires: Select **In 1 year** @@ -163,12 +156,10 @@ After providing your credentials, you'll need to grant consent to the applicatio 7. You'll be asked to provide your credentials and consent. Ignore the page redirect. 8. In the PowerShell window, you'll receive an access token and a refresh token. Save the refresh token to configure your SIEM connector. - ### Step 3: Allow your application on Microsoft Defender Security Center You'll need to allow the application you created in Microsoft Defender Security Center. - You'll need to have **Manage portal system settings** permission to allow the application. Otherwise, you'll need to request your customer to allow the application for you. 1. Go to `https://securitycenter.windows.com?tid=` (replace \ with the customer's tenant ID. @@ -182,10 +173,10 @@ You'll need to have **Manage portal system settings** permission to allow the ap 5. Click **Authorize application**. -You can now download the relevant configuration file for your SIEM and connect to the Microsoft Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem.md). +You can now download the relevant configuration file for your SIEM and connect to the Defender for Endpoint API. For more information, see, [Pull alerts to your SIEM tools](configure-siem.md). -- In the ArcSight configuration file / Splunk Authentication Properties file ? you will have to write your application key manually by settings the secret value. +- In the ArcSight configuration file / Splunk Authentication Properties file, write your application key manually by setting the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs @@ -193,7 +184,7 @@ You can now download the relevant configuration file for your SIEM and connect t For information on how to fetch alerts using REST API, see [Pull alerts using REST API](pull-alerts-using-rest-api.md). -## Related topics +## See also - [Grant MSSP access to the portal](grant-mssp-access.md) - [Access the MSSP customer portal](access-mssp-portal.md) - [Configure alert notifications](configure-mssp-notifications.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 2b27cae459..6289c8645b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -1,6 +1,6 @@ --- title: File resource type -description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts related to files. +description: Retrieve recent Microsoft Defender for Endpoint alerts related to files. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,11 +21,11 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Represent a file entity in Microsoft Defender ATP. +Represent a file entity in Defender for Endpoint. ## Methods Method|Return Type |Description @@ -37,24 +37,24 @@ Method|Return Type |Description ## Properties -Property | Type | Description -:---|:---|:--- -sha1 | String | Sha1 hash of the file content -sha256 | String | Sha256 hash of the file content -globalPrevalence | Nullable long | File prevalence across organization -globalFirstObserved | DateTimeOffset | First time the file was observed. -globalLastObserved | DateTimeOffset | Last time the file was observed. -size | Nullable long | Size of the file. -fileType | String | Type of the file. -isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) -filePublisher | String | File publisher. -fileProductName | String | Product name. -signer | String | File signer. -issuer | String | File issuer. -signerHash | String | Hash of the signing certificate. -isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender ATP agent. -determinationType | String | The determination type of the file. -determinationValue | String | Determination value. +|Property | Type | Description | +|:---|:---|:---| +|sha1 | String | Sha1 hash of the file content | +|sha256 | String | Sha256 hash of the file content | +|globalPrevalence | Nullable long | File prevalence across organization | +|globalFirstObserved | DateTimeOffset | First time the file was observed | +|globalLastObserved | DateTimeOffset | Last time the file was observed | +|size | Nullable long | Size of the file | +|fileType | String | Type of the file | +|isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) | +|filePublisher | String | File publisher | +|fileProductName | String | Product name | +|signer | String | File signer | +|issuer | String | File issuer | +|signerHash | String | Hash of the signing certificate | +|isValidCertificate | Boolean | Was signing certificate successfully verified by Microsoft Defender for Endpoint agent | +|determinationType | String | The determination type of the file | +|determinationValue | String | Determination value | ## Json representation diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md index d0690e63d2..0d640fa36f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Find a device by internal IP. @@ -31,7 +31,7 @@ Find a device by internal IP. >The timestamp must be within the last 30 days. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index e4a3b8ac99..3db35c6164 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Find [Machines](machine.md) seen with the requested internal IP in the time rang ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -66,8 +66,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and machines were found - 200 OK with list of the machines in the response body. -If no machine found - 404 Not Found. +If successful - 200 OK with list of the machines in the response body. If the timestamp is not in the past 30 days - 400 Bad Request. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index 9afb49c31b..ce92f63d99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -1,5 +1,5 @@ --- -title: Fix unhealthy sensors in Microsoft Defender ATP +title: Fix unhealthy sensors in Microsoft Defender for Endpoint description: Fix device sensors that are reporting as misconfigured or inactive so that the service receives data from the device. keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh @@ -15,22 +15,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article -ms.date: 10/23/2017 +ms.date: 11/06/2020 --- -# Fix unhealthy sensors in Microsoft Defender ATP +# Fix unhealthy sensors in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - - - ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-fixsensor-abovefoldlink) Devices that are categorized as misconfigured or inactive can be flagged due to varying causes. This section provides some explanations as to what might have caused a device to be categorized as inactive or misconfigured. @@ -38,19 +33,18 @@ Devices that are categorized as misconfigured or inactive can be flagged due to An inactive device is not necessarily flagged due to an issue. The following actions taken on a device can cause a device to be categorized as inactive: -**Device is not in use**
    -If the device has not been in use for more than 7 days for any reason, it will remain in an ‘Inactive’ status in the portal. +### Device is not in use -**Device was reinstalled or renamed**
    -A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Microsoft Defender ATP package, search for the new device name to verify that the device is reporting normally. +If the device has not been in use for more than seven days for any reason, it will remain in an ‘Inactive’ status in the portal. -**Device was offboarded**
    -If the device was offboarded it will still appear in devices list. After 7 days, the device health state should change to inactive. +### Device was reinstalled or renamed +A reinstalled or renamed device will generate a new device entity in Microsoft Defender Security Center. The previous device entity will remain with an ‘Inactive’ status in the portal. If you reinstalled a device and deployed the Defender for Endpoint package, search for the new device name to verify that the device is reporting normally. +### Device was offboarded +If the device was offboarded, it will still appear in devices list. After seven days, the device health state should change to inactive. -**Device is not sending signals** -If the device is not sending any signals for more than 7 days to any of the Microsoft Defender ATP channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive. - +### Device is not sending signals +If the device is not sending any signals for more than seven days to any of the Microsoft Defender for Endpoint channels for any reason including conditions that fall under misconfigured devices classification, a device can be considered inactive. Do you expect a device to be in ‘Active’ status? [Open a support ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). @@ -65,10 +59,10 @@ This status indicates that there's limited communication between the device and The following suggested actions can help fix issues related to a misconfigured device with impaired communications: - [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)
    - The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. -- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
    - Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. +- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
    + Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). @@ -77,18 +71,18 @@ A misconfigured device with status ‘No sensor data’ has communication with t Follow theses actions to correct known issues related to a misconfigured device with status ‘No sensor data’: - [Ensure the device has Internet connection](troubleshoot-onboarding.md#troubleshoot-onboarding-issues-on-the-device)
    - The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. + The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service. -- [Verify client connectivity to Microsoft Defender ATP service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
    - Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender ATP service URLs. +- [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls)
    + Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Microsoft Defender for Endpoint service URLs. - [Ensure the diagnostic data service is enabled](troubleshoot-onboarding.md#ensure-the-diagnostics-service-is-enabled)
    If the devices aren't reporting correctly, you might need to check that the Windows 10 diagnostic data service is set to automatically start and is running on the endpoint. - [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy)
    -If your devices are running a third-party antimalware client, the Microsoft Defender ATP agent needs the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. +If your devices are running a third-party antimalware client, the Defender for Endpoint agent needs the Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver to be enabled. If you took corrective actions and the device status is still misconfigured, [open a support ticket](https://go.microsoft.com/fwlink/?LinkID=761093&clcid=0x409). -## Related topic -- [Check sensor health state in Microsoft Defender ATP](check-sensor-status.md) +## See also +- [Check sensor health state in Microsoft Defender for Endpoint](check-sensor-status.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index d5ed580340..14a50992e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -1,6 +1,6 @@ --- title: Get alert information by ID API -description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 6b256610ed..e9d18d97e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves all domains related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 5ac0f2d01a..6e61e17504 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -1,6 +1,6 @@ --- title: Get alert related files information -description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related files search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint ](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves all files related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index 9b841e71af..62db50d08a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -1,6 +1,6 @@ --- title: Get alert related IPs information -description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related ip search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves all IPs related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index 94132932d5..98f64ac8d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -1,6 +1,6 @@ --- title: Get alert related machine information -description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). +description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related device search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves [Device](machine.md) related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index 4c54267d9a..3e96ce7383 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves the User related to a specific alert. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index e0b7e0c358..a7c825d739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -1,6 +1,6 @@ --- title: List alerts API -description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -34,7 +34,7 @@ Retrieves a collection of Alerts.
    ```$top``` with max value of 10,000
    ```$skip```
    ```$expand``` of ```evidence``` -
    See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +
    See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations @@ -44,7 +44,7 @@ Retrieves a collection of Alerts. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -262,5 +262,5 @@ Here is an example of the response. ``` -## Related topics -- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +## See also +- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index c49e958dfb..a5cde6e4a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a list of all security recommendations affecting the organization. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- @@ -105,7 +105,7 @@ Here is an example of the response. ] } ``` -## Related topics +## See also - [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability security recommendation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index f3be9540c4..f2de05191d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a list of all the vulnerabilities affecting the organization per [machine](machine.md) and [software](software.md). - If the vulnerability has a fixing KB, it will appear in the response. @@ -32,7 +32,7 @@ Retrieves a list of all the vulnerabilities affecting the organization per [mach >This is great API for [Power BI integration](api-power-bi.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- @@ -103,7 +103,7 @@ Here is an example of the response. } ``` -## Related topics +## See also - [Risk-based threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index 262c80a1bf..9847c928d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a list of all the vulnerabilities affecting the organization. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- @@ -94,6 +94,6 @@ Here is an example of the response. } ``` -## Related topics +## See also - [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index d4dac32b7b..7a5a5aacb3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -1,6 +1,6 @@ --- title: Get CVE-KB map API -description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's to KB's and CVE details in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, cve, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -25,7 +25,7 @@ ROBOTS: NOINDEX **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a map of CVE's to KB's and CVE details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index 2c896a9943..e14a6859a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -21,15 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). A higher Microsoft Secure Score for Devices means your endpoints are more resilient from cybersecurity threat attacks. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- @@ -81,6 +81,6 @@ Here is an example of the response. } ``` -## Related topics +## See also -- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 10ff59d2ea..5b16a71cfc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -22,13 +22,13 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a collection of discovered vulnerabilities related to a given device ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -91,7 +91,7 @@ Here is an example of the response. } ``` -## Related topics +## See also - [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Vulnerabilities in your organization](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 59c2587cda..26fdbad6f4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get domain related alerts API -description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves a collection of [Alerts](alerts.md) related to a given domain address. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index 662f9724e7..bda2a9024c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -1,6 +1,6 @@ --- title: Get domain related machines API -description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, related, devices search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint(https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index efb793f5cc..cb49efb465 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -1,6 +1,6 @@ --- title: Get domain statistics API -description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, domain related devices search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves the statistics on the given domain. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index 77c92c030f..43d7ac20e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -31,7 +31,7 @@ Retrieves the organizational exposure score. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -84,7 +84,7 @@ Here is an example of the response. ``` -## Related topics +## See also - [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability exposure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index db6f1f2f72..61ab343580 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -1,6 +1,6 @@ --- title: Get file information API -description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves a [File](files.md) by identifier Sha1, or Sha256 ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index 7ccb81730f..d1c53228ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get file related alerts API -description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, hash search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves a collection of alerts related to a given file hash. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 09aef678f7..c60f272c69 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -1,6 +1,6 @@ --- title: Get file related machines API -description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, devices, hash search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves a collection of [Machines](machine.md) related to a given file hash. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index 9f480df6b7..59f525f594 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -1,6 +1,6 @@ --- title: Get file statistics API -description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender Advanced Threat Protection. +description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, statistics search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves the statistics for the given file. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 79f263d9b0..293d458f27 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a collection of installed software related to a given device ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -87,6 +87,7 @@ Here is an example of the response. } ``` -## Related topics +## See also + - [Risk-based Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) - [Threat & Vulnerability software inventory](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index 676eba4bd3..296f7c81ce 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -21,16 +21,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Retrieves a collection of [Investigations](investigation.md).
    Supports [OData V4 queries](https://www.odata.org/documentation/).
    The OData's ```$filter``` query is supported on: ```startTime```, ```state```, ```machineId``` and ```triggeringAlertId``` properties. -
    See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +
    See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations @@ -39,7 +39,7 @@ Retrieves a collection of [Investigations](investigation.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md index 99fd6a043d..6953ccabba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md @@ -21,10 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Retrieves specific [Investigation](investigation.md) by its ID. @@ -36,7 +35,7 @@ Retrieves specific [Investigation](investigation.md) by its ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index c8a2ab1f94..6d078cbf15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves a collection of alerts related to a given IP address. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index ffd9485045..b58fd359e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves the statistics for the given IP. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index d41005cb74..e7ac39a93c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -25,7 +25,7 @@ ROBOTS: NOINDEX **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a collection of KB's and KB details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index 3cc89cd33b..30fd9d4263 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index 92b5fae137..112ed575be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -16,14 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# List exposure score by device group - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] +# List exposure score by device group + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -31,7 +31,7 @@ Retrieves a collection of alerts related to a given domain address. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index e673d96cf0..137fc569cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -1,6 +1,6 @@ --- -title: Get machine log on users API -description: Learn how to use the Get machine log on users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection. +title: Get machine logon users API +description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, device, log on, users search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,14 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get machine log on users API +# Get machine logon users API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Retrieves a collection of logged on users on a specific device. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -45,8 +45,8 @@ Delegated (work or school account) | User.Read.All | 'Read user profiles' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include users only if the device is visible to the user, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +>- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md) ) +>- Response will include users only if the device is visible to the user, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md). ## HTTP request ```http @@ -64,7 +64,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and device exist - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found. +If successful and device exists - 200 OK with list of [user](user.md) entities in the body. If device was not found - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index f47cdd76d2..49e6162ab5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index b7a20c7b89..dc294c9002 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves specific [Machine Action](machineaction.md) by its ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index 5569002ec3..026a5fe161 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -21,16 +21,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Retrieves a collection of [Machine Actions](machineaction.md).
    Supports [OData V4 queries](https://www.odata.org/documentation/).
    The OData's ```$filter``` query is supported on: ```status```, ```machineId```, ```type```, ```requestor``` and ```creationDateTimeUtc``` properties. -
    See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +
    See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations @@ -39,7 +39,7 @@ Retrieves a collection of [Machine Actions](machineaction.md). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -193,4 +193,4 @@ Content-type: application/json ``` ## Related topics -- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md index ff88b78222..93f27a6093 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md @@ -25,7 +25,7 @@ ms.date: 10/07/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a collection of RBAC device groups. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index d3c3f50dca..7490907216 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -23,14 +23,14 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieve a list of device references that has this software installed. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index 02ea057f59..bbd94f8b8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -21,14 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a list of devices affected by a vulnerability. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 6f6c6177e9..aef7e2789a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -21,16 +21,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description -Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender ATP cloud. +Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud.
    Supports [OData V4 queries](https://www.odata.org/documentation/).
    The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. -
    See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +
    See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations @@ -122,4 +122,4 @@ Content-type: application/json ``` ## Related topics -- [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +- [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 0da42db679..aba82de482 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieves a collection of devices security states. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 510c7516c2..52846f5bdf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves missing KBs (security updates) by device ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index 6b6bf2db5f..21506f3767 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -21,15 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves missing KBs (security updates) by software ID ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index a43102c733..ffd04c4f62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index b7bc3ab58f..ef3203f244 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -20,8 +20,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index 2bdfb4a6e4..079ab2c449 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -21,14 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a list of devices associated with the security recommendation. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index 449bb2bd1d..0656c420e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -21,14 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a security recommendation related to a specific software. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 156cef803c..95b525bf6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -21,14 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a list of vulnerabilities associated with the security recommendation. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index dffd2a0613..91a19e9c18 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -21,14 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a collection of security recommendations related to a given device ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 0074439db0..07550126c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -23,14 +23,14 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves software details by ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index e9b64f2ad1..7ae8324de9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -23,14 +23,14 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves a list of your organization's software version distribution. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index e205e5f5b7..6a02de62a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Retrieves the organization software inventory. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index 0b87266339..3ab82897fa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -1,7 +1,7 @@ --- title: Become a Microsoft Defender ATP partner ms.reviewer: -description: Learn the steps and requirements so that you can integrate your solution with Microsoft Defender ATP and be a partner +description: Learn the steps and requirements to integrate your solution with Microsoft Defender ATP and be a partner keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -18,40 +18,40 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Become a Microsoft Defender ATP partner +# Become a Microsoft Defender for Endpoint partner [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -To become a Microsoft Defender ATP solution partner, you'll need to follow and complete the following steps. +To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps. -## Step 1: Subscribe to a Microsoft Defender ATP Developer license -Subscribing to the [Microsoft Defender ATP Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9) allows you to use a Microsoft Defender ATP tenant with up to 10 devices for developing solutions to integrate with Microsoft Defender ATP. +## Step 1: Subscribe to a Microsoft Defender for Endpoint Developer license +Subscribe to the [Microsoft Defender for Endpoint Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9). Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to 10 devices to developing solutions that integrate with Microsoft Defender for Endpoint. ## Step 2: Fulfill the solution validation and certification requirements -The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender ATP team. +The best way for technology partners to certify that their integration works is to have a joint customer approve the suggested integration design (the customer can use the **Recommend a partner** option in the [Partner Application page](https://securitycenter.microsoft.com/interoperability/partners) in the Microsoft Defender Security Center) and have it tested and demoed to the Microsoft Defender for Endpoint team. -Once the Microsoft Defender ATP team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association. +Once the Microsoft Defender for Endpoint team has reviewed and approves the integration, we will direct you to be included as a partner at the Microsoft Intelligent Security Association. ## Step 3: Become a Microsoft Intelligent Security Association member [Microsoft Intelligent Security Association](https://www.microsoft.com/security/partnerships/intelligent-security-association) is a program specifically for Microsoft security partners to help enrich your security products and improve customer discoverability of your integrations to Microsoft security products. -## Step 4: Get listed in the Microsoft Defender ATP partner application portal -Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender ATP management portal. +## Step 4: Get listed in the Microsoft Defender for Endpoint partner application portal +Microsoft Defender ATP supports third-party applications discovery and integration using the in-product [partner page](partner-applications.md) that is embedded within the Microsoft Defender for Endpoint management portal. -To have your company listed as a partner in the in-product partner page, you will need to provide the following: +To have your company listed as a partner in the in-product partner page, you will need to provide the following information: 1. A square logo (SVG). 2. Name of the product to be presented. 3. Provide a 15-word product description. -4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Please note that any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. You should allow at least 10 days for review process to be performed. -5. If you use a multi-tenant Azure AD approach, we will need the AAD application name to track usage of the application. -6. We'd like to request that you include the User-Agent field in each API call made to Microsoft Defender ATP public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). +4. Link to the landing page for the customer to complete the integration or blog post that will include sufficient information for customers. Any press release including the Microsoft Defender ATP product name should be reviewed by the marketing and engineering teams. Wait for at least 10 days for the review process to be done. +5. If you use a multi-tenant Azure AD approach, we will need the Azure AD application name to track usage of the application. +6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). Follow these steps: - 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP integrated product with the version of the product that includes this integration. + 1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender ATP-integrated product with the version of the product that includes this integration. - ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}` - Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}` @@ -59,7 +59,7 @@ To have your company listed as a partner in the in-product partner page, you wil For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` -Partnership with Microsoft Defender ATP help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender ATP partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. +Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together. ## Related topics - [Technical partner opportunities](partner-integration.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 41c5a0ebdd..ea42bf22ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -21,16 +21,16 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Retrieves a collection of all active [Indicators](ti-indicator.md).
    Supports [OData V4 queries](https://www.odata.org/documentation/).
    The OData's ```$filter``` query is supported on: ```indicatorValue```, ```indicatorType```, ```creationTimeDateTimeUtc```, ```createdBy```, ```action``` and ```severity``` properties. -
    See examples at [OData queries with Microsoft Defender ATP](exposed-apis-odata-samples.md) +
    See examples at [OData queries with Microsoft Defender for Endpoint](exposed-apis-odata-samples.md) ## Limitations diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index 80617258d3..bc5b69d9cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -21,13 +21,13 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Retrieve a User entity by key (user name). ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 3d00668c3b..b6282b18f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -1,5 +1,5 @@ --- -title: Get user related alerts API +title: Get user-related alerts API description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh @@ -16,14 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get user related alerts API +# Get user-related alerts API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves a collection of alerts related to a given user ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -46,7 +46,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +>- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md). >- Response will include only alerts, associated with devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request @@ -54,7 +54,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/users/{id}/alerts ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)** +**The ID is not the full UPN, but only the user name. (for example, to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)** ## Request headers @@ -67,7 +67,7 @@ Authorization | String | Bearer {token}. **Required**. Empty ## Response -If successful and user exist - 200 OK. If the user do not exist - 404 Not Found. +If successful and user exists - 200 OK. If the user does not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 28c129e51c..33fbf7f79a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -1,6 +1,6 @@ --- -title: Get user related machines API -description: Learn how to use the Get user related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection. +title: Get user-related machines API +description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -16,14 +16,14 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Get user related machines API +# Get user-related machines API [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -35,7 +35,7 @@ Retrieves a collection of devices related to a given user ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- @@ -46,15 +46,15 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only devices that the user can access, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +>- The user needs to have at least the following role permission: 'View Data'. For more information, see [Create and manage roles](user-roles.md) ) +>- Response will include only devices that the user can access, based on device group settings. For more information, see [Create and manage device groups](machine-groups.md). ## HTTP request ``` GET /api/users/{id}/machines ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)** +**The ID is not the full UPN, but only the user name. (for example, to retrieve machines for user1@contoso.com use /api/users/user1/machines)** ## Request headers diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index 4a5514ff10..ac266cf40f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -23,14 +23,14 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieve a list of vulnerabilities in the installed software. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index 27b633e634..3e66207db5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] Retrieves vulnerability information by its ID. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) for details. +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) for details. Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md similarity index 72% rename from windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md rename to windows/security/threat-protection/microsoft-defender-atp/gov.md index 3642376253..af348b95bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -17,15 +17,15 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Microsoft Defender ATP for US Government GCC High customers +# Microsoft Defender for Endpoint for US Government GCC High customers [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Microsoft Defender ATP in Azure Commercial. +Microsoft Defender for Endpoint for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial. This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering. @@ -34,13 +34,13 @@ This offering is currently available to US Office 365 GCC High customers and is The following OS versions are supported: - Windows 10, version 1903 -- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) +- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/help/4490481)) - Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183)) - Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) -- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/en-us/help/4490481)) +- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481)) >[!NOTE] ->A patch must be deployed before device onboarding in order to configure Microsoft Defender ATP to the correct environment. +A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. The following OS versions are supported via Azure Security Center: - Windows Server 2008 R2 SP1 @@ -59,7 +59,7 @@ The following OS versions are not supported: - macOS - Linux -The initial release of Microsoft Defender ATP will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020: +The initial release of Defender for Endpoint will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020: ## Threat Analytics Not currently available. @@ -91,7 +91,7 @@ Not currently available. Integrations with the following Microsoft products are not currently available: - Azure Advanced Threat Protection - Azure Information Protection -- Office 365 Advanced Threat Protection +- Defender for Office 365 - Microsoft Cloud App Security - Skype for Business - Microsoft Intune (sharing of device information and enhanced policy enforcement) @@ -105,7 +105,7 @@ You'll need to ensure that traffic from the following are allowed: Service location | DNS record :---|:--- Common URLs for all locations (Global location) | ```crl.microsoft.com```
    ```ctldl.windowsupdate.com```
    ```notify.windows.com```
    ```settings-win.data.microsoft.com```

    NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier. -Microsoft Defender ATP GCC High specific | ```us4-v20.events.data.microsoft.com```
    ```winatp-gw-usgt.microsoft.com```
    ```winatp-gw-usgv.microsoft.com```
    ```*.blob.core.usgovcloudapi.net``` +Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com```
    ```winatp-gw-usgt.microsoft.com```
    ```winatp-gw-usgv.microsoft.com```
    ```*.blob.core.usgovcloudapi.net``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md index 1feba6fc45..f62c3b418f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md @@ -24,39 +24,39 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) >[!IMPORTANT] >Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. To implement a multi-tenant delegated access solution, take the following steps: -1. Enable [role-based access control](rbac.md) in Microsoft Defender ATP and connect with Active Directory (AD) groups. +1. Enable [role-based access control](rbac.md) in Defender for Endpoint and connect with Active Directory (AD) groups. 2. Configure [Governance Access Packages](https://docs.microsoft.com/azure/active-directory/governance/identity-governance-overview) for access request and provisioning. 3. Manage access requests and audits in [Microsoft Myaccess](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-request-approve). -## Enable role-based access controls in Microsoft Defender ATP +## Enable role-based access controls in Microsoft Defender for Endpoint 1. **Create access groups for MSSP resources in Customer AAD: Groups** - These groups will be linked to the Roles you create in Microsoft Defender ATP. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups: + These groups will be linked to the Roles you create in Defender for Endpoint. To do so, in the customer AD tenant, create three groups. In our example approach, we create the following groups: - Tier 1 Analyst - Tier 2 Analyst - MSSP Analyst Approvers -2. Create Microsoft Defender ATP roles for appropriate access levels in Customer Microsoft Defender ATP. +2. Create Defender for Endpoint roles for appropriate access levels in Customer Defender for Endpoint. To enable RBAC in the customer Microsoft Defender Security Center, access **Settings > Permissions > Roles** and "Turn on roles", from a user account with Global Administrator or Security Administrator rights. ![Image of MSSP access](images/mssp-access.png) - Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via Assigned user groups. + Then, create RBAC roles to meet MSSP SOC Tier needs. Link these roles to the created user groups via "Assigned user groups". Two possible roles: @@ -120,13 +120,13 @@ To implement a multi-tenant delegated access solution, take the following steps: Access requests are managed in the customer My Access, by members of the MSSP Analyst Approvers group. - To do so, access the customers myaccess using: + To do so, access the customer's myaccess using: `https://myaccess.microsoft.com/@`. Example: `https://myaccess.microsoft.com/@M365x440XXX.onmicrosoft.com#/` 2. Approve or deny requests in the **Approvals** section of the UI. - At this point, analyst access has been provisioned, and each analyst should be able to access the customers Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=` + At this point, analyst access has been provisioned, and each analyst should be able to access the customer's Microsoft Defender Security Center: `https://securitycenter.Microsoft.com/?tid=` ## Related topics - [Access the MSSP customer portal](access-mssp-portal.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index 1b411df76d..adc3dd0a3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -17,38 +17,33 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Helpful Microsoft Defender Advanced Threat Protection resources +# Helpful Microsoft Defender for Endpoint resources [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Access helpful resources such as links to blogs and other resources related to Microsoft Defender Advanced Threat Protection. +Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint. ## Endpoint protection platform - [Top scoring in industry tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) -- [Inside out: Get to know the advanced technologies at the core of Microsoft - Defender ATP next generation - protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) +- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) -- [Protecting disconnected devices with Microsoft Defender - ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) +- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) -- [Tamper protection in Microsoft Defender - ATP](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) +- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) ## Endpoint Detection Response -- [Incident response at your fingertips with Microsoft Defender ATP live - response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) +- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) ## Threat Vulnerability Management -- [Microsoft Defender ATP Threat & Vulnerability Management now publicly +- [Defender for Endpoint Threat & Vulnerability Management now publicly available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977) ## Operational @@ -56,7 +51,7 @@ Access helpful resources such as links to blogs and other resources related to - [The Golden Hour remake - Defining metrics for a successful security operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014) -- [Microsoft Defender ATP Evaluation lab is now available in public preview +- [Defender for Endpoint Evaluation lab is now available in public preview ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) - [How automation brings value to your security diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/admin-powershell.png b/windows/security/threat-protection/microsoft-defender-atp/images/admin-powershell.png new file mode 100644 index 0000000000..af7d9bc867 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/admin-powershell.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-rings.png b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-rings.png new file mode 100644 index 0000000000..c8d85fa889 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-rings.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/deployment-strategy-big.png b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-strategy-big.png new file mode 100644 index 0000000000..cfee2eaf86 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/deployment-strategy-big.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/insider-rings.png b/windows/security/threat-protection/microsoft-defender-atp/images/insider-rings.png new file mode 100644 index 0000000000..770b263605 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/insider-rings.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-config-mgr.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-config-mgr.png new file mode 100644 index 0000000000..6e0bfa21fc Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-config-mgr.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-configure-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-configure-diagram.png new file mode 100644 index 0000000000..03df8d4c0c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-configure-diagram.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-gp.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-gp.png new file mode 100644 index 0000000000..138ffc93cd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-gp.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune-big.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune-big.png new file mode 100644 index 0000000000..d2e629f921 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune-big.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune.png new file mode 100644 index 0000000000..b794184562 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-intune.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboard-script.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-script.png new file mode 100644 index 0000000000..385dfa8e22 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboard-script.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-flow-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-flow-diagram.png new file mode 100644 index 0000000000..73e6c05da6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/onboarding-flow-diagram.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png deleted file mode 100644 index 0fcea8aa93..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/software_inventory_filter.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png new file mode 100644 index 0000000000..6af1526538 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png new file mode 100644 index 0000000000..35c8dbc5f1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-device-hover360.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png new file mode 100644 index 0000000000..310f1cb878 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score350.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png deleted file mode 100644 index dd5df1eee4..0000000000 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-event-timeline-exposure-score400.png and /dev/null differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exposed-devices-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exposed-devices-filter.png new file mode 100644 index 0000000000..5d8923690e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-exposed-devices-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-age.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-age.png new file mode 100644 index 0000000000..14d90bbdd1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-age.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-exploit-availability.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-exploit-availability.png new file mode 100644 index 0000000000..3e77bcb4e1 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-exploit-availability.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-os.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-os.png new file mode 100644 index 0000000000..63ac8f881e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-os.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-severity.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-severity.png new file mode 100644 index 0000000000..d411f09db8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-severity.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-version.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-version.png new file mode 100644 index 0000000000..a500131ad0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-report-version.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory.png new file mode 100644 index 0000000000..ce9e1d955b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-software-inventory.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-unsupported-software-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-unsupported-software-filter.png new file mode 100644 index 0000000000..02364432af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-unsupported-software-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg new file mode 100644 index 0000000000..e0fa906808 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-patch.jpg differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png new file mode 100644 index 0000000000..a1f9e7d70a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-security-recommendation.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png new file mode 100644 index 0000000000..04b9835601 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout-400.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png new file mode 100644 index 0000000000..941dd99ba8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-flyout.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png new file mode 100644 index 0000000000..b4b4696b61 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-inventory.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png new file mode 100644 index 0000000000..b3fd3b18a8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-software-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png new file mode 100644 index 0000000000..1957e7f571 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-security-recommendations.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png new file mode 100644 index 0000000000..094e2a7992 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-top-software.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png new file mode 100644 index 0000000000..ac2610fdaa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/tvm-zero-day-weakness-name.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index ad7c9cbaa9..f496d2d153 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -22,7 +22,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](microsoft-defender-advanced-threat-protection.md) +* [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md) Exploit protection helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index cfff5ce687..feab52dd1a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -24,10 +24,10 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) You can create indicators for certificates. Some common use cases include: diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md index 8a5a15bf39..3e7b8c855d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -24,10 +24,10 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. @@ -46,7 +46,7 @@ It's important to understand the following prerequisites prior to creating indic >[!IMPORTANT] >- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action ->- Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. +>- Trusted signed files will be treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications. >[!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md index 4769eb6666..4cff1f1817 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -24,13 +24,13 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) -Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. +Defender for Endpoint can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. The threat intelligence data set for this has been managed by Microsoft. @@ -38,7 +38,7 @@ By creating indicators for IPs and URLs or domains, you can now allow or block I ### Before you begin It's important to understand the following prerequisites prior to creating indicators for IPS, URLs, or domains: -- URL/IP allow and block relies on the Microsoft Defender ATP component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). +- URL/IP allow and block relies on the Defender for Endpoint component Network Protection to be enabled in block mode. For more information on Network Protection and configuration instructions, see [Enable network protection](enable-network-protection.md). - The Antimalware client version must be 4.18.1906.x or later. - Supported on machines on Windows 10, version 1709 or later. - Ensure that **Custom network indicators** is enabled in **Microsoft Defender Security Center > Settings > Advanced features**. For more information, see [Advanced features](advanced-features.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md index 54d2c70de6..3cb8685e67 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md @@ -2,7 +2,7 @@ title: Manage indicators ms.reviewer: description: Manage indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. -keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -24,10 +24,10 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) 1. In the navigation pane, select **Settings** > **Indicators**. @@ -65,8 +65,13 @@ expirationTime | DateTimeOffset | The expiration time of the indicator in the fo severity | Enum | The severity of the indicator. Possible values are: "Informational", "Low", "Medium" and "High". **Optional** recommendedActions | String | TI indicator alert recommended actions. **Optional** rbacGroupNames | String | Comma-separated list of RBAC group names the indicator would be applied to. **Optional** +category | String | Category of the alert. Examples include: Execution and credential access. **Optional** +mitretechniques| String | MITRE techniques code/id (comma separated). For more information, see [Enterprise tactics](https://attack.mitre.org/tactics/enterprise/). **Optional** It is recommended to add a value in category when a MITRE technique. -## Related topics +For more information, see [Microsoft Defender ATP alert categories are now aligned with MITRE ATT&CK!](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-atp-alert-categories-are-now-aligned-with/ba-p/732748). + + +## See also - [Create indicators](manage-indicators.md) - [Create indicators for files](indicator-file.md) - [Create indicators for IPs and URLs/domains](indicator-ip-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 17b7c51fcd..74f53cc04c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -24,7 +24,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -34,7 +34,7 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr >[!TIP] > Read our blog post about how [Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices](https://cloudblogs.microsoft.com/microsoftsecure/2019/01/17/windows-defender-atp-integrates-with-microsoft-information-protection-to-discover-protect-and-monitor-sensitive-data-on-windows-devices/). -Microsoft Defender ATP applies the following methods to discover, classify, and protect data: +Defender for Endpoint applies the following methods to discover, classify, and protect data: - **Data discovery** - Identify sensitive data on Windows devices at risk - **Data classification** - Automatically classify data based on common Microsoft Information Protection (MIP) policies managed in Office 365 Security & Compliance Center. Auto-classification allows you to protect sensitive data even if the end user hasn’t manually classified it. @@ -42,7 +42,7 @@ Microsoft Defender ATP applies the following methods to discover, classify, and ## Data discovery and data classification -Microsoft Defender ATP automatically discovers files with sensitivity labels and files that contain sensitive information types. +Defender for Endpoint automatically discovers files with sensitivity labels and files that contain sensitive information types. Sensitivity labels classify and help protect sensitive content. @@ -55,9 +55,9 @@ Default sensitive information types include information such as bank account num Custom types are ones that you define and is designed to protect a different type of sensitive information (for example, employee IDs or project numbers). For more information see, [Create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type). -When a file is created or edited on a Windows device, Microsoft Defender ATP scans the content to evaluate if it contains sensitive information. +When a file is created or edited on a Windows device, Defender for Endpoint scans the content to evaluate if it contains sensitive information. -Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Microsoft Defender ATP though labels or information types, it is automatically forwarded to Azure Information Protection from the device. +Turn on the Azure Information Protection integration so that when a file that contains sensitive information is discovered by Defender for Endpoint though labels or information types, it is automatically forwarded to Azure Information Protection from the device. ![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) @@ -65,11 +65,11 @@ The reported signals can be viewed on the Azure Information Protection – Data ## Azure Information Protection - Data discovery dashboard -This dashboard presents a summarized discovery information of data discovered by both Microsoft Defender ATP and Azure Information Protection. Data from Microsoft Defender ATP is marked with Location Type - Endpoint. +This dashboard presents a summarized discovery information of data discovered by both Defender for Endpoint and Azure Information Protection. Data from Defender for Endpoint is marked with Location Type - Endpoint. ![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) -Notice the Device Risk column on the right, this device risk is derived directly from Microsoft Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Microsoft Defender ATP. +Notice the Device Risk column on the right, this device risk is derived directly from Defender for Endpoint, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Defender for Endpoint. Click on a device to view a list of files observed on this device, with their sensitivity labels and information types. @@ -78,13 +78,13 @@ Click on a device to view a list of files observed on this device, with their se ## Log Analytics -Data discovery based on Microsoft Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. +Data discovery based on Defender for Endpoint is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). -To view Microsoft Defender ATP data, perform a query that contains: +To view Defender for Endpoint data, perform a query that contains: ``` InformationProtectionLogs_CL diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md index 4c595bdec5..30a7574c30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md @@ -23,11 +23,11 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) A typical advanced persistent threat lifecycle involves data exfiltration. In a security incident, it's important to have the ability to prioritize investigations where sensitive files may be jeopardy so that corporate data and information are protected. -Microsoft Defender ATP helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information. +Defender for Endpoint helps to make the prioritization of security incidents much simpler with the use of sensitivity labels. Sensitivity labels quickly identify incidents that may involve devices with sensitive information such as confidential information. ## Investigate incidents that involve sensitive data Learn how to use data sensitivity labels to prioritize incident investigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index f464c54bde..683be6e6bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -36,7 +36,7 @@ Start automated investigation on a device. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index 1b20360ecd..e9ad5814eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -27,11 +27,11 @@ ms.date: 04/24/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatealerts-abovefoldlink) Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. @@ -101,12 +101,12 @@ The **Artifact timeline** feature provides an additional view of the evidence th Selecting an alert detail brings up the **Details pane** where you'll be able to see more information about the alert such as file details, detections, instances of it observed worldwide, and in the organization. ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 37ca52cd85..42e6837413 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -26,15 +26,15 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) -Microsoft Defender ATP supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet. +Defender for Endpoint supports network connection monitoring from different levels of the network stack. A challenging case is when the network uses a forward proxy as a gateway to the Internet. The proxy acts as if it was the target endpoint. In these cases, simple network connection monitors will audit the connections with the proxy which is correct but has lower investigation value. -Microsoft Defender ATP supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names. +Defender for Endpoint supports advanced HTTP level monitoring through network protection. When turned on, a new type of event is surfaced which exposes the real target domain names. ## Use network protection to monitor network connection behind a firewall Monitoring network connection behind a forward proxy is possible due to additional network events that originate from network protection. To see them on a device timeline, turn network protection on (at the minimum in audit mode). diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index 7bd899fd9b..bee61aaabc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -19,7 +19,7 @@ ms.collection: ms.topic: article ms.date: 04/24/2018 --- -# Investigate a domain associated with a Microsoft Defender ATP alert +# Investigate a domain associated with a Microsoft Defender for Endpoint alert [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -27,11 +27,11 @@ ms.date: 04/24/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatedomain-abovefoldlink) Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain. @@ -80,9 +80,9 @@ You can view events from different periods of time by entering the dates into th ## Related topics - [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index f5c2fcb4ce..a9e415015a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -27,11 +27,10 @@ ms.date: 04/24/2018 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -[!include[Prerelease information](../../includes/prerelease.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatefiles-abovefoldlink) Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. @@ -101,11 +100,11 @@ The **File names** tab lists all names the file has been observed to use, within ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [View and organize the Microsoft Defender for Endpoint queue](alerts-queue.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Microsoft Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) - [Take response actions on a file](respond-file-alerts.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 419b64c153..003cb02227 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -19,13 +19,13 @@ ms.collection: ms.topic: article --- -# Investigate incidents in Microsoft Defender ATP +# Investigate incidents in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. @@ -68,24 +68,25 @@ Select **Investigations** to see all the automatic investigations launched by th ![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png) ## Going through the evidence -Microsoft Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident. +Microsoft Defender for Endpoint automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with autoresponse and information about the important files, processes, services, and more. + Each of the analyzed entities will be marked as infected, remediated, or suspicious. ![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png) ## Visualizing associated cybersecurity threats -Microsoft Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. +Microsoft Defender for Endpoint aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. ### Incident graph The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which device. etc. ![Image of the incident graph](images/atp-incident-graph-tab.png) -You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances. +You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances have there been worldwide, whether it’s been observed in your organization, if so, how many instances. ![Image of incident details](images/atp-incident-graph-details.png) ## Related topics - [Incidents queue](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue) -- [Investigate incidents in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents) -- [Manage Microsoft Defender ATP incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents) +- [Investigate incidents in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents) +- [Manage Microsoft Defender for Endpoint incidents](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-incidents) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index fb1109d764..3647ff20ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -20,16 +20,16 @@ ms.topic: article ms.date: 04/24/2018 --- -# Investigate an IP address associated with a Microsoft Defender ATP alert +# Investigate an IP address associated with a Microsoft Defender for Endpoint alert [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigateip-abovefoldlink) Examine possible communication between your devices and external internet protocol (IP) addresses. @@ -80,10 +80,10 @@ Clicking any of the device names will take you to that device's view, where you ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Microsoft Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Microsoft Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate a domain associated with a Microsoft Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Microsoft Defender for Endpoint](investigate-user.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 5419c76996..aa657d9821 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -1,5 +1,5 @@ --- -title: Investigate devices in the Microsoft Defender ATP Devices list +title: Investigate devices in the Defender for Endpoint Defender ATP Devices list description: Investigate affected devices by reviewing alerts, network connection information, adding device tags and groups, and checking the service health. keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health search.product: eADQiWindows 10XVcnh @@ -19,16 +19,16 @@ ms.collection: ms.topic: article --- -# Investigate devices in the Microsoft Defender ATP Devices list +# Investigate devices in the Microsoft Defender for Endpoint Devices list [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) Investigate the details of an alert raised on a specific device to identify other behaviors or events that might be related to the alert or the potential scope of the breach. @@ -173,7 +173,7 @@ The **Azure Advanced Threat Protection** card will display a high-level overview ![Image of active alerts card](images/risk-level-small.png) >[!NOTE] ->You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). +>You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). ### Logged on users @@ -189,12 +189,12 @@ The **Security assessments** card shows the overall exposure level, security rec ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) -- [Investigate a user account in Microsoft Defender ATP](investigate-user.md) +- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md) +- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md) +- [Investigate a user account in Defender for Endpoint](investigate-user.md) - [Security recommendation](tvm-security-recommendation.md) - [Software inventory](tvm-software-inventory.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index 7593f22e63..292ee98eec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -19,16 +19,16 @@ ms.collection: ms.topic: article ms.date: 04/24/2018 --- -# Investigate a user account in Microsoft Defender ATP +# Investigate a user account in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-investigatgeuser-abovefoldlink) ## Investigate user account entities @@ -56,7 +56,7 @@ When you investigate a user account entity, you'll see: The **User details** pane on left provides information about the user, such as related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and logon types. Depending on the integration features you've enabled, you'll see other details. For example, if you enable the Skype for business integration, you'll be able to contact the user from the portal. The **Azure ATP alerts** section contains a link that will take you to the Azure ATP page, if you have enabled the Azure ATP feature, and there are alerts related to the user. The Azure ATP page will provide more information about the alerts. >[!NOTE] ->You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). +>You'll need to enable the integration on both Azure ATP and Defender for Endpoint to use this feature. In Defender for Endpoint, you can enable this feature in advanced features. For more information on how to enable advanced features, see [Turn on advanced features](advanced-features.md). The Overview, Alerts, and Observed in organization are different tabs that display various attributes about the user account. @@ -92,10 +92,10 @@ You can filter the results by the following time periods: ## Related topics -- [View and organize the Microsoft Defender Advanced Threat Protection Alerts queue](alerts-queue.md) -- [Manage Microsoft Defender Advanced Threat Protection alerts](manage-alerts.md) -- [Investigate Microsoft Defender Advanced Threat Protection alerts](investigate-alerts.md) -- [Investigate a file associated with a Microsoft Defender ATP alert](investigate-files.md) -- [Investigate devices in the Microsoft Defender ATP Devices list](investigate-machines.md) -- [Investigate an IP address associated with a Microsoft Defender ATP alert](investigate-ip.md) -- [Investigate a domain associated with a Microsoft Defender ATP alert](investigate-domain.md) +- [View and organize the Microsoft Defender for Endpoint Alerts queue](alerts-queue.md) +- [Manage Microsoft Defender for Endpoint alerts](manage-alerts.md) +- [Investigate Microsoft Defender for Endpoint alerts](investigate-alerts.md) +- [Investigate a file associated with a Defender for Endpoint alert](investigate-files.md) +- [Investigate devices in the Defender for Endpoint Devices list](investigate-machines.md) +- [Investigate an IP address associated with a Defender for Endpoint alert](investigate-ip.md) +- [Investigate a domain associated with a Defender for Endpoint alert](investigate-domain.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index 87bac34185..9a079ca9cb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -23,11 +23,11 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Represent an Automated Investigation entity in Microsoft Defender ATP. +Represent an Automated Investigation entity in Defender for Endpoint.
    See [Overview of automated investigations](automated-investigations.md) for more information. ## Methods diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index abb45e662b..e44fe3a67f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -20,7 +20,7 @@ ms.collection: ms.topic: conceptual --- -# Configure Microsoft Defender ATP for iOS features +# Configure Microsoft Defender for Endpoint for iOS features [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -33,17 +33,17 @@ ms.topic: conceptual ## Configure custom indicators -Microsoft Defender ATP for iOS enables admins to configure custom indicators on +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators ## Web Protection -By default, Microsoft Defender ATP for iOS includes and enables the web +By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks. >[!NOTE] ->Microsoft Defender ATP for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. +>Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md index be3fe61fbf..2404da2be6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md @@ -20,7 +20,7 @@ ms.collection: ms.topic: conceptual --- -# App-based deployment for Microsoft Defender ATP for iOS +# App-based deployment for Microsoft Defender for Endpoint for iOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -31,7 +31,7 @@ ms.topic: conceptual > > As with any pre-release solution, remember to exercise caution when determining the target population for your deployments. -Microsoft Defender ATP for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store. +Defender for Endpoint for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store. Deployment devices need to be enrolled on Intune Company portal. Refer to [Enroll your @@ -43,33 +43,32 @@ learn more about Intune device enrollment - Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -- Ensure iOS enrollment is done for your users. Users need to have Microsoft Defender ATP - license assigned in order to use Microsoft Defender ATP for iOS. Refer [Assign licenses to +- Ensure iOS enrollment is done for your users. Users need to have Defender for Endpoint + license assigned in order to use Defender for Endpoint for iOS. Refer [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses. ## Deployment steps -To install Microsoft Defender ATP for iOS, end-users can visit +To install Defender for Endpoint for iOS, end-users can visit on their iOS devices. This link will open the TestFlight application on their device or prompt them to install TestFlight. On -the TestFlight app, follow the onscreen instructions to install Microsoft -Defender ATP. +the TestFlight app, follow the onscreen instructions to install Defender for Endpoint. ![Image of deployment steps](images/testflight-get.png) ## Complete onboarding and check status -1. Once Microsoft Defender ATP for iOS has been installed on the device, you +1. Once Defender for Endpoint for iOS has been installed on the device, you will see the app icon. ![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png) -2. Tap the Microsoft Defender ATP app icon and follow the on-screen +2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user - acceptance of iOS permissions required by Microsoft Defender ATP for iOS. + acceptance of iOS permissions required by Defender for Endpoint for iOS. 3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center. @@ -79,4 +78,4 @@ Defender ATP. ## Next Steps -[Configure Microsoft Defender ATP for iOS features](ios-configure-features.md) +[Configure Defender for Endpoint for iOS features](ios-configure-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md index 1bef25da5f..31ee7b41b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -23,18 +23,18 @@ hideEdit: true **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for iOS](microsoft-defender-atp-ios.md) +- [Microsoft Defender for Endpoint](microsoft-defender-atp-ios.md) >[!NOTE] -> Microsoft Defender ATP for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. +> Defender for Endpoint for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. -Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP. +Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. -Information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected and to support the service. +Information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected and to support the service. ## Required data -Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: +Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: ### Web page / Network information diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md index 39f57d1213..997e5ed226 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md @@ -21,12 +21,12 @@ ms.topic: conceptual hideEdit: true --- -# Microsoft Defender ATP for iOS application license terms +# Microsoft Defender for Endpoint for iOS application license terms [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER FOR ENDPOINT These license terms ("Terms") are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They @@ -53,7 +53,7 @@ DO NOT USE THE APPLICATION.** 1. **Installation and Use.** You may install and use any number of copies of this application on iOS enabled device or devices which you own or control. You may use this application with your company's valid - subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or + subscription of Defender for Endpoint or an online service that includes MDATP functionalities. 2. **Updates.** Updates or upgrades to MDATP may be required for full @@ -162,7 +162,7 @@ DO NOT USE THE APPLICATION.** enforce and rely upon any provision of these Terms that grants them a benefit or rights. -9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and +9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender for Endpoint and Microsoft 365 are registered or common-law trademarks of Microsoft Corporation in the United States and/or other countries. diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index c16a3f2448..98cfaa0d40 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description @@ -37,7 +37,7 @@ Isolates a device from accessing external network. [!include[Device actions note](../../includes/machineactionsnote.md)] ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender ATP APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) Permission type | Permission | Permission display name :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index 8bee109c6f..e1e14ad345 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -19,30 +19,30 @@ ms.collection: ms.topic: conceptual --- -# Configure and validate exclusions for Microsoft Defender ATP for Linux +# Configure and validate exclusions for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. > [!IMPORTANT] -> The exclusions described in this article don't apply to other Microsoft Defender ATP for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. +> The exclusions described in this article don't apply to other Defender for Endpoint for Linux capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. -You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Linux scans. +You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Linux scans. -Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Linux. +Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Linux. > [!WARNING] -> Defining exclusions lowers the protection offered by Microsoft Defender ATP for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +> Defining exclusions lowers the protection offered by Defender for Endpoint for Linux. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. ## Supported exclusion types -The follow table shows the exclusion types supported by Microsoft Defender ATP for Linux. +The follow table shows the exclusion types supported by Defender for Endpoint for Linux. Exclusion | Definition | Examples ---|---|--- @@ -65,7 +65,7 @@ Wildcard | Description | Example | Matches | Does not match ### From the management console -For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). +For more information on how to configure exclusions from Puppet, Ansible, or another management console, see [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). ### From the command line @@ -145,7 +145,7 @@ In the following Bash snippet, replace `test.txt` with a file that conforms to y curl -o test.txt https://www.eicar.org/download/eicar.com.txt ``` -If Microsoft Defender ATP for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). +If Defender for Endpoint for Linux reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index 3012e87c2c..2a491e271a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -20,16 +20,16 @@ ms.collection: ms.topic: conceptual --- -# Deploy Microsoft Defender ATP for Linux manually +# Deploy Microsoft Defender for Endpoint for Linux manually [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) -This article describes how to deploy Microsoft Defender ATP for Linux manually. A successful deployment requires the completion of all of the following tasks: +This article describes how to deploy Microsoft Defender for Endpoint for Linux manually. A successful deployment requires the completion of all of the following tasks: - [Configure the Linux software repository](#configure-the-linux-software-repository) - [Application installation](#application-installation) @@ -42,7 +42,7 @@ Before you get started, see [Microsoft Defender ATP for Linux](microsoft-defende ## Configure the Linux software repository -Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below. +Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. Instructions for configuring your device to use one of these repositories are provided below. The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. @@ -301,7 +301,7 @@ Download the onboarding package from Microsoft Defender Security Center: > ```bash > mdatp health --field definitions_status > ``` - > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Microsoft Defender ATP for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration). + > Please note that you may also need to configure a proxy after completing the initial installation. See [Configure Defender for Endpoint for Linux for static proxy discovery: Post-installation configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration#post-installation-configuration). 5. Run a detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device: @@ -317,7 +317,7 @@ Download the onboarding package from Microsoft Defender Security Center: curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt ``` - - The file should have been quarantined by Microsoft Defender ATP for Linux. Use the following command to list all the detected threats: + - The file should have been quarantined by Defender for Endpoint for Linux. Use the following command to list all the detected threats: ```bash mdatp threat list @@ -329,8 +329,8 @@ See [Log installation issues](linux-resources.md#log-installation-issues) for mo ## Operating system upgrades -When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. +When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device. ## Uninstallation -See [Uninstall](linux-resources.md#uninstall) for details on how to remove Microsoft Defender ATP for Linux from client devices. +See [Uninstall](linux-resources.md#uninstall) for details on how to remove Defender for Endpoint for Linux from client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 2cc5610a4c..35fe0795ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -20,16 +20,16 @@ ms.collection: ms.topic: conceptual --- -# Deploy Microsoft Defender ATP for Linux with Ansible +# Deploy Microsoft Defender for Endpoint for Linux with Ansible [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) -This article describes how to deploy Microsoft Defender ATP for Linux using Ansible. A successful deployment requires the completion of all of the following tasks: +This article describes how to deploy Defender for Endpoint for Linux using Ansible. A successful deployment requires the completion of all of the following tasks: - [Download the onboarding package](#download-the-onboarding-package) - [Create Ansible YAML files](#create-ansible-yaml-files) @@ -38,7 +38,7 @@ This article describes how to deploy Microsoft Defender ATP for Linux using Ansi ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Defender for Endpoint for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version. In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Refer to the [Ansible documentation](https://docs.ansible.com/) for details. @@ -120,9 +120,9 @@ Create a subtask or role files that contribute to an playbook or task. when: not mdatp_onboard.stat.exists ``` -- Add the Microsoft Defender ATP repository and key. +- Add the Defender for Endpoint repository and key. - Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. + Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. @@ -156,7 +156,7 @@ Create a subtask or role files that contribute to an playbook or task. - name: Add Microsoft yum repository for MDATP yum_repository: name: packages-microsoft-com-prod-[channel] - description: Microsoft Defender ATP + description: Microsoft Defender for Endpoint file: microsoft-[channel] baseurl: https://packages.microsoft.com/[distro]/[version]/[channel]/ gpgcheck: yes @@ -254,7 +254,7 @@ See [Log installation issues](linux-resources.md#log-installation-issues) for mo ## Operating system upgrades -When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. +When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device. ## References diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 68fe2b6926..46100ac983 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -20,16 +20,16 @@ ms.collection: ms.topic: conceptual --- -# Deploy Microsoft Defender ATP for Linux with Puppet +# Deploy Microsoft Defender for Endpoint for Linux with Puppet [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) -This article describes how to deploy Microsoft Defender ATP for Linux using Puppet. A successful deployment requires the completion of all of the following tasks: +This article describes how to deploy Defender for Endpoint for Linux using Puppet. A successful deployment requires the completion of all of the following tasks: - [Download the onboarding package](#download-the-onboarding-package) - [Create Puppet manifest](#create-a-puppet-manifest) @@ -38,7 +38,7 @@ This article describes how to deploy Microsoft Defender ATP for Linux using Pupp ## Prerequisites and system requirements - For a description of prerequisites and system requirements for the current software version, see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md). + For a description of prerequisites and system requirements for the current software version, see [the main Defender for Endpoint for Linux page](microsoft-defender-atp-linux.md). In addition, for Puppet deployment, you need to be familiar with Puppet administration tasks, have Puppet configured, and know how to deploy packages. Puppet has many ways to complete the same task. These instructions assume availability of supported Puppet modules, such as *apt* to help deploy the package. Your organization might use a different workflow. Refer to the [Puppet documentation](https://puppet.com/docs) for details. @@ -72,7 +72,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Create a Puppet manifest -You need to create a Puppet manifest for deploying Microsoft Defender ATP for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. +You need to create a Puppet manifest for deploying Defender for Endpoint for Linux to devices managed by a Puppet server. This example makes use of the *apt* and *yumrepo* modules available from puppetlabs, and assumes that the modules have been installed on your Puppet server. Create the folders *install_mdatp/files* and *install_mdatp/manifests* under the modules folder of your Puppet installation. This folder is typically located in */etc/puppetlabs/code/environments/production/modules* on your Puppet server. Copy the mdatp_onboard.json file created above to the *install_mdatp/files* folder. Create an *init.pp* file that contains the deployment instructions: @@ -96,7 +96,7 @@ install_mdatp ### Contents of `install_mdatp/manifests/init.pp` -Microsoft Defender ATP for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. +Defender for Endpoint for Linux can be deployed from one of the following channels (denoted below as *[channel]*): *insiders-fast*, *insiders-slow*, or *prod*. Each of these channels corresponds to a Linux software repository. The choice of the channel determines the type and frequency of updates that are offered to your device. Devices in *insiders-fast* are the first ones to receive updates and new features, followed later by *insiders-slow* and lastly by *prod*. @@ -205,7 +205,7 @@ org_id : "[your organization identifier]" - **licensed**: This confirms that the device is tied to your organization. -- **orgId**: This is your Microsoft Defender ATP organization identifier. +- **orgId**: This is your Defender for Endpoint organization identifier. ## Check onboarding status @@ -231,7 +231,7 @@ If the product is not healthy, the exit code (which can be checked through `echo ## Operating system upgrades -When upgrading your operating system to a new major version, you must first uninstall Microsoft Defender ATP for Linux, install the upgrade, and finally reconfigure Microsoft Defender ATP for Linux on your device. +When upgrading your operating system to a new major version, you must first uninstall Defender for Endpoint for Linux, install the upgrade, and finally reconfigure Defender for Endpoint for Linux on your device. ## Uninstallation diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index e2944beb87..2ec4ae0d08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -20,19 +20,19 @@ ms.collection: ms.topic: conceptual --- -# Set preferences for Microsoft Defender ATP for Linux +# Set preferences for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) >[!IMPORTANT] ->This topic contains instructions for how to set preferences for Microsoft Defender ATP for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line). +>This topic contains instructions for how to set preferences for Defender for Endpoint for Linux in enterprise environments. If you are interested in configuring the product on a device from the command-line, see [Resources](linux-resources.md#configure-from-the-command-line). -In enterprise environments, Microsoft Defender ATP for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. +In enterprise environments, Defender for Endpoint for Linux can be managed through a configuration profile. This profile is deployed from the management tool of your choice. Preferences managed by the enterprise take precedence over the ones set locally on the device. In other words, users in your enterprise are not able to change preferences that are set through this configuration profile. This article describes the structure of this profile (including a recommended profile that you can use to get started) and instructions on how to deploy the profile. @@ -78,7 +78,7 @@ Determines whether the antivirus engine runs in passive mode or not. In passive | **Key** | passiveMode | | **Data type** | Boolean | | **Possible values** | false (default)
    true | -| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. | +| **Comments** | Available in Defender for Endpoint version 100.67.60 or higher. | #### Exclusion merge policy @@ -89,7 +89,7 @@ Specifies the merge policy for exclusions. It can be a combination of administra | **Key** | exclusionsMergePolicy | | **Data type** | String | | **Possible values** | merge (default)
    admin_only | -| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. | #### Scan exclusions @@ -173,7 +173,7 @@ Restricts the actions that the local user of a device can take when threats are | **Key** | disallowedThreatActions | | **Data type** | Array of strings | | **Possible values** | allow (restricts users from allowing threats)
    restore (restricts users from restoring threats from the quarantine) | -| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. | #### Threat type settings @@ -218,7 +218,7 @@ Specifies the merge policy for threat type settings. This can be a combination o | **Key** | threatTypeSettingsMergePolicy | | **Data type** | String | | **Possible values** | merge (default)
    admin_only | -| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +| **Comments** | Available in Defender for Endpoint version 100.83.73 or higher. | #### Antivirus scan history retention (in days) @@ -229,7 +229,7 @@ Specify the number of days that results are retained in the scan history on the | **Key** | scanResultsRetentionDays | | **Data type** | String | | **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. | -| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. | +| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. | #### Maximum number of items in the antivirus scan history @@ -240,7 +240,7 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu | **Key** | scanHistoryMaximumItems | | **Data type** | String | | **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. | -| **Comments** | Available in Microsoft Defender ATP version 101.04.76 or higher. | +| **Comments** | Available in Defender for Endpoint version 101.04.76 or higher. | ### Cloud-delivered protection preferences @@ -264,7 +264,7 @@ Determines whether cloud-delivered protection is enabled on the device or not. T #### Diagnostic collection level -Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft. +Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by the product to Microsoft. ||| |:---|:---| @@ -298,7 +298,7 @@ Determines whether security intelligence updates are installed automatically: ## Recommended configuration profile -To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. +To get started, we recommend the following configuration profile for your enterprise to take advantage of all protection features that Defender for Endpoint provides. The following configuration profile will: @@ -407,4 +407,4 @@ If the JSON is well-formed, the above command outputs it back to the Terminal an ## Configuration profile deployment -Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Microsoft Defender ATP for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file. +Once you've built the configuration profile for your enterprise, you can deploy it through the management tool that your enterprise is using. Defender for Endpoint for Linux reads the managed configuration from the */etc/opt/microsoft/mdatp/managed/mdatp_managed.json* file. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md index e5d120eb83..60205953d5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md @@ -17,32 +17,32 @@ ms.collection: M365-security-compliance ms.topic: conceptual --- -# Privacy for Microsoft Defender ATP for Linux +# Privacy for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint](microsoft-defender-atp-linux.md) -Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Linux. +Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Defender for Endpoint for Linux. This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. -## Overview of privacy controls in Microsoft Defender ATP for Linux +## Overview of privacy controls in Microsoft Defender for Endpoint for Linux -This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Linux. +This section describes the privacy controls for the different types of data collected by Defender for Endpoint for Linux. ### Diagnostic data -Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. +Diagnostic data is used to keep Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations. -There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from: +There are two levels of diagnostic data for Defender for Endpoint client software that you can choose from: -* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on. +* **Required**: The minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and performing as expected on the device it’s installed on. * **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. @@ -68,7 +68,7 @@ There are three levels for controlling sample submission: If you're an IT administrator, you might want to configure these controls at the enterprise level. -The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). +The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. @@ -89,20 +89,20 @@ The following fields are considered common for all events: | org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | | hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | -| app_version | Version of the Microsoft Defender ATP for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| +| app_version | Version of the Defender for Endpoint for Linux application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| | sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | | supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | | release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | ### Required diagnostic data -**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on. +**Required diagnostic data** is the minimum data necessary to help keep Defender for Endpoint secure, up-to-date, and perform as expected on the device it’s installed on. -Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. +Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. #### Software setup and inventory data events -**Microsoft Defender ATP installation / uninstallation** +**Microsoft Defender for Endpoint installation / uninstallation** The following fields are collected: @@ -114,7 +114,7 @@ The following fields are collected: | code | Code that describes the operation. | | text | Additional information associated with the product installation. | -**Microsoft Defender ATP configuration** +**Microsoft Defender for Endpoint configuration** The following fields are collected: @@ -123,7 +123,7 @@ The following fields are collected: | antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | | antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | | cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | -| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | +| cloud_service.timeout | Time out when the application communicates with the Defender for Endpoint cloud. | | cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | | cloud_service.service_uri | URI used to communicate with the cloud. | | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | @@ -156,7 +156,7 @@ The following fields are collected: | Field | Description | | ---------------- | ----------- | -| version | Version of Microsoft Defender ATP for Linux. | +| version | Version of Defender for Endpoint for Linux. | | instance_id | Unique identifier generated on kernel extension startup. | | trace_level | Trace level of the kernel extension. | | subsystem | The underlying subsystem used for real-time protection. | @@ -171,7 +171,7 @@ The following fields are collected: Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: - All files under */var/log/microsoft/mdatp* -- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Microsoft Defender ATP for Linux +- Subset of files under */etc/opt/microsoft/mdatp* that are created and used by Defender for Endpoint for Linux - Product installation and uninstallation logs under */var/log/microsoft_mdatp_\*.log* ### Optional diagnostic data @@ -184,7 +184,7 @@ Examples of optional diagnostic data include data Microsoft collects about produ #### Software setup and inventory data events -**Microsoft Defender ATP configuration** +**Microsoft Defender for Endpoint configuration** The following fields are collected: diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md index 58b9c14323..ff2da099a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -19,16 +19,16 @@ ms.collection: ms.topic: conceptual --- -# Detect and block potentially unwanted applications with Microsoft Defender ATP for Linux +# Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) -The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Linux can detect and block PUA files on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Defender for Endpoint for Linux can detect and block PUA files on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. @@ -36,13 +36,13 @@ These applications can increase the risk of your network being infected with mal ## How it works -Microsoft Defender ATP for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. +Defender for Endpoint for Linux can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. -When a PUA is detected on an endpoint, Microsoft Defender ATP for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application". +When a PUA is detected on an endpoint, Defender for Endpoint for Linux keeps a record of the infection in the threat history. The history can be visualized from the Microsoft Defender Security Center portal or through the `mdatp` command-line tool. The threat name will contain the word "Application". ## Configure PUA protection -PUA protection in Microsoft Defender ATP for Linux can be configured in one of the following ways: +PUA protection in Defender for Endpoint for Linux can be configured in one of the following ways: - **Off**: PUA protection is disabled. - **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No record of the infection is stored in the threat history and no action is taken by the product. @@ -63,8 +63,8 @@ mdatp threat policy set --type potentially_unwanted_application --action [off|au ### Use the management console to configure PUA protection: -In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) article. +In your enterprise, you can configure PUA protection from a management console, such as Puppet or Ansible, similarly to how other product settings are configured. For more information, see the [Threat type settings](linux-preferences.md#threat-type-settings) section of the [Set preferences for Defender for Endpoint for Linux](linux-preferences.md) article. ## Related articles -- [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md) +- [Set preferences for Defender for Endpoint for Linux](linux-preferences.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 7c779b7d9d..3b12f36855 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -27,7 +27,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) ## Collect diagnostic information @@ -44,7 +44,7 @@ If you can reproduce a problem, first increase the logging level, run the system 2. Reproduce the problem. -3. Run the following command to back up Microsoft Defender ATP's logs. The files will be stored inside of a .zip archive. +3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. ```bash sudo mdatp diagnostic create @@ -71,7 +71,7 @@ The detailed log will be saved to `/var/log/microsoft/mdatp_install.log`. If you ## Uninstall -There are several ways to uninstall Microsoft Defender ATP for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool. +There are several ways to uninstall Defender for Endpoint for Linux. If you are using a configuration tool such as Puppet, follow the package uninstallation instructions for the configuration tool. ### Manual uninstallation @@ -125,9 +125,9 @@ The following table lists commands for some of the most common scenarios. Run `m |Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` | |Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` | -## Microsoft Defender ATP portal information +## Microsoft Defender for Endpoint portal information -In the Microsoft Defender ATP portal, you'll see two categories of information: +In the Defender for Endpoint portal, you'll see two categories of information: - Antivirus alerts, including: - Severity diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md index d3b7796378..6f0bf1667a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-static-proxy-configuration.md @@ -20,14 +20,14 @@ ms.collection: ms.topic: conceptual --- -# Configure Microsoft Defender ATP for Linux for static proxy discovery +# Configure Microsoft Defender for Endpoint for Linux for static proxy discovery [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) Microsoft Defender ATP can discover a proxy server using the ```HTTPS_PROXY``` environment variable. This setting must be configured **both** at installation time and after the product has been installed. @@ -50,7 +50,7 @@ During installation, the ```HTTPS_PROXY``` environment variable must be passed t > [!CAUTION] > Note that above two methods could define the proxy to use for other applications on your system. Use this method with caution, or only if this is meant to be a generally global configuration. -- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender ATP: +- The `HTTPS_PROXY` variable is prepended to the installation or uninstallation commands. For example, with the APT package manager, prepend the variable as follows when installing Microsoft Defender for Endpoint: ```bash HTTPS_PROXY="http://proxy.server:port/" apt install mdatp @@ -65,7 +65,7 @@ Note that installation and uninstallation will not necessarily fail if a proxy i ## Post installation configuration -After installation, the `HTTPS_PROXY` environment variable must be defined in the Microsoft Defender ATP service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways: +After installation, the `HTTPS_PROXY` environment variable must be defined in the Defender for Endpoint service file. To do this, open `/lib/systemd/system/mdatp.service` in a text editor while running as the root user. You can then propagate the variable to the service in one of two ways: - Uncomment the line `#Environment="HTTPS_PROXY=http://address:port"` and specify your static proxy address. diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md index 3406767afa..74db615cdb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-connectivity.md @@ -20,18 +20,18 @@ ms.collection: ms.topic: conceptual --- -# Troubleshoot cloud connectivity issues for Microsoft Defender ATP for Linux +# Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) ## Run the connectivity test -To test if Microsoft Defender ATP for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line: +To test if Defender for Endpoint for Linux can communicate to the cloud with the current network settings, run a connectivity test from the command line: ```bash mdatp connectivity test @@ -59,7 +59,7 @@ OK https://cdn.x.cp.wd.microsoft.com/ping > [!WARNING] > PAC, WPAD, and authenticated proxies are not supported. Ensure that only a static proxy or transparent proxy is being used. > -> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Microsoft Defender ATP for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. +> SSL inspection and intercepting proxies are also not supported for security reasons. Configure an exception for SSL inspection and your proxy server to directly pass through data from Defender for Endpoint for Linux to the relevant URLs without interception. Adding your interception certificate to the global store will not allow for interception. If a static proxy is required, add a proxy parameter to the above command, where `proxy_address:port` correspond to the proxy address and port: @@ -80,7 +80,7 @@ To use a static proxy, the `mdatp.service` file must be modified. Ensure the lea Also ensure that the correct static proxy address is filled in to replace `address:port`. -If this file is correct, try running the following command in the terminal to reload Microsoft Defender ATP for Linux and propagate the setting: +If this file is correct, try running the following command in the terminal to reload Defender for Endpoint for Linux and propagate the setting: ```bash sudo systemctl daemon-reload; sudo systemctl restart mdatp @@ -96,4 +96,4 @@ If the problem persists, contact customer support. ## Resources -- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender ATP for static proxy discovery](linux-static-proxy-configuration.md). +- For more information about how to configure the product to use a static proxy, see [Configure Microsoft Defender for Endpoint for static proxy discovery](linux-static-proxy-configuration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md index 15d0e69c78..960de74bcc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-install.md @@ -20,14 +20,14 @@ ms.collection: ms.topic: conceptual --- -# Troubleshoot installation issues for Microsoft Defender ATP for Linux +# Troubleshoot installation issues for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) ## Verify if installation succeeded diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md index 8390f37105..e8173e8958 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-support-perf.md @@ -19,24 +19,24 @@ mms.collection: ms.topic: conceptual --- -# Troubleshoot performance issues for Microsoft Defender ATP for Linux +# Troubleshoot performance issues for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) -This article provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Linux. +This article provides some general steps that can be used to narrow down performance issues related to Defender for Endpoint for Linux. -Real-time protection (RTP) is a feature of Microsoft Defender ATP for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. +Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. -Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Linux. +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux. The following steps can be used to troubleshoot and mitigate these issues: -1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Linux is contributing to the performance issues. +1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues. If your device is not managed by your organization, real-time protection can be disabled from the command line: @@ -47,9 +47,9 @@ The following steps can be used to troubleshoot and mitigate these issues: Configuration property updated ``` - If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Linux](linux-preferences.md). + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md). -2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Microsoft Defender ATP for Linux. +2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux. > [!NOTE] > This feature is available in version 100.90.70 or newer. @@ -81,13 +81,13 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp diagnostic real_time_protection_statistics # you can use ‘> stat.log’ to redirect to file ``` - The output of this command will show all processes and their associated scan activity. To improve the performance of Microsoft Defender ATP for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + The output of this command will show all processes and their associated scan activity. To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted. 3. Use the `top` command-line tool and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -4. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +4. Configure Defender for Endpoint for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - For more details, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md). + For more details, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md index dd01c882b0..7c9fe1e51e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-updates.md @@ -20,24 +20,24 @@ ms.collection: ms.topic: conceptual --- -# Deploy updates for Microsoft Defender ATP for Linux +# Deploy updates for Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Linux](microsoft-defender-atp-linux.md) +- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. > [!WARNING] -> Each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command: +> Each version of Defender for Endpoint for Linux has an expiration date, after which it will no longer continue to protect your device. You must update the product prior to this date. To check the expiration date, run the following command: > ```bash > mdatp health --field product_expiration > ``` -To update Microsoft Defender ATP for Linux manually, execute one of the following commands: +To update Defender for Endpoint for Linux manually, execute one of the following commands: ## RHEL and variants (CentOS and Oracle Linux) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md index 8e290c8ff5..85ee3ab500 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-whatsnew.md @@ -19,7 +19,7 @@ ms.collection: ms.topic: conceptual --- -# What's new in Microsoft Defender Advanced Threat Protection for Linux +# What's new in Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 68a0143833..7c5bb16771 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +- [Microsoft Defender for Endpoint](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Learn about common commands used in live response and see examples on how they are typically used. diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 35a1c20298..312550fb3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats—in real time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 3eeb408c4d..04b95ce93b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -19,30 +19,30 @@ ms.collection: ms.topic: conceptual --- -# Configure and validate exclusions for Microsoft Defender ATP for Mac +# Configure and validate exclusions for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) This article provides information on how to define exclusions that apply to on-demand scans, and real-time protection and monitoring. >[!IMPORTANT] ->The exclusions described in this article don't apply to other Microsoft Defender ATP for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. +>The exclusions described in this article don't apply to other Defender for Endpoint for Mac capabilities, including endpoint detection and response (EDR). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. -You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender ATP for Mac scans. +You can exclude certain files, folders, processes, and process-opened files from Defender for Endpoint for Mac scans. -Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Microsoft Defender ATP for Mac. +Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization. They can also be useful for mitigating performance issues caused by Defender for Endpoint for Mac. >[!WARNING] ->Defining exclusions lowers the protection offered by Microsoft Defender ATP for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +>Defining exclusions lowers the protection offered by Defender for Endpoint for Mac. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. ## Supported exclusion types -The follow table shows the exclusion types supported by Microsoft Defender ATP for Mac. +The follow table shows the exclusion types supported by Defender for Endpoint for Mac. Exclusion | Definition | Examples ---|---|--- @@ -62,11 +62,11 @@ Wildcard | Description | Example | Matches | Does not match ### From the management console -For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). +For more information on how to configure exclusions from JAMF, Intune, or another management console, see [Set preferences for Defender for Endpoint for Mac](mac-preferences.md). ### From the user interface -Open the Microsoft Defender ATP application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot: +Open the Defender for Endpoint application and navigate to **Manage settings** > **Add or Remove Exclusion...**, as shown in the following screenshot: ![Manage exclusions screenshot](../microsoft-defender-antivirus/images/mdatp-37-exclusions.png) @@ -82,7 +82,7 @@ In the following Bash snippet, replace `test.txt` with a file that conforms to y curl -o test.txt https://www.eicar.org/download/eicar.com.txt ``` -If Microsoft Defender ATP for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). +If Defender for Endpoint for Mac reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm that the contents are the same as what is described on the [EICAR test file website](http://2016.eicar.org/86-0-Intended-use.html). If you do not have Internet access, you can create your own EICAR test file. Write the EICAR string to a new text file with the following Bash command: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md index 59d65172e9..d1f6337306 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md @@ -26,7 +26,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) 1. Enter your credentials. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 3f720e90e8..7f15b5ad73 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -19,16 +19,16 @@ ms.collection: ms.topic: conceptual --- -# Manual deployment for Microsoft Defender ATP for macOS +# Manual deployment for Microsoft Defender for Endpoint for macOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for macOS](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for macOS](microsoft-defender-atp-mac.md) -This topic describes how to deploy Microsoft Defender ATP for macOS manually. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender for Endpoint for macOS manually. A successful deployment requires the completion of all of the following steps: - [Download installation and onboarding packages](#download-installation-and-onboarding-packages) - [Application installation (macOS 10.15 and older versions)](#application-installation-macos-1015-and-older-versions) - [Application installation (macOS 11 and newer versions)](#application-installation-macos-11-and-newer-versions) @@ -36,7 +36,7 @@ This topic describes how to deploy Microsoft Defender ATP for macOS manually. A ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender for Endpoint for macOS page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Download installation and onboarding packages @@ -75,10 +75,10 @@ To complete this process, you must have admin privileges on the device. The installation proceeds. > [!CAUTION] - > If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this. + > If you don't select **Allow**, the installation will proceed after 5 minutes. Microsoft Defender for Endpoint will be loaded, but some features, such as real-time protection, will be disabled. See [Troubleshoot kernel extension issues](mac-support-kext.md) for information on how to resolve this. > [!NOTE] -> macOS may request to reboot the device upon the first installation of Microsoft Defender. Real-time protection will not be available until the device is rebooted. +> macOS may request to reboot the device upon the first installation of Microsoft Defender for Endpoint. Real-time protection will not be available until the device is rebooted. ## Application installation (macOS 11 and newer versions) @@ -98,9 +98,9 @@ To complete this process, you must have admin privileges on the device. ![System extension security preferences](images/big-sur-install-3.png) -5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender ATP for Mac. +5. Repeat steps 3 & 4 for all system extensions distributed with Microsoft Defender for Endpoint for Mac. -6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender ATP permissions to filter network traffic, select **Allow**. +6. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. When prompted to grant Microsoft Defender for Endpoint permissions to filter network traffic, select **Allow**. ![System extension security preferences](images/big-sur-install-4.png) @@ -110,7 +110,7 @@ To complete this process, you must have admin privileges on the device. ## Client configuration -1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender ATP for macOS. +1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the device where you deploy Microsoft Defender for Endpoint for macOS. The client device is not associated with orgId. Note that the *orgId* attribute is blank. @@ -138,9 +138,9 @@ After installation, you'll see the Microsoft Defender icon in the macOS status b ## How to Allow Full Disk Access > [!CAUTION] -> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. +> macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device. -To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender ATP. +To grant consent, open System Preferences -> Security & Privacy -> Privacy -> Full Disk Access. Click the lock icon to make changes (bottom of the dialog box). Select Microsoft Defender for Endpoint. ## Logging installation issues @@ -148,4 +148,4 @@ See [Logging installation issues](mac-resources.md#logging-installation-issues) ## Uninstallation -See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for macOS from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint for macOS from client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index a1fd86434f..87c1b96104 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -19,20 +19,20 @@ ms.collection: ms.topic: conceptual --- -# Intune-based deployment for Microsoft Defender ATP for Mac +# Intune-based deployment for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] > [!NOTE] -> This documentation explains the legacy method for deploying and configuring Microsoft Defender ATP on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.

    ->The blog post [MEM simplifies deployment of Microsoft Defender ATP for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender ATP for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender ATP to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos). +> This documentation explains the legacy method for deploying and configuring Microsoft Defender for Endpoint on macOS devices. The native experience is now available in the MEM console. The release of the native UI in the MEM console provide admins with a much simpler way to configure and deploy the application and send it down to macOS devices.

    +>The blog post [MEM simplifies deployment of Microsoft Defender for Endpoint for macOS](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/microsoft-endpoint-manager-simplifies-deployment-of-microsoft/ba-p/1322995) explains the new features. To configure the app, go to [Settings for Microsoft Defender for Endpoint for Mac in Microsoft InTune](https://docs.microsoft.com/mem/intune/protect/antivirus-microsoft-defender-settings-macos). To deploy the app, go to [Add Microsoft Defender for Endpoint to macOS devices using Microsoft Intune](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos). **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -This topic describes how to deploy Microsoft Defender ATP for Mac through Intune. A successful deployment requires the completion of all of the following steps: +This topic describes how to deploy Microsoft Defender for Endpoint for Mac through Intune. A successful deployment requires the completion of all of the following steps: 1. [Download installation and onboarding packages](#download-installation-and-onboarding-packages) 1. [Client device setup](#client-device-setup) @@ -42,22 +42,22 @@ This topic describes how to deploy Microsoft Defender ATP for Mac through Intune ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main MIcrosoft Defender for EndpointP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Overview -The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender ATP for Macs, via Intune. More detailed steps are available below. +The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint for Macs, via Intune. More detailed steps are available below. | Step | Sample file names | BundleIdentifier | |-|-|-| | [Download installation and onboarding packages](#download-installation-and-onboarding-packages) | WindowsDefenderATPOnboarding__MDATP_wdav.atp.xml | com.microsoft.wdav.atp | -| [Approve System Extension for Microsoft Defender ATP](#approve-system-extensions) | MDATP_SysExt.xml | N/A | -| [Approve Kernel Extension for Microsoft Defender ATP](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A | -| [Grant full disk access to Microsoft Defender ATP](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | +| [Approve System Extension for Microsoft Defender for Endpoint](#approve-system-extensions) | MDATP_SysExt.xml | N/A | +| [Approve Kernel Extension for Microsoft Defender for Endpoint](#download-installation-and-onboarding-packages) | MDATP_KExt.xml | N/A | +| [Grant full disk access to Microsoft Defender for Endpoint](#create-system-configuration-profiles-step-8) | MDATP_tcc_Catalina_or_newer.xml | com.microsoft.wdav.tcc | | [Network Extension policy](#create-system-configuration-profiles-step-9) | MDATP_NetExt.xml | N/A | | [Configure Microsoft AutoUpdate (MAU)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-updates#intune) | MDATP_Microsoft_AutoUpdate.xml | com.microsoft.autoupdate2 | -| [Microsoft Defender ATP configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

    **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | -| [Configure Microsoft Defender ATP and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | +| [Microsoft Defender for Endpoint configuration settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-preferences#intune-profile-1)

    **Note:** If you are planning to run a third party AV for macOS, set `passiveMode` to `true`. | MDATP_WDAV_and_exclusion_settings_Preferences.xml | com.microsoft.wdav | +| [Configure Microsoft Defender for Endpoint and MS AutoUpdate (MAU) notifications](#create-system-configuration-profiles-step-10) | MDATP_MDAV_Tray_and_AutoUpdate2.mobileconfig | com.microsoft.autoupdate2 or com.microsoft.wdav.tray | ## Download installation and onboarding packages @@ -191,13 +191,13 @@ To approve the system extensions: 8. Download `fulldisk.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) and save it as `tcc.xml`. Create another profile, give it any name and upload this file to it.     > [!CAUTION] - > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. + > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device. > - > This configuration profile grants Full Disk Access to Microsoft Defender ATP. If you previously configured Microsoft Defender ATP through Intune, we recommend you update the deployment with this configuration profile. + > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile. -9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. +9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. -10. To allow Microsoft Defender ATP for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. +10. To allow Microsoft Defender for Endpoint for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. 11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. @@ -221,10 +221,10 @@ Once the Intune changes are propagated to the enrolled devices, you can see them 6. Set *Ignore app version* to **Yes**. Other settings can be any arbitrary value. > [!CAUTION] - > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. + > Setting *Ignore app version* to **No** impacts the ability of the application to receive updates through Microsoft AutoUpdate. See [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md) for additional information about how the product is updated. > - > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Defender. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender ATP for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Defender with *Ignore app version* set to **No**, please change it to **Yes**. If Defender still cannot be installed on a client device, then uninstall Defender and push the updated policy. - + > If the version uploaded by Intune is lower than the version on the device, then the lower version will be installed, effectively downgrading Microsoft Defender for Endpoint. This could result in a non-functioning application. See [Deploy updates for Microsoft Defender for Endpoint for Mac](mac-updates.md) for additional information about how the product is updated. If you deployed Microsoft Defender for Endpoint with *Ignore app version* set to **No**, please change it to **Yes**. If Microsoft Defender for Endpoint still cannot be installed on a client device, then uninstall Microsoft Defender for Endpoint and push the updated policy. + > [!div class="mx-imgBorder"] > ![Device status blade screenshot](../microsoft-defender-antivirus/images/MDATP-8-IntuneAppInfo.png) @@ -277,4 +277,4 @@ For more information on how to find the automatically generated log that is crea ## Uninstallation -See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices. +See [Uninstalling](mac-resources.md#uninstalling) for details on how to remove Microsoft Defender for Endpoint for Mac from client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index b02fdd72d5..1585ac5850 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -19,23 +19,23 @@ ms.collection: ms.topic: conceptual --- -# Deploying Microsoft Defender ATP for macOS with Jamf Pro +# Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -Learn how to deploy Microsoft Defender ATP for macOS with Jamf Pro. +Learn how to deploy Microsoft Defender for Endpoint for macOS with Jamf Pro. This is a multi step process. You'll need to complete all of the following steps: - [Login to the Jamf Portal](mac-install-jamfpro-login.md) -- [Setup the Microsoft Defender ATP for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md) -- [Setup the Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md) -- [Enroll the Microsoft Defender ATP for macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md) +- [Setup the Microsoft Defender for Endpoint for macOS device groups in Jamf Pro](mac-jamfpro-device-groups.md) +- [Setup the Microsoft Defender for Endpoint for macOS policies in Jamf Pro](mac-jamfpro-policies.md) +- [Enroll the Microsoft Defender for Endpoint for macOS devices into Jamf Pro](mac-jamfpro-enroll-devices.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 1e43a13d07..68a77f3f8f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -19,27 +19,27 @@ ms.collection: ms.topic: conceptual --- -# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender ATP for Mac +# Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) ## Prerequisites and system requirements -Before you get started, see [the main Microsoft Defender ATP for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. +Before you get started, see [the main Microsoft Defender for Endpoint for Mac page](microsoft-defender-atp-mac.md) for a description of prerequisites and system requirements for the current software version. ## Approach > [!CAUTION] -> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender ATP for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below. +> Currently, Microsoft oficially supports only Intune and JAMF for the deployment and management of Microsoft Defender for Endpoint for Mac. Microsoft makes no warranties, express or implied, with respect to the information provided below. -If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender ATP for Mac. +If your organization uses a Mobile Device Management (MDM) solution that is not officially supported, this does not mean you are unable to deploy or run Microsoft Defender for Endpoint for Mac. -Microsoft Defender ATP for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features: +Microsoft Defender for Endpoint for Mac does not depend on any vendor-specific features. It can be used with any MDM solution that supports the following features: - Deploy a macOS .pkg to managed devices. - Deploy macOS system configuration profiles to managed devices. @@ -66,7 +66,7 @@ In order to deploy the package to your enterprise, use the instructions associat ### License settings Set up [a system configuration profile](mac-install-with-jamf.md). -Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender ATP for Mac is not part of macOS. +Your MDM solution may call it something like "Custom Settings Profile", as Microsoft Defender for Endpoint for Mac is not part of macOS. Use the property list, jamf/WindowsDefenderATPOnboarding.plist, which can be extracted from an onboarding package downloaded from [Microsoft Defender Security Center](mac-install-with-jamf.md). Your system may support an arbitrary property list in XML format. You can upload the jamf/WindowsDefenderATPOnboarding.plist file as-is in that case. @@ -90,19 +90,19 @@ Set up a system extension policy. Use team identifier **UBF8T346G9** and approve Grant Full Disk Access to the following components: -- Microsoft Defender ATP +- Microsoft Defender for Endpoint - Identifier: `com.microsoft.wdav` - Identifier Type: Bundle ID - Code Requirement: identifier "com.microsoft.wdav" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /\* exists \*/ and certificate leaf[field.1.2.840.113635.100.6.1.13] /\* exists \*/ and certificate leaf[subject.OU] = UBF8T346G9 -- Microsoft Defender ATP Endpoint Security Extension +- Microsoft Defender for Endpoint Endpoint Security Extension - Identifier: `com.microsoft.wdav.epsext` - Identifier Type: Bundle ID - Code Requirement: identifier "com.microsoft.wdav.epsext" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = UBF8T346G9 ### Network extension policy -As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. +As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. - Filter type: Plugin - Plugin bundle identifier: `com.microsoft.wdav` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index 04cb07cd04..d0bde6a3d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md @@ -19,14 +19,14 @@ ms.collection: ms.topic: conceptual --- -# Set up Microsoft Defender ATP for macOS device groups in Jamf Pro +# Set up Microsoft c for macOS device groups in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) Set up the device groups similar to Group policy organizational unite (OUs), Microsoft Endpoint Configuration Manager's device collection, and Intune's device groups. @@ -45,4 +45,4 @@ Set up the device groups similar to Group policy organizational unite (OUs), Mi ![Image of Jamf Pro](images/contoso-machine-group.png) ## Next step -- [Set up Microsoft Defender ATP for macOS policies in Jamf Pro](mac-jamfpro-policies.md) +- [Set up Microsoft Defender for Endpoint for macOS policies in Jamf Pro](mac-jamfpro-policies.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md index ffd3980a4a..d6954e0d90 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md @@ -19,14 +19,14 @@ ms.collection: ms.topic: conceptual --- -# Enroll Microsoft Defender ATP for macOS devices into Jamf Pro +# Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) ## Enroll macOS devices diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index a56afd0ef7..5faeec9c8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -19,43 +19,43 @@ ms.collection: ms.topic: conceptual --- -# Set up the Microsoft Defender ATP for macOS policies in Jamf Pro +# Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) This page will guide you through the steps you need to take to set up macOS policies in Jamf Pro. You'll need to take the following steps: -1. [Get the Microsoft Defender ATP onboarding package](#step-1-get-the-microsoft-defender-atp-onboarding-package) +1. [Get the Microsoft Defender for Endpoint onboarding package](#step-1-get-the-microsoft-defender-for-endpoint-onboarding-package) 2. [Create a configuration profile in Jamf Pro using the onboarding package](#step-2-create-a-configuration-profile-in-jamf-pro-using-the-onboarding-package) -3. [Configure Microsoft Defender ATP settings](#step-3-configure-microsoft-defender-atp-settings) +3. [Configure Microsoft Defender for Endpoint settings](#step-3-configure-microsoft-defender-for-endpoint-settings) -4. [Configure Microsoft Defender ATP notification settings](#step-4-configure-notifications-settings) +4. [Configure Microsoft Defender for Endpoint notification settings](#step-4-configure-notifications-settings) 5. [Configure Microsoft AutoUpdate (MAU)](#step-5-configure-microsoft-autoupdate-mau) -6. [Grant full disk access to Microsoft Defender ATP](#step-6-grant-full-disk-access-to-microsoft-defender-atp) +6. [Grant full disk access to Microsoft Defender for Endpoint](#step-6-grant-full-disk-access-to-microsoft-defender-for-endpoint) -7. [Approve Kernel extension for Microsoft Defender ATP](#step-7-approve-kernel-extension-for-microsoft-defender-atp) +7. [Approve Kernel extension for Microsoft Defender for Endpoint](#step-7-approve-kernel-extension-for-microsoft-defender-for-endpoint) -8. [Approve System extensions for Microsoft Defender ATP](#step-8-approve-system-extensions-for-microsoft-defender-atp) +8. [Approve System extensions for Microsoft Defender for Endpoint](#step-8-approve-system-extensions-for-microsoft-defender-for-endpoint) 9. [Configure Network Extension](#step-9-configure-network-extension) -10. [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp) +10. [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp) -11. [Deploy Microsoft Defender ATP for macOS](#step-11-deploy-microsoft-defender-atp-for-macos) +11. [Deploy Microsoft Defender for Endpoint for macOS](#step-11-deploy-microsoft-defender-for-endpoint-for-macos) -## Step 1: Get the Microsoft Defender ATP onboarding package +## Step 1: Get the Microsoft Defender for Endpoint onboarding package 1. In [Microsoft Defender Security Center](https://securitycenter.microsoft.com ), navigate to **Settings > Onboarding**. @@ -131,9 +131,9 @@ You'll need to take the following steps: ![List of configuration profiles](images/jamfpro-configuration-policies.png) -## Step 3: Configure Microsoft Defender ATP settings +## Step 3: Configure Microsoft Defender for Endpoint settings -1. Use the following Microsoft Defender ATP configuration settings: +1. Use the following Microsoft Defender for Endpoint configuration settings: - enableRealTimeProtection - passiveMode @@ -401,7 +401,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. ## Step 5: Configure Microsoft AutoUpdate (MAU) -1. Use the following Microsoft Defender ATP configuration settings: +1. Use the following Microsoft Defender for Endpoint configuration settings: ```XML @@ -483,7 +483,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. ![Image of configuration setting](images/ba44cdb77e4781aa8b940fb83e3c21f7.png) -## Step 6: Grant full disk access to Microsoft Defender ATP +## Step 6: Grant full disk access to Microsoft Defender for Endpoint 1. In the Jamf Pro dashboard, select **Configuration Profiles**. @@ -573,7 +573,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. ![Image of configuration setting](images/6c8b406ee224335a8c65d06953dc756e.png) -## Step 7: Approve Kernel extension for Microsoft Defender ATP +## Step 7: Approve Kernel extension for Microsoft Defender for Endpoint 1. In the **Configuration Profiles**, select **+ New**. @@ -624,7 +624,7 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. ![Image of configuration settings](images/1c9bd3f68db20b80193dac18f33c22d0.png) -## Step 8: Approve System extensions for Microsoft Defender ATP +## Step 8: Approve System extensions for Microsoft Defender for Endpoint 1. In the **Configuration Profiles**, select **+ New**. @@ -679,10 +679,10 @@ These steps are applicable of macOS 10.15 (Catalina) or newer. ## Step 9: Configure Network Extension -As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. +As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. >[!NOTE] ->JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. +>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. >As such, the following steps provide a workaround that involve signing the configuration profile. 1. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig) to your device and save it as `com.microsoft.network-extension.mobileconfig` @@ -733,10 +733,10 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender ![Image of configuration settings](images/netext-final.png) -## Step 10: Schedule scans with Microsoft Defender ATP for Mac -Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp). +## Step 10: Schedule scans with Microsoft Defender for Endpoint for Mac +Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp). -## Step 11: Deploy Microsoft Defender ATP for macOS +## Step 11: Deploy Microsoft Defender for Endpoint for macOS 1. Navigate to where you saved `wdav.pkg`. @@ -776,8 +776,6 @@ Follow the instructions on [Schedule scans with Microsoft Defender ATP for Mac]( 8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. - - Manifest File: Select **Upload Manifest File**. - **Options tab**
    Keep default values. **Limitations tab**
    Keep default values. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index ec94cef29a..615f212fd6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -19,21 +19,21 @@ ms.collection: ms.topic: conceptual --- -# Set preferences for Microsoft Defender ATP for Mac +# Set preferences for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) >[!IMPORTANT] ->This article contains instructions for how to set preferences for Microsoft Defender ATP for Mac in enterprise organizations. To configure Microsoft Defender ATP for Mac using the command-line interface, see [Resources](mac-resources.md#configuring-from-the-command-line). +>This article contains instructions for how to set preferences for Microsoft Defender for Endpoint for Mac in enterprise organizations. To configure Microsoft Defender for Endpoint for Mac using the command-line interface, see [Resources](mac-resources.md#configuring-from-the-command-line). ## Summary -In enterprise organizations, Microsoft Defender ATP for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions. +In enterprise organizations, Microsoft Defender for Endpoint for Mac can be managed through a configuration profile that is deployed by using one of several management tools. Preferences that are managed by your security operations team take precedence over preferences that are set locally on the device. Changing the preferences that are set through the configuration profile requires escalated privileges and is not available for users without administrative permissions. This article describes the structure of the configuration profile, includes a recommended profile that you can use to get started, and provides instructions on how to deploy the profile. @@ -44,11 +44,11 @@ The configuration profile is a *.plist* file that consists of entries identified >[!CAUTION] >The layout of the configuration profile depends on the management console that you are using. The following sections contain examples of configuration profiles for JAMF and Intune. -The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft Defender ATP, which are explained in more detail in the next sections. +The top level of the configuration profile includes product-wide preferences and entries for subareas of Microsoft Defender for Endpoint, which are explained in more detail in the next sections. ### Antivirus engine preferences -The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of Microsoft Defender ATP. +The *antivirusEngine* section of the configuration profile is used to manage the preferences of the antivirus component of Microsoft Defender for Endpoint. ||| |:---|:---| @@ -83,7 +83,7 @@ Specify whether the antivirus engine runs in passive mode. Passive mode has the | **Key** | passiveMode | | **Data type** | Boolean | | **Possible values** | false (default)
    true | -| **Comments** | Available in Microsoft Defender ATP version 100.67.60 or higher. | +| **Comments** | Available in Microsoft Defender for Endpoint version 100.67.60 or higher. | #### Exclusion merge policy @@ -95,7 +95,7 @@ Specify the merge policy for exclusions. This can be a combination of administra | **Key** | exclusionsMergePolicy | | **Data type** | String | | **Possible values** | merge (default)
    admin_only | -| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. | #### Scan exclusions @@ -169,7 +169,7 @@ Specify a process for which all file activity is excluded from scanning. The pro #### Allowed threats -Specify threats by name that are not blocked by Microsoft Defender ATP for Mac. These threats will be allowed to run. +Specify threats by name that are not blocked by Defender for Endpoint for Mac. These threats will be allowed to run. ||| |:---|:---| @@ -187,11 +187,11 @@ Restricts the actions that the local user of a device can take when threats are | **Key** | disallowedThreatActions | | **Data type** | Array of strings | | **Possible values** | allow (restricts users from allowing threats)
    restore (restricts users from restoring threats from the quarantine) | -| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. | #### Threat type settings -Specify how certain threat types are handled by Microsoft Defender ATP for Mac. +Specify how certain threat types are handled by Microsoft Defender for Endpoint for Mac. ||| |:---|:---| @@ -236,7 +236,7 @@ Specify the merge policy for threat type settings. This can be a combination of | **Key** | threatTypeSettingsMergePolicy | | **Data type** | String | | **Possible values** | merge (default)
    admin_only | -| **Comments** | Available in Microsoft Defender ATP version 100.83.73 or higher. | +| **Comments** | Available in Microsoft Defender for Endpoint version 100.83.73 or higher. | #### Antivirus scan history retention (in days) @@ -248,7 +248,7 @@ Specify the number of days that results are retained in the scan history on the | **Key** | scanResultsRetentionDays | | **Data type** | String | | **Possible values** | 90 (default). Allowed values are from 1 day to 180 days. | -| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. | +| **Comments** | Available in Microsoft Defender for Endpoint version 101.07.23 or higher. | #### Maximum number of items in the antivirus scan history @@ -260,11 +260,11 @@ Specify the maximum number of entries to keep in the scan history. Entries inclu | **Key** | scanHistoryMaximumItems | | **Data type** | String | | **Possible values** | 10000 (default). Allowed values are from 5000 items to 15000 items. | -| **Comments** | Available in Microsoft Defender ATP version 101.07.23 or higher. | +| **Comments** | Available in Microsoft Defender for Endpoint version 101.07.23 or higher. | ### Cloud-delivered protection preferences -Configure the cloud-driven protection features of Microsoft Defender ATP for Mac. +Configure the cloud-driven protection features of Microsoft Defender for Endpoint for Mac. ||| |:---|:---| @@ -286,7 +286,7 @@ Specify whether to enable cloud-delivered protection the device or not. To impro #### Diagnostic collection level -Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender ATP to Microsoft. +Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. This setting determines the level of diagnostics sent by Microsoft Defender for Endpoint to Microsoft. ||| |:---|:---| @@ -318,7 +318,7 @@ Determines whether security intelligence updates are installed automatically: ### User interface preferences -Manage the preferences for the user interface of Microsoft Defender ATP for Mac. +Manage the preferences for the user interface of Microsoft Defender for Endpoint for Mac. ||| |:---|:---| @@ -338,9 +338,21 @@ Specify whether to show or hide the status menu icon in the top-right corner of | **Data type** | Boolean | | **Possible values** | false (default)
    true | +#### Show / hide option to send feedback + +Specify whether users can submit feedback to Microsoft by going to `Help` > `Send Feedback`. + +||| +|:---|:---| +| **Domain** | `com.microsoft.wdav` | +| **Key** | userInitiatedFeedback | +| **Data type** | String | +| **Possible values** | enabled (default)
    disabled | +| **Comments** | Available in Microsoft Defender for Endpoint version 101.19.61 or higher. | + ### Endpoint detection and response preferences -Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender ATP for Mac. +Manage the preferences of the endpoint detection and response (EDR) component of Microsoft Defender for Endpoint for Mac. ||| |:---|:---| @@ -390,13 +402,13 @@ Specifies the value of tag ## Recommended configuration profile -To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender ATP provides. +To get started, we recommend the following configuration for your enterprise to take advantage of all protection features that Microsoft Defender for Endpoint provides. The following configuration profile (or, in case of JAMF, a property list that could be uploaded into the custom settings configuration profile) will: - Enable real-time protection (RTP) - Specify how the following threat types are handled: - **Potentially unwanted applications (PUA)** are blocked - - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender ATP logs + - **Archive bombs** (file with a high compression rate) are audited to Microsoft Defender for Endpoint logs - Enable automatic security intelligence updates - Enable cloud-delivered protection - Enable automatic sample submission @@ -457,9 +469,9 @@ The following configuration profile (or, in case of JAMF, a property list that c PayloadIdentifier com.microsoft.wdav PayloadDisplayName - Microsoft Defender ATP settings + Microsoft Defender for Endpoint settings PayloadDescription - Microsoft Defender ATP configuration settings + Microsoft Defender for Endpoint configuration settings PayloadVersion 1 PayloadEnabled @@ -480,7 +492,7 @@ The following configuration profile (or, in case of JAMF, a property list that c PayloadIdentifier com.microsoft.wdav PayloadDisplayName - Microsoft Defender ATP configuration settings + Microsoft Defender for Endpoint configuration settings PayloadDescription PayloadVersion @@ -524,7 +536,7 @@ The following configuration profile (or, in case of JAMF, a property list that c ## Full configuration profile example -The following templates contain entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender ATP for Mac. +The following templates contain entries for all settings described in this document and can be used for more advanced scenarios where you want more control over Microsoft Defender for Endpoint for Mac. ### Property list for JAMF configuration profile @@ -626,6 +638,8 @@ The following templates contain entries for all settings described in this docum hideStatusMenuIcon + userInitiatedFeedback + enabled @@ -643,9 +657,9 @@ The following templates contain entries for all settings described in this docum PayloadIdentifier C4E6A782-0C8D-44AB-A025-EB893987A295 PayloadDisplayName - Microsoft Defender ATP settings + Microsoft Defender for Endpoint settings PayloadDescription - Microsoft Defender ATP configuration settings + Microsoft Defender for Endpoint configuration settings PayloadVersion 1 PayloadEnabled @@ -666,7 +680,7 @@ The following templates contain entries for all settings described in this docum PayloadIdentifier 99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295 PayloadDisplayName - Microsoft Defender ATP configuration settings + Microsoft Defender for Endpoint configuration settings PayloadDescription PayloadVersion @@ -766,6 +780,8 @@ The following templates contain entries for all settings described in this docum hideStatusMenuIcon + userInitiatedFeedback + enabled @@ -793,7 +809,7 @@ Once you've built the configuration profile for your enterprise, you can deploy From the JAMF console, open **Computers** > **Configuration Profiles**, navigate to the configuration profile you'd like to use, then select **Custom Settings**. Create an entry with `com.microsoft.wdav` as the preference domain and upload the *.plist* produced earlier. >[!CAUTION] ->You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender ATP. +>You must enter the correct preference domain (`com.microsoft.wdav`); otherwise, the preferences will not be recognized by Microsoft Defender for Endpoint. ### Intune deployment @@ -812,7 +828,7 @@ From the JAMF console, open **Computers** > **Configuration Profiles**, navigate 7. Select **Manage** > **Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. >[!CAUTION] ->You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized by Microsoft Defender ATP. +>You must enter the correct custom configuration profile name; otherwise, these preferences will not be recognized by Microsoft Defender for Endpoint. ## Resources diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 42d1a1e3fd..2bf5eaf608 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -19,32 +19,32 @@ ms.collection: ms.topic: conceptual --- -# Privacy for Microsoft Defender ATP for Mac +# Privacy for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender ATP for Mac. +Microsoft is committed to providing you with the information and controls you need to make choices about how your data is collected and used when you’re using Microsoft Defender for Endpoint for Mac. This topic describes the privacy controls available within the product, how to manage these controls with policy settings and more details on the data events that are collected. -## Overview of privacy controls in Microsoft Defender ATP for Mac +## Overview of privacy controls in Microsoft Defender for Endpoint for Mac -This section describes the privacy controls for the different types of data collected by Microsoft Defender ATP for Mac. +This section describes the privacy controls for the different types of data collected by Microsoft Defender for Endpoint for Mac. ### Diagnostic data -Diagnostic data is used to keep Microsoft Defender ATP secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. +Diagnostic data is used to keep Microsoft Defender for Endpoint secure and up-to-date, detect, diagnose and fix problems, and also make product improvements. Some diagnostic data is required, while some diagnostic data is optional. We give you the ability to choose whether to send us required or optional diagnostic data through the use of privacy controls, such as policy settings for organizations. -There are two levels of diagnostic data for Microsoft Defender ATP client software that you can choose from: +There are two levels of diagnostic data for Microsoft Defender for Endpoint client software that you can choose from: -* **Required**: The minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and performing as expected on the device it’s installed on. +* **Required**: The minimum data necessary to help keep Microsoft Defender for Endpoint secure, up-to-date, and performing as expected on the device it’s installed on. * **Optional**: Additional data that helps Microsoft make product improvements and provides enhanced information to help detect, diagnose, and remediate issues. @@ -66,7 +66,7 @@ When this feature is enabled and the sample that is collected is likely to conta If you're an IT administrator, you might want to configure these controls at the enterprise level. -The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). +The privacy controls for the various types of data described in the preceding section are described in detail in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). As with any new policy settings, you should carefully test them out in a limited, controlled environment to ensure the settings that you configure have the desired effect before you implement the policy settings more widely in your organization. @@ -87,7 +87,7 @@ The following fields are considered common for all events: | org_id | Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. | | hostname | Local device name (without DNS suffix). Allows Microsoft to identify whether issues are impacting a select set of installs and how many users are impacted. | | product_guid | Unique identifier of the product. Allows Microsoft to differentiate issues impacting different flavors of the product. | -| app_version | Version of the Microsoft Defender ATP for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| +| app_version | Version of the Microsoft Defender for Endpoint for Mac application. Allows Microsoft to identify which versions of the product are showing an issue so that it can correctly be prioritized.| | sig_version | Version of security intelligence database. Allows Microsoft to identify which versions of the security intelligence are showing an issue so that it can correctly be prioritized. | | supported_compressions | List of compression algorithms supported by the application, for example `['gzip']`. Allows Microsoft to understand what types of compressions can be used when it communicates with the application. | | release_ring | Ring that the device is associated with (for example Insider Fast, Insider Slow, Production). Allows Microsoft to identify on which release ring an issue may be occurring so that it can correctly be prioritized. | @@ -95,13 +95,13 @@ The following fields are considered common for all events: ### Required diagnostic data -**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender ATP secure, up-to-date, and perform as expected on the device it’s installed on. +**Required diagnostic data** is the minimum data necessary to help keep Microsoft Defender for Endpoint secure, up-to-date, and perform as expected on the device it’s installed on. -Required diagnostic data helps to identify problems with Microsoft Defender ATP that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender ATP feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender ATP features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. +Required diagnostic data helps to identify problems with Microsoft Defender for Endpoint that may be related to a device or software configuration. For example, it can help determine if a Microsoft Defender for Endpoint feature crashes more frequently on a particular operating system version, with newly introduced features, or when certain Microsoft Defender for Endpoint features are disabled. Required diagnostic data helps Microsoft detect, diagnose, and fix these problems more quickly so the impact to users or organizations is reduced. #### Software setup and inventory data events -**Microsoft Defender ATP installation / uninstallation** +**Microsoft Defender for Endpoint installation / uninstallation** The following fields are collected: @@ -113,7 +113,7 @@ The following fields are collected: | code | Code that describes the operation. | | text | Additional information associated with the product installation. | -**Microsoft Defender ATP configuration** +**Microsoft Defender for Endpoint configuration** The following fields are collected: @@ -122,7 +122,7 @@ The following fields are collected: | antivirus_engine.enable_real_time_protection | Whether real-time protection is enabled on the device or not. | | antivirus_engine.passive_mode | Whether passive mode is enabled on the device or not. | | cloud_service.enabled | Whether cloud delivered protection is enabled on the device or not. | -| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender ATP cloud. | +| cloud_service.timeout | Time out when the application communicates with the Microsoft Defender for Endpoint cloud. | | cloud_service.heartbeat_interval | Interval between consecutive heartbeats sent by the product to the cloud. | | cloud_service.service_uri | URI used to communicate with the cloud. | | cloud_service.diagnostic_level | Diagnostic level of the device (required, optional). | @@ -155,7 +155,7 @@ The following fields are collected: | Field | Description | | ---------------- | ----------- | -| version | Version of Microsoft Defender ATP for Mac. | +| version | Version of Microsoft Defender for Endpoint for Mac. | | instance_id | Unique identifier generated on kernel extension startup. | | trace_level | Trace level of the kernel extension. | | subsystem | The underlying subsystem used for real-time protection. | @@ -170,8 +170,8 @@ The following fields are collected: Diagnostic logs are collected only with the consent of the user as part of the feedback submission feature. The following files are collected as part of the support logs: - All files under */Library/Logs/Microsoft/mdatp/* -- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender ATP for Mac -- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender ATP for Mac +- Subset of files under */Library/Application Support/Microsoft/Defender/* that are created and used by Microsoft Defender for Endpoint for Mac +- Subset of files under */Library/Managed Preferences* that are used by Microsoft Defender for Endpoint for Mac - /Library/Logs/Microsoft/autoupdate.log - $HOME/Library/Preferences/com.microsoft.autoupdate2.plist @@ -185,7 +185,7 @@ Examples of optional diagnostic data include data Microsoft collects about produ #### Software setup and inventory data events -**Microsoft Defender ATP configuration** +**Microsoft Defender for Endpoint configuration** The following fields are collected: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index 266a05a30f..7668c4bfd0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -19,16 +19,16 @@ ms.collection: ms.topic: conceptual --- -# Detect and block potentially unwanted applications with Microsoft Defender ATP for Mac +# Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -The potentially unwanted application (PUA) protection feature in Microsoft Defender ATP for Mac can detect and block PUA files on endpoints in your network. +The potentially unwanted application (PUA) protection feature in Microsoft Defender for Endpoint for Mac can detect and block PUA files on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. PUA can also refer to applications that are considered to have poor reputation. @@ -36,13 +36,13 @@ These applications can increase the risk of your network being infected with mal ## How it works -Microsoft Defender ATP for Mac can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. +Microsoft Defender for Endpoint for Mac can detect and report PUA files. When configured in blocking mode, PUA files are moved to the quarantine. -When a PUA is detected on an endpoint, Microsoft Defender ATP for Mac presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". +When a PUA is detected on an endpoint, Microsoft Defender for Endpoint for Mac presents a notification to the user, unless notifications have been disabled. The threat name will contain the word "Application". ## Configure PUA protection -PUA protection in Microsoft Defender ATP for Mac can be configured in one of the following ways: +PUA protection in Microsoft Defender for Endpoint for Mac can be configured in one of the following ways: - **Off**: PUA protection is disabled. - **Audit**: PUA files are reported in the product logs, but not in Microsoft Defender Security Center. No notification is presented to the user and no action is taken by the product. @@ -63,8 +63,8 @@ mdatp --threat --type-handling potentially_unwanted_application [off|audit|block ### Use the management console to configure PUA protection: -In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md) topic. +In your enterprise, you can configure PUA protection from a management console, such as JAMF or Intune, similarly to how other product settings are configured. For more information, see the [Threat type settings](mac-preferences.md#threat-type-settings) section of the [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md) topic. ## Related topics -- [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md) +- [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 83030035f2..c6833b26ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -19,14 +19,14 @@ ms.collection: ms.topic: conceptual --- -# Resources for Microsoft Defender ATP for Mac +# Resources for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) ## Collecting diagnostic information @@ -44,7 +44,7 @@ If you can reproduce a problem, increase the logging level, run the system for s 2. Reproduce the problem -3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. +3. Run `sudo mdatp diagnostic create` to back up the Microsoft Defender for Endpoint logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. > [!TIP] > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory. @@ -73,7 +73,7 @@ The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. I ## Uninstalling -There are several ways to uninstall Microsoft Defender ATP for Mac. Note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. +There are several ways to uninstall Microsoft Defender for Endpoint for Mac. Note that while centrally managed uninstall is available on JAMF, it is not yet available for Microsoft Intune. ### Interactive uninstallation @@ -137,7 +137,7 @@ To enable autocompletion in `zsh`: echo "autoload -Uz compinit && compinit" >> ~/.zshrc ``` -- Run the following commands to enable autocompletion for Microsoft Defender ATP for Mac and restart the Terminal session: +- Run the following commands to enable autocompletion for Microsoft Defender for Endpoint for Mac and restart the Terminal session: ```zsh sudo mkdir -p /usr/local/share/zsh/site-functions @@ -146,10 +146,10 @@ To enable autocompletion in `zsh`: sudo ln -svf "/Applications/Microsoft Defender ATP.app/Contents/Resources/Tools/mdatp_completion.zsh" /usr/local/share/zsh/site-functions/_mdatp ``` -## Client Microsoft Defender ATP quarantine directory +## Client Microsoft Defender for Endpoint quarantine directory `/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. -## Microsoft Defender ATP portal information +## Microsoft Defender for Endpoint portal information -[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center. +[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender for Endpoint Security Center. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index fdad212625..98d0151efc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -19,12 +19,12 @@ ms.collection: ms.topic: conceptual --- -# Schedule scans with Microsoft Defender ATP for Mac +# Schedule scans with Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -While you can start a threat scan at any time with Microsoft Defender ATP, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. +While you can start a threat scan at any time with Microsoft Defender for Endpoint, your enterprise might benefit from scheduled or timed scans. For example, you can schedule a scan to run at the beginning of every workday or week. ## Schedule a scan with *launchd* diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md index f4a32380f3..4df09099cf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-install.md @@ -19,14 +19,14 @@ ms.collection: ms.topic: conceptual --- -# Troubleshoot installation issues for Microsoft Defender ATP for Mac +# Troubleshoot installation issues for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) ## Installation failed diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md index d369e94d36..9241a56fdf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-kext.md @@ -19,20 +19,20 @@ ms.collection: ms.topic: conceptual --- -# Troubleshoot kernel extension issues in Microsoft Defender ATP for Mac +# Troubleshoot kernel extension issues in Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender ATP for Mac. +This article provides information on how to troubleshoot issues with the kernel extension that is installed as part of Microsoft Defender for Endpoint for Mac. Starting with macOS High Sierra (10.13), macOS requires all kernel extensions to be explicitly approved before they are allowed to run on the device. -If you did not approve the kernel extension during the deployment/installation of Microsoft Defender ATP for Mac, the application displays a banner prompting you to enable it: +If you did not approve the kernel extension during the deployment/installation of Microsoft Defender for Endpoint for Mac, the application displays a banner prompting you to enable it: ![RTP disabled screenshot](../microsoft-defender-antivirus/images/MDATP-32-Main-App-Fix.png) @@ -48,7 +48,7 @@ realTimeProtectionEnabled : true ... ``` -The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender ATP for Mac. +The following sections provide guidance on how to address this issue, depending on the method that you used to deploy Microsoft Defender for Endpoint for Mac. ## Managed deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md index a05f815303..742a7507d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md @@ -19,16 +19,16 @@ ms.collection: ms.topic: conceptual --- -# Troubleshoot license issues for Microsoft Defender ATP for Mac +# Troubleshoot license issues for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -While you are going through [Microsoft Defender ATP for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error: +While you are going through [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) and [Manual deployment](mac-install-manually.md) testing or a Proof Of Concept (PoC), you might get the following error: ![Image of license error](images/no-license-found.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md index 385a3fddb2..40e8240cbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-perf.md @@ -19,28 +19,28 @@ ms.collection: ms.topic: conceptual --- -# Troubleshoot performance issues for Microsoft Defender ATP for Mac +# Troubleshoot performance issues for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) -This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender ATP for Mac. +This topic provides some general steps that can be used to narrow down performance issues related to Microsoft Defender for Endpoint for Mac. -Real-time protection (RTP) is a feature of Microsoft Defender ATP for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. +Real-time protection (RTP) is a feature of Microsoft Defender for Endpoint for Mac that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics. -Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender ATP for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender ATP for Mac. +Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Microsoft Defender for Endpoint for Mac. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Microsoft Defender for Endpoint for Mac. The following steps can be used to troubleshoot and mitigate these issues: -1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender ATP for Mac is contributing to the performance issues. +1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Microsoft Defender for Endpoint for Mac is contributing to the performance issues. If your device is not managed by your organization, real-time protection can be disabled using one of the following options: - - From the user interface. Open Microsoft Defender ATP for Mac and navigate to **Manage settings**. + - From the user interface. Open Microsoft Defender for Endpoint for Mac and navigate to **Manage settings**. ![Manage real-time protection screenshot](../microsoft-defender-antivirus/images/mdatp-36-rtp.png) @@ -50,10 +50,10 @@ The following steps can be used to troubleshoot and mitigate these issues: mdatp --config realTimeProtectionEnabled false ``` - If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender ATP for Mac](mac-preferences.md). + If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Microsoft Defender for Endpoint for Mac](mac-preferences.md). 2. Open Finder and navigate to **Applications** > **Utilities**. Open **Activity Monitor** and analyze which applications are using the resources on your system. Typical examples include software updaters and compilers. -3. Configure Microsoft Defender ATP for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. +3. Configure Microsoft Defender for Endpoint for Mac with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection. - See [Configure and validate exclusions for Microsoft Defender ATP for Mac](mac-exclusions.md) for details. + See [Configure and validate exclusions for Microsoft Defender for Endpoint for Mac](mac-exclusions.md) for details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index f53075c405..9b20ff2260 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -25,9 +25,9 @@ ROBOTS: noindex,nofollow [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. +In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. -If you have deployed Microsoft Defender ATP for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components. +If you have deployed Microsoft Defender for Endpoint for Mac in a managed environment (through JAMF, Intune, or another MDM solution), you must deploy new configuration profiles. Failure to do these steps will result in users getting approval prompts to run these new components. ## JAMF @@ -47,7 +47,7 @@ To approve the system extensions, create the following payload: ### Privacy Preferences Policy Control -Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender ATP Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device. +Add the following JAMF payload to grant Full Disk Access to the Microsoft Defender for Endpoint Endpoint Security Extension. This policy is a pre-requisite for running the extension on your device. 1. Select **Options** > **Privacy Preferences Policy Control**. 2. Use `com.microsoft.wdav.epsext` as the **Identifier** and `Bundle ID` as **Bundle type**. @@ -58,10 +58,10 @@ Add the following JAMF payload to grant Full Disk Access to the Microsoft Defend ### Network Extension Policy -As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. +As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. >[!NOTE] ->JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. +>JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender for Endpoint for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. >As such, the following steps provide a workaround that involve signing the configuration profile. 1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` using a text editor: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md index 86a435cc65..9eacf9f1c6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-preview.md @@ -20,16 +20,16 @@ ms.topic: conceptual ROBOTS: noindex,nofollow --- -# Microsoft Defender ATP for Mac - System Extensions (Public Preview) +# Microsoft Defender for Endpoint for Mac - System Extensions (Public Preview) [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -In alignment with macOS evolution, we are preparing a Microsoft Defender ATP for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. +In alignment with macOS evolution, we are preparing a Defender for Endpoint for Mac update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS. This functionality is currently in public preview. This article contains instructions for enabling this functionality on your device. You can choose to try out this feature locally on your own device or configure it remotely through a management tool. -These steps assume you already have Microsoft Defender ATP running on your device. For more information, see [this page](microsoft-defender-atp-mac.md). +These steps assume you already have Defender for Endpoint running on your device. For more information, see [this page](microsoft-defender-atp-mac.md). ## Known issues @@ -65,7 +65,7 @@ Select the deployment steps corresponding to your environment and your preferred Once all deployment prerequisites are met, restart your device to start the system extension approval and activation process. -You will be presented series of system prompts to approve the Microsoft Defender ATP system extensions. You must approve ALL prompts from the series, because macOS requires an explicit approval for each extension that Microsoft Defender ATP for Mac installs on the device. +You will be presented series of system prompts to approve the Defender for Endpoint system extensions. You must approve ALL prompts from the series, because macOS requires an explicit approval for each extension that Defender for Endpoint for Mac installs on the device. For each approval, click **Open Security Preferences** and then click **Allow** to allow the system extension to run. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md index 740aaacb77..7db11e8873 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-updates.md @@ -19,18 +19,18 @@ ms.collection: ms.topic: conceptual --- -# Deploy updates for Microsoft Defender ATP for Mac +# Deploy updates for Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md) +- [Microsoft Defender for Endpoint for Mac](microsoft-defender-atp-mac.md) Microsoft regularly publishes software updates to improve performance, security, and to deliver new features. -To update Microsoft Defender ATP for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. +To update Microsoft Defender for Endpoint for Mac, a program named Microsoft AutoUpdate (MAU) is used. By default, MAU automatically checks for updates daily, but you can change that to weekly, monthly, or manually. ![MAU screenshot](../microsoft-defender-antivirus/images/MDATP-34-MAU.png) @@ -40,7 +40,7 @@ If you decide to deploy updates by using your software distribution tools, you s MAU includes a command-line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate). -In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window: +In MAU, the application identifier for Microsoft Defender for Endpoint for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender for Endpoint for Mac, execute the following command from a Terminal window: ``` ./msupdate --install --apps wdav00 @@ -67,7 +67,7 @@ The `Production` channel contains the most stable version of the product. | **Possible values** | InsiderFast
    External
    Production | >[!WARNING] ->This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender ATP for Mac, execute the following command after replacing `[channel-name]` with the desired channel: +>This setting changes the channel for all applications that are updated through Microsoft AutoUpdate. To change the channel only for Microsoft Defender for Endpoint for Mac, execute the following command after replacing `[channel-name]` with the desired channel: > ```bash > defaults write com.microsoft.autoupdate2 Applications -dict-add "/Applications/Microsoft Defender ATP.app" " { 'Application ID' = 'WDAV00' ; 'App Domain' = 'com.microsoft.wdav' ; LCID = 1033 ; ChannelName = '[channel-name]' ; }" > ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index ca4617cc28..7c00c8af5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -19,34 +19,48 @@ ms.collection: ms.topic: conceptual --- -# What's new in Microsoft Defender Advanced Threat Protection for Mac +# What's new in Microsoft Defender for Endpoint for Mac [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] > [!IMPORTANT] -> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender ATP for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender ATP for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11. +> In preparation for macOS 11 Big Sur, we are getting ready to release an update to Microsoft Defender for Endpoint for Mac that will leverage new system extensions instead of kernel extensions. Apple will stop supporting kernel extensions starting macOS 11 Big Sur version. Therefore an update to the Microsoft Defender for Endpoint for Mac agent is required on all eligible macOS devices prior to moving these devices to macOS 11. > > The update is applicable to devices running macOS version 10.15.4 or later. > -> To ensure that the Microsoft Defender ATP for Mac update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed prior to the Microsoft Defender ATP for Mac agent update, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions. +> To ensure that the Microsoft Defender for Endpoint for Mac update is delivered and applied seamlessly from an end-user experience perspective, a new remote configuration must be deployed to all eligible macOS devices before Microsoft publishes the new agent version. If the configuration is not deployed prior to the Microsoft Defender for Endpoint for Mac agent update, end-users will be presented with a series of system dialogs asking to grant the agent all necessary permissions associated with the new system extensions. > > Timing: -> - Organizations that previously opted into Microsoft Defender ATP preview features in Microsoft Defender Security Center, must be ready for Microsoft Defender ATP for Mac agent update **by August 10, 2020**. -> - Organizations that do not participate in public previews for Microsoft Defender ATP features, must be ready **by September 07, 2020**. +> - Organizations that previously opted into Microsoft Defender for Endpoint preview features in Microsoft Defender Security Center, must be ready for Microsoft Defender for Endpoint for Mac agent update **by August 10, 2020**. +> - Organizations that do not participate in public previews for Microsoft Defender for Endpoint features, must be ready **by September 07, 2020**. > > Action is needed by IT administrator. Review the steps below and assess the impact on your organization: > > 1. Deploy the specified remote configuration to eligible macOS devices before Microsoft publishes the new agent version.
    -> Even though Microsoft Defender ATP for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender ATP for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade. +> Even though Microsoft Defender for Endpoint for Mac new implementation based on system extensions is only applicable to devices running macOS version 10.15.4 or later, deploying configuration proactively across the entire macOS fleet will ensure that even down-level devices are prepared for the day when Apple releases macOS 11 Big Sur and will ensure that Microsoft Defender for Endpoint for Mac continues protecting all macOS devices regardless OS version they were running prior to the Big Sur upgrade. > > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +## 101.10.72 + +- Bug fixes + +## 101.09.61 + +- Added a new managed preference for [disabling the option to send feedback](mac-preferences.md#show--hide-option-to-send-feedback) +- Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator +- Performance improvements & bug fixes + ## 101.09.50 - This product version has been validated on macOS Big Sur 11 beta 9 -- The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender ATP for Mac](mac-resources.md#configuring-from-the-command-line) + + > [!IMPORTANT] + > Extensive testing of MDE (Microsoft Defender for Endpoint) with new macOS system extensions revealed an intermittent issue that impacts macOS devices with specific graphic cards models. In rare cases on impacted macOS devices calls into macOS system extensions were seen resulting in kernel panic. Microsoft is actively working with Apple engineering to clarify profile of impacted devices and to address this macOS issue. + +- The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender for Endpoint for Mac](mac-resources.md#configuring-from-the-command-line) > [!NOTE] > The old command-line tool syntax will be removed from the product on **January 1st, 2021**. @@ -105,13 +119,13 @@ ms.topic: conceptual - Improved [product onboarding experience for Intune users](https://docs.microsoft.com/mem/intune/apps/apps-advanced-threat-protection-macos) - Antivirus [exclusions now support wildcards](mac-exclusions.md#supported-exclusion-types) -- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select **Scan with Microsoft Defender ATP** +- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select **Scan with Microsoft Defender for Endpoint** - In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device - Other performance improvements & bug fixes ## 100.90.27 -- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender ATP for Mac that is different from the system-wide update channel +- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender for Endpoint for Mac that is different from the system-wide update channel - New product icon - Other user experience improvements - Bug fixes @@ -148,7 +162,7 @@ ms.topic: conceptual ## 100.79.42 -- Fixed an issue where Microsoft Defender ATP for Mac was sometimes interfering with Time Machine +- Fixed an issue where Microsoft Defender for Endpoint for Mac was sometimes interfering with Time Machine - Added a new switch to the command-line utility for testing the connectivity with the backend service ```bash mdatp --connectivity-test @@ -162,7 +176,7 @@ ms.topic: conceptual ## 100.70.99 -- Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time protection is enabled. This sporadic issue was caused by Microsoft Defender ATP locking files within Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence. +- Addressed an issue that impacts the ability of some users to upgrade to macOS Catalina when real-time protection is enabled. This sporadic issue was caused by Microsoft Defender for Endpoint locking files within Catalina upgrade package while scanning them for threats, which led to failures in the upgrade sequence. ## 100.68.99 @@ -174,9 +188,9 @@ ms.topic: conceptual - Added support for macOS Catalina > [!CAUTION] - > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender ATP is not able to fully protect your device. + > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device. > - > The mechanism for granting this consent depends on how you deployed Microsoft Defender ATP: + > The mechanism for granting this consent depends on how you deployed Microsoft Defender for Endpoint: > > - For manual deployments, see the updated instructions in the [Manual deployment](mac-install-manually.md#how-to-allow-full-disk-access) topic. > - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md index 678340162e..3b19a5d4f9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-groups.md @@ -26,11 +26,11 @@ ms.topic: article - Azure Active Directory - Office 365 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) In an enterprise scenario, security operation teams are typically assigned a set of devices. These devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags. -In Microsoft Defender ATP, you can create device groups and use them to: +In Microsoft Defender for Endpoint, you can create device groups and use them to: - Limit access to related alerts and data to specific Azure AD user groups with [assigned RBAC roles](rbac.md) - Configure different auto-remediation settings for different sets of devices - Assign specific remediation levels to apply during automated investigations diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md index 3349058516..45864dd1d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-reports.md @@ -17,13 +17,13 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Device health and compliance report in Microsoft Defender ATP +# Device health and compliance report in Microsoft Defender for Endpoint [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) The devices status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md index e2bb55c2a6..b234d37124 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md @@ -21,9 +21,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) [!include[Prerelease information](../../includes/prerelease.md)] @@ -41,7 +41,7 @@ Method|Return Type |Description [Add or Remove machine tags](add-or-remove-machine-tags.md) | [machine](machine.md) | Add or Remove tag to a specific machine. [Find machines by IP](find-machines-by-ip.md) | [machine](machine.md) collection | Find machines seen with IP. [Get missing KBs](get-missing-kbs-machine.md) | KB collection | Get a list of missing KBs associated with the machine ID -[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the value of a device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). +[Set device value](set-device-value.md)| [machine](machine.md) collection | Set the [value of a device](tvm-assign-device-value.md). ## Properties @@ -49,8 +49,8 @@ Property | Type | Description :---|:---|:--- id | String | [machine](machine.md) identity. computerDnsName | String | [machine](machine.md) fully qualified name. -firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender ATP. -lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender ATP. +firstSeen | DateTimeOffset | First date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. +lastSeen | DateTimeOffset | Last date and time where the [machine](machine.md) was observed by Microsoft Defender for Endpoint. osPlatform | String | Operating system platform. version | String | Operating system Version. osBuild | Nullable long | Operating system build number. @@ -59,10 +59,10 @@ lastExternalIpAddress | String | Last IP through which the [machine](machine.md) healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" rbacGroupName | String | Machine group Name. rbacGroupId | Int | Machine group unique ID. -riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is Aad Joined). +riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'. +exposureScore | Nullable Enum | [Exposure score](tvm-exposure-score.md) as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. +aadDeviceId | Nullable representation Guid | AAD Device ID (when [machine](machine.md) is AAD Joined). machineTags | String collection | Set of [machine](machine.md) tags. -exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender ATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. -deviceValue | Nullable Enum | The value of the device, See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md). Possible values are: 'Normal', 'Low' and 'High'. +exposureLevel | Nullable Enum | Exposure level as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Low', 'Medium' and 'High'. +deviceValue | Nullable Enum | The [value of the device](tvm-assign-device-value.md). Possible values are: 'Normal', 'Low' and 'High'. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index 683d807480..94f6a0a86b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -21,11 +21,11 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -- See [Response Actions](respond-machine-alerts.md) for more information +- For more information, see [Response Actions](respond-machine-alerts.md). | Method | Return Type | Description | |:------------------------------------------------------------------|:-----------------------------------|:------------------------------------------------------------| @@ -38,7 +38,7 @@ ms.topic: article | [Restrict app execution](restrict-code-execution.md) | [Machine Action](machineaction.md) | Restrict application execution. | | [Remove app restriction](unrestrict-code-execution.md) | [Machine Action](machineaction.md) | Remove application execution restriction. | | [Run antivirus scan](run-av-scan.md) | [Machine Action](machineaction.md) | Run an AV scan using Windows Defender (when applicable). | -| [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender ATP. | +| [Offboard machine](offboard-machine-api.md) | [Machine Action](machineaction.md) | Offboard [machine](machine.md) from Microsoft Defender for Endpoint. | | [Stop and quarantine file](stop-and-quarantine-file.md) | [Machine Action](machineaction.md) | Stop execution of a file on a machine and delete it. |
    @@ -47,17 +47,17 @@ ms.topic: article | Property | Type | Description | |:--------------------|:---------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| id | Guid | Identity of the [Machine Action](machineaction.md) entity. | +| ID | Guid | Identity of the [Machine Action](machineaction.md) entity. | | type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" | -| scope | string | Scope of the action. "Full" or "Selective" in case of Isolation, "Quick" or "Full" in case of Anti-Virus scan. | +| scope | string | Scope of the action. "Full" or "Selective" for Isolation, "Quick" or "Full" for Anti-Virus scan. | | requestor | String | Identity of the person that executed the action. | | requestorComment | String | Comment that was written when issuing the action. | -| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". | -| machineId | String | Id of the [machine](machine.md) on which the action was executed. | +| status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Canceled". | +| machineId | String | ID of the [machine](machine.md) on which the action was executed. | | machineId | String | Name of the [machine](machine.md) on which the action was executed. | | creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. | | lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. | -| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1" ,"Sha256" and "Md5". | +| relatedFileInfo | Class | Contains two Properties. string ```fileIdentifier```, Enum ```fileIdentifierType``` with the possible values: "Sha1", "Sha256" and "Md5". | ## Json representation diff --git a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md index ff9c54a53f..c4df93659f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machines-view-overview.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-machinesview-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index c4d934024e..9a210d00da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md index c086033e55..a0a93f2dc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md @@ -28,7 +28,7 @@ ms.reviewer: chventou **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) We recommend using We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) (Intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction) (Configuration Manager) to manage your organization's threat protection features for devices (also referred to as endpoints). - [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md index 512edb5f3c..c9fe3f4c85 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md @@ -28,7 +28,7 @@ ms.reviewer: chventou **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). **[Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview)**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md index eb630aad88..36d77dce37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md @@ -28,7 +28,7 @@ ms.reviewer: chventou **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem), which includes Microsoft Intune (Intune) to manage your organization's threat protection features for devices (also referred to as endpoints). [Learn more about Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md index 111459747f..339857a351 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md @@ -28,7 +28,7 @@ ms.reviewer: chventou **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem) to manage your organization's threat protection features for devices (also referred to as endpoints). Endpoint Manager includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction). diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index 246b542364..7d186a373a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -28,7 +28,7 @@ ms.reviewer: chventou **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) After you have moved from your previous endpoint protection and antivirus solution to Microsoft Defender for Endpoint, your next step is to manage your features and capabilities. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), which includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction), to manage your organization's devices and security settings. However, you can use other tools/methods, such as [Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy). diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index ab130cb910..9eb235425e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -50,7 +50,6 @@ Whether taken automatically or upon approval, remediation actions following an a - Remove a registry key - Kill a process - Stop a service -- Remove a registry key - Disable a driver - Remove a scheduled task diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index 5dfefb6a2a..0b5d31597f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -25,7 +25,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index 056f3d9d05..29529c8847 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -25,7 +25,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 04dc76e4e3..f0cd8403c1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -25,7 +25,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index b8a672c6a3..d5186273e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-automationexclusionlist-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index 2db2ff913f..d13aa975d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) There might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization. For more information on how to suppress alerts, see [Suppress alerts](manage-alerts.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 45de6c024c..c3176ac54a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -24,7 +24,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink) @@ -55,12 +55,12 @@ The Microsoft Defender ATP APIs can be grouped into three: ## Microsoft Defender ATP APIs -Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. +Microsoft Defender ATP offers a layered API model exposing data and capabilities in a structured, clear, and easy to use model, exposed through a standard Azure AD-based authentication and authorization model allowing access in context of users or SaaS applications. The API model was designed to expose entities and capabilities in a consistent form. Watch this video for a quick overview of Microsoft Defender ATP's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] -The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information see, [Supported APIs](exposed-apis-list.md). +The **Investigation API** exposes the richness of Microsoft Defender ATP - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md). The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others. @@ -69,11 +69,11 @@ Microsoft Defender ATP raw data streaming API provides the ability for customers The Microsoft Defender ATP event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. -For more information see, [Raw data streaming API](raw-data-export.md). +For more information, see, [Raw data streaming API](raw-data-export.md). ## SIEM API -When you enable security information and event management (SIEM) integration it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. For more information see, [SIEM integration](enable-siem-integration.md) +When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see, [SIEM integration](enable-siem-integration.md) ## Related topics - [Access the Microsoft Defender Advanced Threat Protection APIs ](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 2049e0d9bd..16dd867662 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -25,9 +25,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -[!include[Prerelease information](../../includes/prerelease.md)] +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index a6f03c17c5..a23303c507 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -24,7 +24,7 @@ ms.date: 10/18/2018 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index d45c5c585e..b37274b4cb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -22,8 +22,6 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink) -> > For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy). Microsoft Defender Advanced Threat Protection is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. @@ -33,8 +31,7 @@ Microsoft Defender Advanced Threat Protection is an enterprise endpoint security Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: -- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors - collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. +- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system and send this sensor data to your private, isolated, cloud instance of Microsoft Defender ATP. - **Cloud security analytics**: Leveraging big-data, device-learning, and @@ -46,7 +43,7 @@ Microsoft Defender ATP uses the following combination of technology built into W - **Threat intelligence**: Generated by Microsoft hunters, security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender ATP to identify attacker - tools, techniques, and procedures, and generate alerts when these + tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data. @@ -86,7 +83,7 @@ This built-in capability uses a game-changing risk-based approach to the discove **[Attack surface reduction](overview-attack-surface-reduction.md)**
    -The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs. +The attack surface reduction set of capabilities provides the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes [network protection](network-protection.md) and [web protection](web-protection-overview.md), which regulate access to malicious IP addresses, domains, and URLs. @@ -135,7 +132,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf - Microsoft Cloud App Security **[Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)**
    - With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate and automatically respond to sophisticated attacks. + With Microsoft Threat Protection, Microsoft Defender ATP and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. ## Related topic diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md new file mode 100644 index 0000000000..b5143827c8 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios-privacy-information.md @@ -0,0 +1,92 @@ +--- +title: Microsoft Defender ATP for iOS - Privacy information +ms.reviewer: +description: Describes privacy information for Microsoft Defender ATP for iOS +keywords: microsoft, defender, atp, ios, policy, overview +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- + +# Privacy information - Microsoft Defender for Endpoint for iOS + +> [!NOTE] +> Defender for Endpoint for iOS uses a VPN to provide the Web Protection feature. This is not a regular VPN and is a local or self-looping VPN that does not take traffic outside the device. **Microsoft or your organization, does not see your browsing activity.** + +Defender for Endpoint for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Defender for Endpoint. The information is collected to help keep Defender for Endpoint for iOS secure, up-to-date, performing as expected, and to support the service. + +For more details about data storage, see [Microsoft Defender for Endpoint data storage and privacy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). + +## Required data + +Required data consists of data that is necessary to make Defender for Endpoint for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. + +Here is a list of the types of data being collected: + +### Web page or Network information + +- Connection information only when a malicious connection or web page is detected. + +- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. + +### Device and account information + +- Device information such as date & time, iOS version, CPU info, and Device identifier, where Device identifier is one of the following: + + - Wi-Fi adapter MAC address + + - Randomly generated globally unique identifier (GUID) + +- Tenant, Device and User information + + - Azure Active Directory (AD) Device ID and Azure User ID - Uniquely identifies the device, User respectively at Azure Active directory. + + - Azure tenant ID - GUID that identifies your organization within Azure Active Directory. + + - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted. + + - User Principal Name – Email ID of the user. + +### Product and service usage data + +The following information is collected only for Microsoft Defender for Endpoint app installed on the device. + +- App package info, including name, version, and app upgrade status. + +- Actions performed in the app. + +- Crash report logs generated by iOS. + +- Memory usage data. + +## Optional Data + +Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + +Optional diagnostic data includes: + +- App, CPU, and network usage for Defender for Endpoint. + +- Features configured by the admin for Defender for Endpoint. + +Feedback Data is collected through in-app feedback provided by the user. + +- The user’s email address, if they choose to provide it. + +- Feedback type (smile, frown, idea) and any feedback comments submitted by the user. + +For more information, see [More on Privacy](https://aka.ms/mdatpiosprivacystatement). + + diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index ea21452763..b53befb8a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -97,10 +97,9 @@ After you've enabled the service, you may need to configure your network or fire The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them. - -|**Item**|**Description**| +|**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. +|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)
    | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

    [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 06899fd04e..4f2891c210 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -90,9 +90,9 @@ The following downloadable spreadsheet lists the services and their associated U -|**Item**|**Description**| +|**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. +|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)
    | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

    [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index 4aed901842..47fcaf8d7d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -25,7 +25,7 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Threat Experts is a managed threat hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don’t get missed. diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 3e712cd6f9..0f05ee52c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -23,7 +23,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) There are some minimum requirements for onboarding devices to the service. Learn about the licensing, hardware and software requirements, and other configuration settings to onboard devices to the service. @@ -51,8 +51,8 @@ Microsoft Defender Advanced Threat Protection requires one of the following Micr Microsoft Defender Advanced Threat Protection, on Windows Server, requires one of the following licensing options: -- [Azure Security Center Standard plan](https://docs.microsoft.com/azure/security-center/security-center-pricing) (per node) -- Microsoft Defender ATP for Servers (one per covered Server) +- [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing) +- Microsoft Defender ATP for Servers (one per covered server) > [!NOTE] > Customers with a combined minimum of 50 licenses for one or more of the following may acquire Server SLs for Microsoft Defender Advanced Threat Protection for Servers (one per covered Server OSE): Microsoft Defender Advanced Threat Protection, Windows E5/A5, Microsoft 365 E5/A5 and Microsoft 365 E5 Security User SLs. This license applies to Microsoft Defender ATP for Linux. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md index e04b5fd740..36d7f8db37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md @@ -21,7 +21,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Logo |Partner name | Description :---|:---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index 6f1d18b0e5..6982d30ef4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -23,7 +23,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index ea52e95529..eec4470439 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -25,7 +25,7 @@ ms.custom: asr **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index a0f4515971..54a1538ebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -14,17 +14,16 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: conceptual +ms.topic: overview --- # Threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -42,63 +41,49 @@ Threat and vulnerability management is built in, real time, and cloud powered. I Vulnerability management is the first solution in the industry to bridge the gap between security administration and IT administration during remediation process. Create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager. -It provides the following solutions to frequently cited gaps across security operations, security administration, and IT administration workflows and communication: - -- Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities -- Linked device vulnerability and security configuration assessment data in the context of exposure discovery -- Built-in remediation processes through Microsoft Intune and Configuration Manager - ### Real-time discovery To discover endpoint vulnerabilities and misconfiguration, threat and vulnerability management uses the same agentless built-in Microsoft Defender ATP sensors to reduce cumbersome network scans and IT overhead. It also provides: -- Real-time device inventory. Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. -- Visibility into software and vulnerabilities. Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. -- Application runtime context. Visibility on application usage patterns for better prioritization and decision-making. -- Configuration posture. Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. +- **Real-time device inventory** - Devices onboarded to Microsoft Defender ATP automatically report and push vulnerability and security configuration data to the dashboard. +- **Visibility into software and vulnerabilities** - Optics into the organization's software inventory, and software changes like installations, uninstalls, and patches. Newly discovered vulnerabilities are reported with actionable mitigation recommendations for 1st and 3rd party applications. +- **Application runtime context** - Visibility on application usage patterns for better prioritization and decision-making. +- **Configuration posture** - Visibility into organizational security configuration or misconfigurations. Issues are reported in the dashboard with actionable security recommendations. ### Intelligence-driven prioritization -Threat and vulnerability management helps customers prioritize and focus on those weaknesses that pose the most urgent and the highest risk to the organization. Rather than using static prioritization by severity scores, threat and vulnerability management highlights the most critical weaknesses that need attention. It fuses security recommendations with dynamic threat and business context: +Threat and vulnerability management helps customers prioritize and focus on the weaknesses that pose the most urgent and the highest risk to the organization. It fuses security recommendations with dynamic threat and business context: -- Exposing emerging attacks in the wild. Through its advanced cyber data and threat analytics platform, threat and vulnerability management dynamically aligns the prioritization of its security recommendations. It focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk. -- Pinpointing active breaches. Microsoft Defender ATP correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization. -- Protecting high-value assets. Microsoft Defender ATP's integration with Azure Information Protection allows threat and vulnerability management to identify the exposed devices with business-critical applications, confidential data, or high-value users. +- **Exposing emerging attacks in the wild** - Dynamically aligns the prioritization of security recommendations. Threat and vulnerability management focuses on vulnerabilities currently being exploited in the wild and emerging threats that pose the highest risk. +- **Pinpointing active breaches** - Correlates threat and vulnerability management and EDR insights to prioritize vulnerabilities being exploited in an active breach within the organization. +- **Protecting high-value assets** - Identify the exposed devices with business-critical applications, confidential data, or high-value users. ### Seamless remediation -Microsoft Defender ATP's threat and vulnerability management capability allows security administrators and IT administrators to collaborate seamlessly to remediate issues. +Threat and vulnerability management allows security administrators and IT administrators to collaborate seamlessly to remediate issues. -- Remediation requests to IT. Through Microsoft Defender ATP's integration with Microsoft Intune and Microsoft Endpoint Configuration Manager, security administrators can create a remediation task in Microsoft Intune from the Security recommendation pages. We plan to expand this capability to other IT security management platforms. -- Alternate mitigations. Threat and vulnerability management provides insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. -- Real-time remediation status. Microsoft Defender ATP provides real-time monitoring of the status and progress of remediation activities across the organization. +- **Remediation requests sent to IT** - Create a remediation task in Microsoft Intune from a specific security recommendation. We plan to expand this capability to other IT security management platforms. +- **Alternate mitigations** - Gain insights on additional mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities. +- **Real-time remediation status** - Real-time monitoring of the status and progress of remediation activities across the organization. -## Reduce organizational risk with threat and vulnerability management +## Threat and vulnerability management walk-through Watch this video for a comprehensive walk-through of threat and vulnerability management. >[!VIDEO https://aka.ms/MDATP-TVM-Interactive-Guide] -## Before you begin +## Navigation pane -Ensure that your devices: - -- Are onboarded to Microsoft Defender Advanced Threat Protection -- Run [supported operating systems and platforms](tvm-supported-os.md) -- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: - -> Release | Security update KB number and link -> :---|:--- -> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) -> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) -> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) -> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) - -- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version. -- Have at least one security recommendation that can be viewed in the device page -- Are tagged or marked as co-managed +Area | Description +:---|:--- +**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Remediation**](tvm-remediation.md) | See remediation activities you've created and recommendation exceptions. +[**Software inventory**](tvm-software-inventory.md) | See the list of vulnerable software in your organization, along with weakness and threat information. +[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures (CVEs) in your organization. +[**Event timeline**](threat-and-vuln-mgt-event-timeline.md) | View events that may impact your organization's risk. ## APIs @@ -118,14 +103,4 @@ See the following articles for related APIs: - [Supported operating systems and platforms](tvm-supported-os.md) - [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md index 36cab9ff28..2de422a306 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md @@ -23,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft has been on a journey to extend its industry leading endpoint security diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index 6046e47262..19496bd97c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index fdfda0129e..7d9a09d143 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -27,7 +27,7 @@ ms.topic: conceptual - Linux - Windows Server 2012 R2 - Windows Server 2016 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-offboarddevices-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 3f37f66880..dab5b79f99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -23,7 +23,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] @@ -40,6 +40,20 @@ In general, to onboard devices to the service: >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] +## Onboarding tool options +The following table lists the available tools based on the endpoint that you need to onboard. + +| Endpoint | Tool options | +|--------------|------------------------------------------| +| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
    [Group Policy](configure-endpoints-gp.md)
    [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
    [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
    [VDI scripts](configure-endpoints-vdi.md) | +| **macOS** | [Local scripts](mac-install-manually.md)
    [Microsoft Endpoint Manager](mac-install-with-intune.md)
    [JAMF Pro](mac-install-with-jamf.md)
    [Mobile Device Management](mac-install-with-other-mdm.md) | +| **Linux Server** | [Local script](linux-install-manually.md)
    [Puppet](linux-install-with-puppet.md)
    [Ansible](linux-install-with-ansible.md)| +| **iOS** | [App-based](ios-install.md) | +| **Android** | [Microsoft Endpoint Manager](android-intune.md) | + + + + ## In this section Topic | Description :---|:--- diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index 86e8968854..ca403709b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -28,7 +28,7 @@ ms.topic: article - Windows 7 SP1 Pro - Windows 8.1 Pro - Windows 8.1 Enterprise -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-downlevel-abovefoldlink). diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index cb3d0ee177..41098d9b2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) To onboard devices without Internet access, you'll need to take the following general steps: @@ -40,14 +40,14 @@ Windows Server 2016 and earlier or Windows 8.1 and earlier. For more information about onboarding methods, see the following articles: - [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel) -- [Onboard servers to the Microsoft Defender ATP service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) +- [Onboard servers to the Microsoft Defender for Endpoint service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-2008-r2-sp1--windows-server-2012-r2-and-windows-server-2016) - [Configure device proxy and Internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#configure-the-proxy-server-manually-using-a-registry-based-static-proxy) ## On-premise devices - Setup Azure Log Analytics (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Agent](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Microsoft Defender ATP Workspace key & ID - Offline devices in the same network of Azure Log Analytics - Configure MMA to point to: @@ -59,7 +59,7 @@ For more information about onboarding methods, see the following articles: - Setup Azure Log Analytics Gateway (formerly known as OMS Gateway) to act as proxy or hub: - [Azure Log Analytics Gateway](https://docs.microsoft.com/azure/azure-monitor/platform/gateway#download-the-log-analytics-gateway) - - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp) point to Microsoft Defender ATP Workspace key & ID + - [Install and configure Microsoft Monitoring Agent (MMA)](configure-server-endpoints.md#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-for-endpoint) point to Microsoft Defender ATP Workspace key & ID - Offline Azure VMs in the same network of OMS Gateway - Configure Azure Log Analytics IP as a proxy - Azure Log Analytics Workspace Key & ID diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index ca17dbdcd7..78edeae3ef 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -1,7 +1,7 @@ --- title: Configure and manage Microsoft Defender ATP capabilities ms.reviewer: -description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, next-generation protection, and security controls +description: Configure and manage Microsoft Defender ATP capabilities such as attack surface reduction, and next-generation protection keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -24,7 +24,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Configure and manage all the Microsoft Defender ATP capabilities to get the best security protection for your organization. @@ -32,12 +32,12 @@ Configure and manage all the Microsoft Defender ATP capabilities to get the best ## In this section Topic | Description :---|:--- -[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. +[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. [Configure next-generation protection](../microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md) | Configure next-generation protection to catch all types of emerging threats. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. [Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. [Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. -[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. +[Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal-related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md index c09d936fcd..7435ab66b6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md @@ -24,18 +24,42 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) -## Collection creation +This article is part of the Deployment guide and acts as an example onboarding method that guides users in: +- Step 1: Onboarding Windows devices to the service +- Step 2: Configuring Microsoft Defender ATP capabilities + +This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Configuration Manager: +- **Creating a collection in Microsoft Endpoint Configuration Manager** +- **Configuring Microsoft Defender ATP capabilities using Microsoft Endpoint Configuration Manager** + +>[!NOTE] +>Only Windows devices are covered in this example deployment. + +While Microsoft Defender ATP supports onboarding of various endpoints and tools, this article does not cover them. + +For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). + + +## Step 1: Onboard Windows devices using Microsoft Endpoint Configuration Manager + +### Collection creation To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the -deployment can target either and existing collection or a new collection can be -created for testing. The onboarding like group policy or manual method does -not install any agent on the system. Within the Configuration Manager console +deployment can target an existing collection or a new collection can be +created for testing. + +Onboarding using tools such as Group policy or manual method does not install any agent on the system. + +Within the Microsoft Endpoint Configuration Manager console the onboarding process will be configured as part of the compliance settings -within the console. Any system that receives this required configuration will +within the console. + +Any system that receives this required configuration will maintain that configuration for as long as the Configuration Manager client -continues to receive this policy from the management point. Follow the steps -below to onboard systems with Configuration Manager. +continues to receive this policy from the management point. + +Follow the steps below to onboard endpoints using Microsoft Endpoint Configuration Manager. 1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. @@ -75,8 +99,17 @@ below to onboard systems with Configuration Manager. After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. -## Endpoint detection and response -### Windows 10 + +## Step 2: Configure Microsoft Defender ATP capabilities +This section guides you in configuring the following capabilities using Microsoft Endpoint Configuration Manager on Windows devices: + +- [**Endpoint detection and response**](#endpoint-detection-and-response) +- [**Next-generation protection**](#next-generation-protection) +- [**Attack surface reduction**](#attack-surface-reduction) + + +### Endpoint detection and response +#### Windows 10 From within the Microsoft Defender Security Center it is possible to download the '.onboarding' policy that can be used to create the policy in System Center Configuration Manager and deploy that policy to Windows 10 devices. @@ -132,7 +165,7 @@ Manager and deploy that policy to Windows 10 devices. ![Image of configuration settings](images/configmgr-select-collection.png) -### Previous versions of Windows Client (Windows 7 and Windows 8.1) +#### Previous versions of Windows Client (Windows 7 and Windows 8.1) Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. 1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. @@ -183,7 +216,7 @@ Follow the steps below to identify the Microsoft Defender ATP Workspace ID and W Once completed, you should see onboarded endpoints in the portal within an hour. -## Next generation protection +### Next generation protection Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. @@ -230,7 +263,7 @@ needs on how Antivirus is configured. After completing this task, you now have successfully configured Windows Defender Antivirus. -## Attack surface reduction +### Attack surface reduction The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit Protection. @@ -295,7 +328,7 @@ See [Optimize ASR rule deployment and detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details. -### To set Network Protection rules in Audit mode: +#### Set Network Protection rules in Audit mode: 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. ![A screenshot System Center Configuration Manager](images/728c10ef26042bbdbcd270b6343f1a8a.png) @@ -325,7 +358,7 @@ detections](https://docs.microsoft.com/windows/security/threat-protection/micros After completing this task, you now have successfully configured Network Protection in audit mode. -### To set Controlled Folder Access rules in Audit mode: +#### To set Controlled Folder Access rules in Audit mode: 1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md index 76f2c2c7e7..29548856da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md @@ -24,27 +24,28 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) -In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy -Microsoft Defender ATP to your endpoints. - -For more information about MEM, check out these resources: -- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/) -- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/) -- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace) -This process is a multi-step process, you'll need to: +This article is part of the Deployment guide and acts as an example onboarding method that guides users in: +- Step 1: Onboarding devices to the service by creating a group in Microsoft Endpoint Manager (MEM) to assign configurations on +- Step 2: Configuring Microsoft Defender ATP capabilities using Microsoft Endpoint Manager -- Identify target devices or users +This onboarding guidance will walk you through the following basic steps that you need to take when using Microsoft Endpoint Manager: - - Create an Azure Active Directory group (User or Device) +- [Identifying target devices or users](#identify-target-devices-or-users) -- Create a Configuration Profile + - Creating an Azure Active Directory group (User or Device) - - In MEM, we'll guide you in creating a separate policy for each feature +- [Creating a Configuration Profile](#step-2-create-configuration-policies-to-configure-microsoft-defender-atp-capabilities) + + - In Microsoft Endpoint Manager, we'll guide you in creating a separate policy for each capability. + +While Microsoft Defender ATP supports onboarding of various endpoints and tools, this article does not cover them. + +For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). ## Resources @@ -57,7 +58,13 @@ Here are the links you'll need for the rest of the process: - [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender) -## Identify target devices or users +For more information about Microsoft Endpoint Manager, check out these resources: +- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/) +- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/) +- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace) + +## Step 1: Onboard devices by creating a group in MEM to assign configurations on +### Identify target devices or users In this section, we will create a test group to assign your configurations on. >[!NOTE] @@ -72,11 +79,13 @@ needs.
    2. Open **Groups > New Group**. - ![Image of Microsoft Endpoint Manager portal](images/66f724598d9c3319cba27f79dd4617a4.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/66f724598d9c3319cba27f79dd4617a4.png) 3. Enter details and create a new group. - ![Image of Microsoft Endpoint Manager portal](images/b1e0206d675ad07db218b63cd9b9abc3.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/b1e0206d675ad07db218b63cd9b9abc3.png) 4. Add your test user or device. @@ -86,15 +95,23 @@ needs.
    7. Find your test user or device and select it. - ![Image of Microsoft Endpoint Manager portal](images/149cbfdf221cdbde8159d0ab72644cd0.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/149cbfdf221cdbde8159d0ab72644cd0.png) 8. Your testing group now has a member to test. -## Create configuration policies +## Step 2: Create configuration policies to configure Microsoft Defender ATP capabilities In the following section, you'll create a number of configuration policies. + First is a configuration policy to select which groups of users or devices will -be onboarded to Microsoft Defender ATP. Then you will continue by creating several -different types of Endpoint security policies. +be onboarded to Microsoft Defender ATP. + +Then you will continue by creating several +different types of endpoint security policies. + +- [Endpoint detection and response](#endpoint-detection-and-response) +- [Next-generation protection](#next-generation-protection) +- [Attack surface reduction](#attack-surface-reduction--attack-surface-reduction-rules) ### Endpoint detection and response @@ -103,40 +120,48 @@ different types of Endpoint security policies. 2. Navigate to **Endpoint security > Endpoint detection and response**. Click on **Create Profile**. - ![Image of Microsoft Endpoint Manager portal](images/58dcd48811147feb4ddc17212b7fe840.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/58dcd48811147feb4ddc17212b7fe840.png) 3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection and response > Create**. 4. Enter a name and description, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/a5b2d23bdd50b160fef4afd25dda28d4.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/a5b2d23bdd50b160fef4afd25dda28d4.png) 5. Select settings as required, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/cea7e288b5d42a9baf1aef0754ade910.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/cea7e288b5d42a9baf1aef0754ade910.png) - >[!NOTE] - >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
    - - - ![Image of Microsoft Endpoint Manager portal](images/2466460812371ffae2d19a10c347d6f4.png) + > [!NOTE] + > In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). + > + > The following image is an example of what you'll see when Microsoft Defender ATP is NOT integrated with Intune: + > + > ![Image of Microsoft Endpoint Manager portal](images/2466460812371ffae2d19a10c347d6f4.png) 6. Add scope tags if necessary, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/ef844f52ec2c0d737ce793f68b5e8408.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/ef844f52ec2c0d737ce793f68b5e8408.png) 7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/fc3525e20752da026ec9f46ab4fec64f.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/fc3525e20752da026ec9f46ab4fec64f.png) 8. Review and accept, then select **Create**. - ![Image of Microsoft Endpoint Manager portal](images/289172dbd7bd34d55d24810d9d4d8158.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/289172dbd7bd34d55d24810d9d4d8158.png) 9. You can view your completed policy. - ![Image of Microsoft Endpoint Manager portal](images/5a568b6878be8243ea2b9d82d41ed297.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/5a568b6878be8243ea2b9d82d41ed297.png) ### Next-generation protection @@ -144,36 +169,43 @@ different types of Endpoint security policies. 2. Navigate to **Endpoint security > Antivirus > Create Policy**. - ![Image of Microsoft Endpoint Manager portal](images/6b728d6e0d71108d768e368b416ff8ba.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/6b728d6e0d71108d768e368b416ff8ba.png) 3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft Defender Antivirus > Create**. 4. Enter name and description, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/a7d738dd4509d65407b7d12beaa3e917.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/a7d738dd4509d65407b7d12beaa3e917.png) 5. In the **Configuration settings page**: Set the configurations you require for Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time Protection, and Remediation). - ![Image of Microsoft Endpoint Manager portal](images/3840b1576d6f79a1d72eb14760ef5e8c.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/3840b1576d6f79a1d72eb14760ef5e8c.png) 6. Add scope tags if necessary, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/2055e4f9b9141525c0eb681e7ba19381.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/2055e4f9b9141525c0eb681e7ba19381.png) 7. Select groups to include, assign to your test group, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/48318a51adee06bff3908e8ad4944dc9.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/48318a51adee06bff3908e8ad4944dc9.png) 8. Review and create, then select **Create**. - ![Image of Microsoft Endpoint Manager portal](images/dfdadab79112d61bd3693d957084b0ec.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/dfdadab79112d61bd3693d957084b0ec.png) 9. You'll see the configuration policy you created. - ![Image of Microsoft Endpoint Manager portal](images/38180219e632d6e4ec7bd25a46398da8.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/38180219e632d6e4ec7bd25a46398da8.png) ### Attack Surface Reduction – Attack surface reduction rules @@ -186,37 +218,44 @@ different types of Endpoint security policies. 4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction rules > Create**. - ![Image of Microsoft Endpoint Manager portal](images/522d9bb4288dc9c1a957392b51384fdd.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/522d9bb4288dc9c1a957392b51384fdd.png) 5. Enter a name and description, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png) 6. In the **Configuration settings page**: Set the configurations you require for Attack surface reduction rules, then select **Next**. - >[!NOTE] - >We will be configuring all of the Attack surface reduction rules to Audit. + > [!NOTE] + > We will be configuring all of the Attack surface reduction rules to Audit. + > + > For more information, see [Attack surface reduction rules](attack-surface-reduction.md). - For more information, see [Attack surface reduction rules](attack-surface-reduction.md). - - ![Image of Microsoft Endpoint Manager portal](images/dd0c00efe615a64a4a368f54257777d0.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/dd0c00efe615a64a4a368f54257777d0.png) 7. Add Scope Tags as required, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png) 8. Select groups to include and assign to test group, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png) 9. Review the details, then select **Create**. - ![Image of Microsoft Endpoint Manager portal](images/2c2e87c5fedc87eba17be0cdeffdb17f.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/2c2e87c5fedc87eba17be0cdeffdb17f.png) 10. View the policy. - ![Image of Microsoft Endpoint Manager portal](images/7a631d17cc42500dacad4e995823ffef.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/7a631d17cc42500dacad4e995823ffef.png) ### Attack Surface Reduction – Web Protection @@ -228,37 +267,44 @@ different types of Endpoint security policies. 4. Select **Windows 10 and Later – Web protection > Create**. - ![Image of Microsoft Endpoint Manager portal](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png) 5. Enter a name and description, then select **Next**. - ![Image of Microsoft Endpoint Manager portal](images/5be573a60cd4fa56a86a6668b62dd808.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/5be573a60cd4fa56a86a6668b62dd808.png) 6. In the **Configuration settings page**: Set the configurations you require for Web Protection, then select **Next**. - >[!NOTE] - >We are configuring Web Protection to Block. + > [!NOTE] + > We are configuring Web Protection to Block. + > + > For more information, see [Web Protection](web-protection-overview.md). - For more information, see [Web Protection](web-protection-overview.md). - - ![Image of Microsoft Endpoint Manager portal](images/6104aa33a56fab750cf30ecabef9f5b6.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/6104aa33a56fab750cf30ecabef9f5b6.png) 7. Add **Scope Tags as required > Next**. - ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/6daa8d347c98fe94a0d9c22797ff6f28.png) 8. Select **Assign to test group > Next**. - ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/45cefc8e4e474321b4d47b4626346597.png) 9. Select **Review and Create > Create**. - ![Image of Microsoft Endpoint Manager portal](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/8ee0405f1a96c23d2eb6f737f11c1ae5.png) 10. View the policy. - ![Image of Microsoft Endpoint Manager portal](images/e74f6f6c150d017a286e6ed3dffb7757.png) + > [!div class="mx-imgBorder"] + > ![Image of Microsoft Endpoint Manager portal](images/e74f6f6c150d017a286e6ed3dffb7757.png) ## Validate configuration settings @@ -275,26 +321,31 @@ To confirm that the configuration policy has been applied to your test device, f 1. Open the MEM portal and navigate to the relevant policy as shown in the steps above. The following example shows the next generation protection settings. - ![Image of Microsoft Endpoint Manager portal](images/43ab6aa74471ee2977e154a4a5ef2d39.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Microsoft Endpoint Manager portal](images/43ab6aa74471ee2977e154a4a5ef2d39.png) ](images/43ab6aa74471ee2977e154a4a5ef2d39.png#lightbox) 2. Select the **Configuration Policy** to view the policy status. - ![Image of Microsoft Endpoint Manager portal](images/55ecaca0e4a022f0e29d45aeed724e6c.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Microsoft Endpoint Manager portal](images/55ecaca0e4a022f0e29d45aeed724e6c.png) ](images/55ecaca0e4a022f0e29d45aeed724e6c.png#lightbox) 3. Select **Device Status** to see the status. - ![Image of Microsoft Endpoint Manager portal](images/18a50df62cc38749000dbfb48e9a4c9b.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Microsoft Endpoint Manager portal](images/18a50df62cc38749000dbfb48e9a4c9b.png) ](images/18a50df62cc38749000dbfb48e9a4c9b.png#lightbox) 4. Select **User Status** to see the status. - ![Image of Microsoft Endpoint Manager portal](images/4e965749ff71178af8873bc91f9fe525.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Microsoft Endpoint Manager portal](images/4e965749ff71178af8873bc91f9fe525.png) ](images/4e965749ff71178af8873bc91f9fe525.png#lightbox) 5. Select **Per-setting status** to see the status. >[!TIP] >This view is very useful to identify any settings that conflict with another policy. - ![Image of Microsoft Endpoint Manager portal](images/42acc69d0128ed09804010bdbdf0a43c.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Microsoft Endpoint Manager portal](images/42acc69d0128ed09804010bdbdf0a43c.png) ](images/42acc69d0128ed09804010bdbdf0a43c.png#lightbox) ### Endpoint detection and response @@ -302,33 +353,38 @@ To confirm that the configuration policy has been applied to your test device, f 1. Before applying the configuration, the Microsoft Defender ATP Protection service should not be started. - ![Image of Services panel](images/b418a232a12b3d0a65fc98248dbb0e31.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Services panel](images/b418a232a12b3d0a65fc98248dbb0e31.png) ](images/b418a232a12b3d0a65fc98248dbb0e31.png#lightbox) 2. After the configuration has been applied, the Microsoft Defender ATP Protection Service should be started. - ![Image of Services panel](images/a621b699899f1b41db211170074ea59e.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Services panel](images/a621b699899f1b41db211170074ea59e.png) ](images/a621b699899f1b41db211170074ea59e.png#lightbox) 3. After the services are running on the device, the device appears in Microsoft Defender Security Center. - ![Image of Microsoft Defender Security Center](images/df0c64001b9219cfbd10f8f81a273190.png) + > [!div class="mx-imgBorder"] + > [ ![Image of Microsoft Defender Security Center](images/df0c64001b9219cfbd10f8f81a273190.png) ](images/df0c64001b9219cfbd10f8f81a273190.png#lightbox) ### Next-generation protection 1. Before applying the policy on a test device, you should be able to manually manage the settings as shown below. - ![Image of setting page](images/88efb4c3710493a53f2840c3eac3e3d3.png) + > [!div class="mx-imgBorder"] + > ![Image of setting page](images/88efb4c3710493a53f2840c3eac3e3d3.png) 2. After the policy has been applied, you should not be able to manually manage the settings. - >[!NOTE] + > [!NOTE] > In the following image **Turn on cloud-delivered protection** and - **Turn on real-time protection** are being shown as managed. + > **Turn on real-time protection** are being shown as managed. - ![Image of setting page](images/9341428b2d3164ca63d7d4eaa5cff642.png) + > [!div class="mx-imgBorder"] + > ![Image of setting page](images/9341428b2d3164ca63d7d4eaa5cff642.png) ### Attack Surface Reduction – Attack surface reduction rules @@ -337,11 +393,11 @@ To confirm that the configuration policy has been applied to your test device, f 2. This should respond with the following lines with no content: - AttackSurfaceReductionOnlyExclusions: - - AttackSurfaceReductionRules_Actions: - - AttackSurfaceReductionRules_Ids: + > AttackSurfaceReductionOnlyExclusions: + > + > AttackSurfaceReductionRules_Actions: + > + > AttackSurfaceReductionRules_Ids: ![Image of command line](images/cb0260d4b2636814e37eee427211fe71.png) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md index 7052df6942..30c80bb608 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Create a notification rule so that when a local onboarding or offboardiing script is used, you'll be notified. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 6ac048cf9d..f26781b856 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -1,6 +1,6 @@ --- title: Onboard to the Microsoft Defender ATP service -description: +description: Learn how to onboard endpoints to Microsoft Defender ATP service keywords: search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -24,7 +24,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Deploying Microsoft Defender ATP is a three-phase process: @@ -44,28 +44,51 @@ Deploying Microsoft Defender ATP is a three-phase process:     		- Onboard + Onboard diagram
    Phase 3: Onboard
    + You are currently in the onboarding phase. +These are the steps you need to take to deploy Microsoft Defender ATP: + +- Step 1: Onboard endpoints to the service +- Step 2: Configure capabilities + +## Step 1: Onboard endpoints using any of the supported management tools +The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Microsoft Defender ATP. + +After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service. + +### Onboarding tool options + +The following table lists the available tools based on the endpoint that you need to onboard. + +| Endpoint | Tool options | +|--------------|------------------------------------------| +| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md)
    [Group Policy](configure-endpoints-gp.md)
    [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md)
    [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
    [VDI scripts](configure-endpoints-vdi.md) | +| **macOS** | [Local scripts](mac-install-manually.md)
    [Microsoft Endpoint Manager](mac-install-with-intune.md)
    [JAMF Pro](mac-install-with-jamf.md)
    [Mobile Device Management](mac-install-with-other-mdm.md) | +| **Linux Server** | [Local script](linux-install-manually.md)
    [Puppet](linux-install-with-puppet.md)
    [Ansible](linux-install-with-ansible.md)| +| **iOS** | [App-based](ios-install.md) | +| **Android** | [Microsoft Endpoint Manager](android-intune.md) | -To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. - -Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. - -After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. +## Step 2: Configure capabilities +After onboarding the endpoints, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. -This article provides resources to guide you on: -- Using various management tools to onboard devices - - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) - - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) +## Example deployments +In this deployment guide, we'll guide you through using two deployment tools to onboard endpoints and how to configure capabilities. + +The tools in the example deployments are: +- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) +- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) + +Using the mentioned deployment tools above, you'll then be guided in configuring the following Microsoft Defender ATP capabilities: - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 3996f745b3..6af7ba9c0f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -26,7 +26,7 @@ ms.topic: conceptual **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index a6bc0dc2a2..3e8077b6b8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -23,7 +23,7 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) With custom detections, you can proactively monitor for and respond to various events and system states, including suspected breach activity and misconfigured devices. You can do this with customizable detection rules that automatically trigger alerts and response actions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index 4c1e39e0e5..0f3c036938 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -25,7 +25,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats. diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index cf352dd917..8b32269fe0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md @@ -22,7 +22,7 @@ ms.date: 09/07/2018 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index 40d005db5a..822b5afaab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -24,15 +24,21 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft Defender ATP supports third-party applications to help enhance the detection, investigation, and threat intelligence capabilities of the platform. -The support for third-party solutions help to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. +The support for third-party solutions helps to further streamline, integrate, and orchestrate defenses from other vendors with Microsoft Defender ATP; enabling security teams to effectively respond better to modern threats. -Microsoft Defender ATP seamlessly integrates with existing security solutions — providing out of the box integration with SIEM, ticketing and IT service management solutions, managed security service providers (MSSP), IoC indicators ingestions and matching, automated device investigation and remediation based on external alerts, and integration with Security orchestration and automation response (SOAR) systems. +Microsoft Defender ATP seamlessly integrates with existing security solutions. The integration provides integration with the following solutions such as: +- SIEM +- Ticketing and IT service management solutions +- Managed security service providers (MSSP) +- IoC indicators ingestions and matching +- Automated device investigation and remediation based on external alerts +- Integration with Security orchestration and automation response (SOAR) systems ## Supported applications @@ -49,7 +55,7 @@ Logo |Partner name | Description ![Image of Micro Focus ArcSight logo](images/arcsight-logo.png) | [Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548) | Use Micro Focus ArcSight to pull Microsoft Defender ATP detections ![Image of RSA NetWitness logo](images/rsa-netwitness-logo.png) | [RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566) | Stream Microsoft Defender ATP Alerts to RSA NetWitness leveraging Microsoft Graph Security API ![Image of SafeBreach logo](images/safebreach-logo.png) | [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2114114)| Gain visibility into Microsoft Defender ATP security events that are automatically correlated with SafeBreach simulations -![Image of Skybox Vulnerability Control logo](images/skybox-logo.png) | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network and threat context to uncover your riskiest vulnerabilities +![Image of Skybox Vulnerability Control logo](images/skybox-logo.png) | [Skybox Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2127467) | Skybox Vulnerability Control cuts through the noise of vulnerability management, correlating business, network, and threat context to uncover your riskiest vulnerabilities ![Image of Splunk logo](images/splunk-logo.png) | [Splunk](https://go.microsoft.com/fwlink/?linkid=2129805) | The Microsoft Defender ATP Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk ![Image of XM Cyber logo](images/xmcyber-logo.png) | [XM Cyber](https://go.microsoft.com/fwlink/?linkid=2136700) | Prioritize your response to an alert based on risk factors and high value assets @@ -60,7 +66,7 @@ Logo |Partner name | Description :---|:---|:--- ![Image of CyberSponse CyOps logo](images/cybersponse-logo.png) | [CyberSponse CyOps](https://go.microsoft.com/fwlink/?linkid=2115943) | CyOps integrates with Microsoft Defender ATP to automate customers' high-speed incident response playbooks ![Image of Delta Risk ActiveEye logo](images/delta-risk-activeeye-logo.png) | [Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468) | Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Microsoft Defender ATP with its cloud-native SOAR platform, ActiveEye. -![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png) | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response +![Image of Demisto, a Palo Alto Networks Company logo](images/demisto-logo.png) | [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414) | Demisto integrates with Microsoft Defender ATP to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response ![Image of Microsoft Flow & Azure Functions logo](images/ms-flow-logo.png) | [Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300) | Use the Microsoft Defender ATP connectors for Azure Logic Apps & Microsoft Flow to automating security procedures ![Image of Rapid7 InsightConnect logo](images/rapid7-logo.png) | [Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040) | InsightConnect integrates with Microsoft Defender ATP to accelerate, streamline, and integrate your time-intensive security processes ![Image of ServiceNow logo](images/servicenow-logo.png) | [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621) | Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration @@ -93,7 +99,7 @@ Logo |Partner name | Description ![Image of Better Mobile logo](images/bettermobile-logo.png) | [Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)| AI based MTD solution to stop mobile threats & phishing. Private internet browsing to protect user privacy ![Image of Corrata logo](images/corrata-logo.png)| [Corrata](https://go.microsoft.com/fwlink/?linkid=2081148) | Mobile solution — Protect your mobile devices with granular visibility and control from Corrata ![Image of Lookout logo](images/lookout-logo.png)| [Lookout](https://go.microsoft.com/fwlink/?linkid=866935)| Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices -![Image of Symantec Endpoint Protection Mobile logo](images/symantec-logo.png) | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect and prevent security threats and vulnerabilities on mobile devices +![Image of Symantec Endpoint Protection Mobile logo](images/symantec-logo.png) | [Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)| SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices ![Image of Zimperium logo](images/zimperium-logo.png)| [Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Microsoft Defender ATP to iOS and Android with Machine Learning-based Mobile Threat Defense @@ -121,7 +127,7 @@ Microsoft Defender ATP offers unique automated investigation and remediation cap Integrating the automated investigation and response capability with other solutions such as IDS and firewalls help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. -External alerts can be pushed into Microsoft Defender ATP and is presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack. +External alerts can be pushed into Microsoft Defender ATP and is presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides a full context of the alert — with the real process and the full story of attack. ## Indicators matching You can use threat-intelligence from providers and aggregators to maintain and use indicators of compromise (IOCs). diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md index 7c6e64db5c..7aa19efe08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md @@ -24,33 +24,34 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Partners can easily extend their existing security offerings on top of the open framework and a rich and complete set of APIs to build extensions and integrations with Microsoft Defender ATP. -The APIs span functional areas including detection, management, response, vulnerabilities and intelligence wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP. +The APIs span functional areas including detection, management, response, vulnerabilities, and intelligence-wide range of use cases. Based on the use case and need, partners can either stream or query data from Microsoft Defender ATP. ## Scenario 1: External alert correlation and Automated investigation and remediation Microsoft Defender ATP offers unique automated investigation and remediation capabilities to drive incident response at scale. -Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts and minimize the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. +Integrating the automated investigation and response capability with other solutions such as network security products or other endpoint security products will help to address alerts. The integration also minimizes the complexities surrounding network and device signal correlation, effectively streamlining the investigation and threat remediation actions on devices. Microsoft Defender ATP adds support for this scenario in the following forms: -- External alerts can be pushed into Microsoft Defender ATP and presented side-by-side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack. + +- External alerts can be pushed into Microsoft Defender ATP and presented side by side with additional device-based alerts from Microsoft Defender ATP. This view provides the full context of the alert - with the real process and the full story of attack. - Once an alert is generated, the signal is shared across all Microsoft Defender ATP protected endpoints in the enterprise. Microsoft Defender ATP takes immediate automated or operator-assisted response to address the alert. ## Scenario 2: Security orchestration and automation response (SOAR) integration -Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs exposes to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. +Orchestration solutions can help build playbooks and integrate the rich data model and actions that Microsoft Defender ATP APIs expose to orchestrate responses, such as query for device data, trigger device isolation, block/allow, resolve alert and others. ## Scenario 3: Indicators matching -Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. +Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability is available in Microsoft Defender ATP and gives the ability to set a list of indicators for prevention, detection, and exclusion of entities. One can define the action to be taken as well as the duration for when to apply the action. -The above scenarios serve as examples of the extensibility of the platform. You are not limited to these and we certainly encourage you leverage the open framework to discover and explore other scenarios. +The above scenarios serve as examples of the extensibility of the platform. You are not limited to the examples and we certainly encourage you to leverage the open framework to discover and explore other scenarios. Follow the steps in [Become a Microsoft Defender ATP partner](get-started-partner-integration.md) to integrate your solution in Microsoft Defender ATP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index f8d7446a76..699cc87da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -23,7 +23,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index 7525f68b6e..f74d49ee22 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index f5f432ad15..59653a5fc2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index 9e4e98ffb5..fe2d128e37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -1,6 +1,6 @@ --- title: Prepare Microsoft Defender ATP deployment -description: Prepare stakeholder sign-off, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP +description: Prepare stakeholder approval, timelines, environment considerations, and adoption order when deploying Microsoft Defender ATP keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -26,7 +26,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) @@ -71,14 +71,14 @@ You are currently in the preparation phase. Preparation is key to any successful deployment. In this article, you'll be guided on the points you'll need to consider as you prepare to deploy Microsoft Defender ATP. -## Stakeholders and Sign-off +## Stakeholders and approval The following section serves to identify all the stakeholders that are involved -in the project and need to sign-off, review, or stay informed. +in the project and need to approve, review, or stay informed. Add stakeholders to the table below as appropriate for your organization. -- SO = Sign-off on this project +- SO = Approve project - R = Review this project and provide input @@ -90,14 +90,14 @@ to the table below as appropriate for your organization. | Enter name and email | **Head of Cyber Defense Operations Center (CDOC)** *A representative from the CDOC team in charge of defining how this change is aligned with the processes in the customers security operations team.* | SO | | Enter name and email | **Security Architect** *A representative from the Security team in charge of defining how this change is aligned with the core Security architecture in the organization.* | R | | Enter name and email | **Workplace Architect** *A representative from the IT team in charge of defining how this change is aligned with the core workplace architecture in the organization.* | R | -| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience and overall usefulness of this change from a security operations perspective.* | I | +| Enter name and email | **Security Analyst** *A representative from the CDOC team who can provide input on the detection capabilities, user experience, and overall usefulness of this change from a security operations perspective.* | I | ## Environment This section is used to ensure your environment is deeply understood by the -stakeholders which will help identify potential dependencies and/or changes +stakeholders, which will help identify potential dependencies and/or changes required in technologies or processes. | What | Description | @@ -112,14 +112,14 @@ required in technologies or processes. ## Role-based access control Microsoft recommends using the concept of least privileges. Microsoft Defender -ATP leverages built-in roles within Azure Active Directory. Microsoft recommend +ATP leverages built-in roles within Azure Active Directory. Microsoft recommends [review the different roles that are available](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles-azure-portal) and choose the right one to solve your needs for each persona for this application. Some roles may need to be applied temporarily and removed after the deployment has been completed. -| Personas | Roles | Azure AD Role (if required) | Assign to | +| Personas | Roles | Azure AD Role (if necessary) | Assign to | |------------------------------|-------|-----------------------------|-----------| | Security Administrator | | | | | Security Analyst | | | | @@ -157,13 +157,13 @@ structure required for your environment. |--------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| | Tier 1 | **Local security operations team / IT team**
    This team usually triages and investigates alerts contained within their geolocation and escalates to Tier 2 in cases where an active remediation is required. | | | Tier 2 | **Regional security operations team**
    This team can see all the devices for their region and perform remediation actions. | View data | -| Tier 3 | **Global security operations team**
    This team consists of security experts and are authorized to see and perform all actions from the portal. | View data
    Alerts investigation Active remediation actions
    Alerts investigation Active remediation actions
    Manage portal system settings
    Manage security settings | +| Tier 3 | **Global security operations team**
    This team consists of security experts and is authorized to see and perform all actions from the portal. | View data
    Alerts investigation Active remediation actions
    Alerts investigation Active remediation actions
    Manage portal system settings
    Manage security settings | ## Adoption Order In many cases, organizations will have existing endpoint security products in -place. The bare minimum every organization should have is an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already. +place. The bare minimum every organization should have been an antivirus solution. But in some cases, an organization might also have implanted an EDR solution already. Historically, replacing any security solution used to be time intensive and difficult to achieve due to the tight hooks into the application layer and infrastructure @@ -179,7 +179,7 @@ how the endpoint security suite should be enabled. | Endpoint Detection & Response (EDR) | Microsoft Defender ATP endpoint detection and response capabilities provide advanced attack detections that are near real-time and actionable. Security analysts can prioritize alerts effectively, gain visibility into the full scope of a breach, and take response actions to remediate threats.
    [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response) | 1 | |Threat & Vulnerability Management (TVM)|Threat & Vulnerability Management is a component of Microsoft Defender ATP, and provides both security administrators and security operations teams with unique value, including:
    - Real-time endpoint detection and response (EDR) insights correlated with endpoint vulnerabilities
    - Invaluable device vulnerability context during incident investigations
    - Built-in remediation processes through Microsoft Intune and Microsoft System Center Configuration Manager
    [Learn more](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Introducing-a-risk-based-approach-to-threat-and-vulnerability/ba-p/377845).| 2 | | Next-generation protection (NGP) | Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. Microsoft Defender Antivirus includes:
    -Cloud-delivered protection for near-instant detection and blocking of new and emerging threats. Along with machine learning and the Intelligent Security Graph, cloud-delivered protection is part of the next-gen technologies that power Microsoft Defender Antivirus.
    - Always-on scanning using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection").
    - Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research.
    [Learn more](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). |3 | -| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP helps protect the devices and applications in the organization from new and emerging threats.
    [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | +| Attack Surface Reduction (ASR) | Attack surface reduction capabilities in Microsoft Defender ATP help protect the devices and applications in the organization from new and emerging threats.
    [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) | 4 | | Auto Investigation & Remediation (AIR) | Microsoft Defender ATP uses Automated investigations to significantly reduce the volume of alerts that need to be investigated individually. The Automated investigation feature leverages various inspection algorithms, and processes used by analysts (such as playbooks) to examine alerts and take immediate remediation action to resolve breaches. This significantly reduces alert volume, allowing security operations experts to focus on more sophisticated threats and other high value initiatives.
    [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | Not applicable | | Microsoft Threat Experts (MTE) | Microsoft Threat Experts is a managed hunting service that provides Security Operation Centers (SOCs) with expert level monitoring and analysis to help them ensure that critical threats in their unique environments don't get missed.
    [Learn more.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-threat-experts) | Not applicable | diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index f031b9edd9..0609532537 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -22,7 +22,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-previewsettings-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index 4443433ac4..5ed93079a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -27,7 +27,7 @@ ms.topic: conceptual >The preview versions are provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) The Microsoft Defender ATP service is constantly being updated to include new feature enhancements and capabilities. @@ -60,8 +60,6 @@ The following features are included in the preview release: - [Web Content Filtering](web-content-filtering.md)
    Web content filtering is part of web protection capabilities in Microsoft Defender ATP. It enables your organization to track and regulate access to websites based on their content categories. Many of these websites, while not malicious, might be problematic because of compliance regulations, bandwidth usage, or other concerns. - - [Threat and vulnerability management supported operating systems and platforms](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os)
    Ensure that you meet the operating system or platform requisites for Threat & Vulnerability Management so the activities in your devices are properly accounted for. Threat & Vulnerability Management supports Windows 7, Windows 10 1607-1703, Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, Windows Server 2019.

    Secure Configuration Assessment (SCA) supports Windows 10 1709+, Windows Server 2008R2, Windows Server 2012R2, Windows Server 2016, and Windows Server 2019. - - [Device health and compliance report](machine-reports.md)
    The device health and compliance report provides high-level information about the devices in your organization. - [Information protection](information-protection-in-windows-overview.md)
    @@ -70,11 +68,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr >[!NOTE] >Partially available from Windows 10, version 1809. -- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
    Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices. - - >[!NOTE] - >Available from Windows 10, version 1809 or later. - - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
    Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 4a974f0e24..a1c3772e14 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -1,7 +1,7 @@ --- title: Set up Microsoft Defender ATP deployment -description: -keywords: +description: Learn how to setup the deployment for Microsoft Defender ATP +keywords: deploy, setup, licensing validation, tenant configuration, network configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 @@ -26,7 +26,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Deploying Microsoft Defender ATP is a three-phase process: @@ -46,7 +46,7 @@ Deploying Microsoft Defender ATP is a three-phase process: - Onboard + Onboard image
    Phase 3: Onboard
    @@ -54,7 +54,7 @@ Deploying Microsoft Defender ATP is a three-phase process: -You are currently in the set up phase. +You are currently in the set-up phase. In this deployment scenario, you'll be guided through the steps on: - Licensing validation @@ -69,13 +69,13 @@ In this deployment scenario, you'll be guided through the steps on: Checking for the license state and whether it got properly provisioned, can be done through the admin center or through the **Microsoft Azure portal**. -1. To view your licenses go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). +1. To view your licenses, go to the **Microsoft Azure portal** and navigate to the [Microsoft Azure portal license section](https://portal.azure.com/#blade/Microsoft_AAD_IAM/LicensesMenuBlade/Products). ![Image of Azure Licensing page](images/atp-licensing-azure-portal.png) 1. Alternately, in the admin center, navigate to **Billing** > **Subscriptions**. - On the screen you will see all the provisioned licenses and their current **Status**. + On the screen, you will see all the provisioned licenses and their current **Status**. ![Image of billing licenses](images/atp-billing-subscriptions.png) @@ -84,9 +84,9 @@ Checking for the license state and whether it got properly provisioned, can be d To gain access into which licenses are provisioned to your company, and to check the state of the licenses, go to the admin center. -1. From the **Partner portal**, click on the **Administer services > Office 365**. +1. From the **Partner portal**, select **Administer services > Office 365**. -2. Clicking on the **Partner portal** link will leverage the **Admin on behalf** option and will give you access to the customer admin center. +2. Clicking on the **Partner portal** link will open the **Admin on behalf** option and will give you access to the customer admin center. ![Image of O365 admin portal](images/atp-O365-admin-portal-customer.png) @@ -94,7 +94,7 @@ To gain access into which licenses are provisioned to your company, and to check ## Tenant Configuration -When accessing [Microsoft Defender Security Center](https://securitycenter.windows.com/) for the first time there will be a set up wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device. +When accessing Microsoft Defender Security Center for the first time, a wizard that will guide you through some initial steps. At the end of the setup wizard, there will be a dedicated cloud instance of Microsoft Defender ATP created. The easiest method is to perform these steps from a Windows 10 client device. 1. From a web browser, navigate to . @@ -109,9 +109,9 @@ When accessing [Microsoft Defender Security Center](https://securitycenter.windo 4. Set up preferences. - **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation. + **Data storage location** - It's important to set this up correctly. Determine where the customer wants to be primarily hosted: US, EU, or UK. You cannot change the location after this set up and Microsoft will not transfer the data from the specified geolocation. - **Data retention** - The default is 6 months. + **Data retention** - The default is six months. **Enable preview features** - The default is on, can be changed later. @@ -137,11 +137,11 @@ WinHTTP configuration setting is independent of the Windows Internet (WinINet) internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: -**Auto-discovery methods:** +**Autodiscovery methods:** - Transparent proxy -- Web Proxy Auto-discovery Protocol (WPAD) +- Web Proxy Autodiscovery Protocol (WPAD) If a Transparent proxy or WPAD has been implemented in the network topology, there is no need for special configuration settings. For more information on @@ -155,7 +155,7 @@ Docs](https://docs.microsoft.com/windows/security/threat-protection/windows-defe **Manual static proxy configuration:** -- Registry based configuration +- Registry-based configuration - WinHTTP configured using netsh command
    Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the @@ -175,13 +175,13 @@ under: 1. Open the Group Policy Management Console. 2. Create a policy or edit an existing policy based off the organizational practices. 3. Edit the Group Policy and navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service**. - ![Image of Group Policy setting](images/atp-gpo-proxy1.png) + ![Image of Group Policy configuration](images/atp-gpo-proxy1.png) 4. Select **Enabled**. 5. Select **Disable Authenticated Proxy usage**. 6. Navigate to **Administrative Templates \> Windows Components \> Data Collection and Preview Builds \> Configure connected user experiences and telemetry**. - ![Image of Group Policy setting](images/atp-gpo-proxy2.png) + ![Image of Group Policy configuration setting](images/atp-gpo-proxy2.png) 7. Select **Enabled**. 8. Enter the **Proxy Server Name**. @@ -205,7 +205,7 @@ Use netsh to configure a system-wide static proxy. > - This will affect all applications including Windows services which use WinHTTP with default proxy.
    > - Laptops that are changing topology (for example: from office to home) will malfunction with netsh. Use the registry-based static proxy configuration. -1. Open an elevated command-line: +1. Open an elevated command line: 1. Go to **Start** and type **cmd**. @@ -223,7 +223,7 @@ Use netsh to configure a system-wide static proxy. ### Proxy Configuration for down-level devices Down-Level devices include Windows 7 SP1 and Windows 8.1 workstations as well -as Windows Server 2008 R2, Windows Sever 2012, Windows Server 2012 R2, and +as Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and versions of Windows Server 2016 prior to Windows Server CB 1803. These operating systems will have the proxy configured as part of the Microsoft Management Agent to handle communication from the endpoint to Azure. Refer to the @@ -238,15 +238,16 @@ needed if the device is on Windows 10, version 1803 or later. If a proxy or firewall is blocking anonymous traffic, as Microsoft Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the listed URLs. +The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. Ensure that there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an *allow* rule specifically for them. -|**Item**|**Description**| +|**Spreadsheet of domains list**|**Description**| |:-----|:-----| -|[![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx)
    [Spreadsheet](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) | The spreadsheet provides specific DNS records for service locations, geographic locations, and OS. +|![Thumb image for Microsoft Defender ATP URLs spreadsheet](images/mdatp-urls.png)
    | Spreadsheet of specific DNS records for service locations, geographic locations, and OS.

    [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) ### Microsoft Defender ATP service backend IP range -If you network devices don't support the URLs white-listed in the prior section, you can use the following information. +If you network devices don't support the URLs listed in the prior section, you can use the following information. Microsoft Defender ATP is built on Azure cloud, deployed in the following regions: diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 078b9f44ba..5ded65750b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index 8dfa3de26f..3dd71c46a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 136bd67acd..ae061aa91b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index 70e5354db8..e5a93c9ecf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index 6b595daea4..d0659c30a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** - Azure Active Directory - Office 365 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-rbac-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md index c094ae5bec..4e9bf9b693 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index cad6f89bbe..b22362ce0a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -24,7 +24,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) [!include[Prerelease information](../../includes/prerelease.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 62ea654ded..89647f9832 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) @@ -110,7 +110,7 @@ The package contains the following folders: | System Information| Contains a SystemInformation.txt file which lists system information such as OS version and network cards. | | Temp Directories| Contains a set of text files that lists the files located in %Temp% for every user in the system.

    This can help to track suspicious files that an attacker may have dropped on the system.

    NOTE: If the file contains the following message: “The system cannot find the path specified”, it means that there is no temp directory for this user, and might be because the user didn’t log in to the system.
    | | Users and Groups| Provides a list of files that each represent a group and its members. | -|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab | +|WdSupportLogs| Provides the MpCmdRunLog.txt and MPSupportFiles.cab

    NOTE: This folder will only be created on Windows 10, version 1709 or later with February 2020 update rollup or more recent installed:
    Win10 1709 (RS3) Build 16299.1717 : [KB4537816](https://support.microsoft.com/en-us/help/4537816/windows-10-update-kb4537816)
    Win10 1803 (RS4) Build 17134.1345 : [KB4537795](https://support.microsoft.com/en-us/help/4537795/windows-10-update-kb4537795)
    Win10 1809 (RS5) Build 17763.1075 : [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818)
    Win10 1903/1909 (19h1/19h2) Builds 18362.693 and 18363.693 : [KB4535996](https://support.microsoft.com/en-us/help/4535996/windows-10-update-kb4535996)
    | | CollectionSummaryReport.xls| This file is a summary of the investigation package collection, it contains the list of data points, the command used to extract the data, the execution status, and the error code in case of failure. You can use this report to track if the package includes all the expected data and identify if there were any errors. | ## Run Microsoft Defender Antivirus scan on devices diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index f4b6552adb..7b9e53a6e8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index 55fe2974c7..821c82fed3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md @@ -25,15 +25,15 @@ ms.date: 5/1/2020 **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-managealerts-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] +The alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story. -The new alert page in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) provides full context to the alert, by combining attack signals and alerts related to the selected alert, to construct a detailed alert story. +Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. Learn more in this overview. -Quickly triage, investigate, and take effective action on alerts that affect your organization. Understand why they were triggered, and their impact from one location. +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5] ## Getting started with an alert @@ -92,14 +92,6 @@ If you are experiencing a false alert with a line-of-business application, creat > [!TIP] > If you're experiencing any issues not described above, use the 🙂 button to provide feedback or open a support ticket. -## Transitioning to the new alert page - -When making the move to the new alert page you will notice that we have centralized information from the alert process tree, the incident graph, and the artifact timeline into the [alert story](#investigate-using-the-alert-story), with some information available through the [affected assets](#review-affected-assets) section. Any additional information has been consolidated into the details pane for the relevant entities. - -## Video overview of the new alert page - -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5] - ## Related topics - [View and organize the incidents queue](view-incidents-queue.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 1d8c035b5c..91772a215f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -22,7 +22,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index 00381d0550..dfb227ec23 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -1,5 +1,5 @@ --- -title: Advanced Hunting with Powershell API Basics +title: Advanced Hunting with PowerShell API Basics ms.reviewer: description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using PowerShell. keywords: apis, supported apis, advanced hunting, query @@ -22,12 +22,12 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). -In this section we share PowerShell samples to retrieve a token and use it to run a query. +In this section, we share PowerShell samples to retrieve a token and use it to run a query. ## Before you begin You first need to [create an app](apis-intro.md). @@ -40,7 +40,7 @@ You first need to [create an app](apis-intro.md). Set-ExecutionPolicy -ExecutionPolicy Bypass ``` ->For more details, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) +>For more information, see [PowerShell documentation](https://docs.microsoft.com/powershell/module/microsoft.powershell.security/set-executionpolicy) ## Get token @@ -64,9 +64,9 @@ $aadToken = $response.access_token ``` where -- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) -- $appSecret: Secret of your AAD app +- $tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant) +- $appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) +- $appSecret: Secret of your Azure AD app ## Run query @@ -88,7 +88,7 @@ $results = $response.Results $schema = $response.Schema ``` -- $results contains the results of your query +- $results contain the results of your query - $schema contains the schema of the results of your query ### Complex queries diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index 282cc94d06..55f4d1ec1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -24,17 +24,17 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md). -In this section we share Python samples to retrieve a token and use it to run a query. +In this section, we share Python samples to retrieve a token and use it to run a query. >**Prerequisite**: You first need to [create an app](apis-intro.md). ## Get token -- Run the following: +- Run the following commands: ``` @@ -67,9 +67,9 @@ aadToken = jsonResponse["access_token"] ``` where -- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) -- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) -- appSecret: Secret of your AAD app +- tenantId: ID of the tenant on behalf of which you want to run the query (that is, the query will be run on the data of this tenant) +- appId: ID of your Azure AD app (the app must have 'Run advanced queries' permission to Microsoft Defender ATP) +- appSecret: Secret of your Azure AD app ## Run query @@ -96,7 +96,7 @@ results = jsonResponse["Results"] ``` - schema contains the schema of the results of your query -- results contains the results of your query +- results contain the results of your query ### Complex queries diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index 1219b9aa21..ac66c55986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index a40530476f..21efcfa495 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -30,7 +30,7 @@ ms.topic: article - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) Run the following PowerShell script on a newly onboarded device to verify that it is properly reporting to the Microsoft Defender ATP service. diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md index edeeea026b..e0d37c9adc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index 608a4bedcf..c564eb22ec 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -23,7 +23,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index b9325d8184..1373591e5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -23,13 +23,13 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-servicestatus-abovefoldlink) -The **Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +**Service health** provides information on the current status of the Microsoft Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see information such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. @@ -51,7 +51,7 @@ The **Current status** tab shows the current state of the Microsoft Defender ATP - Next steps - Expected resolution time -Updates on the progress of an issue is reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps. +Updates on the progress of an issue are reflected on the page as the issue gets resolved. You'll see updates on information such as an updated estimate resolution time or next steps. When an issue is resolved, it gets recorded in the **Status history** tab. diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 65012f7ca0..eb081b2ce2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -21,14 +21,14 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) ## API description Set the device value of a specific [Machine](machine.md).
    -See [threat and vulnerability management scenarios](threat-and-vuln-mgt-scenarios.md) for more information. +See [assign device values](tvm-assign-device-value.md) for more information. ## Limitations diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md index 514baa2899..bdd977b76d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 60c046ee70..1d98b043e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md index 2fa6615e6a..0ad991db3c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md @@ -1,6 +1,6 @@ --- title: Supported Microsoft Defender Advanced Threat Protection response APIs -description: Learn about the specific response related Microsoft Defender Advanced Threat Protection API calls. +description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls. keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -23,29 +23,29 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) -Learn about the supported response related API calls you can run and details such as the required request headers, and expected response from the calls. +Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. ## In this section Topic | Description :---|:--- -Collect investigation package | Run this to collect an investigation package from a device. -Isolate device | Run this to isolate a device from the network. +Collect investigation package | Run this API to collect an investigation package from a device. +Isolate device | Run this API to isolate a device from the network. Unisolate device | Remove a device from isolation. -Restrict code execution | Run this to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. +Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. -Block file | Run this to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. +Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. -Get package SAS URI | Run this to get a URI that allows downloading an investigation package. -Get MachineAction object | Run this to get MachineAction object. +Get package SAS URI | Run this API to get a URI that allows downloading an investigation package. +Get MachineAction object | Run this API to get MachineAction object. Get MachineActions collection | Run this to get MachineAction collection. -Get FileActions collection | Run this to get FileActions collection. -Get FileMachineAction object | Run this to get FileMachineAction object. -Get FileMachineActions collection | Run this to get FileMachineAction collection. +Get FileActions collection | Run this API to get FileActions collection. +Get FileMachineAction object | Run this API to get FileMachineAction object. +Get FileMachineActions collection | Run this API to get FileMachineAction collection. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index bdb20dff52..7736f20b59 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -25,7 +25,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly: diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index 86dbfb50a0..0e1e460db8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -24,41 +24,36 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization through new vulnerabilities or exploits. You can view events that may impact your organization's risk. For example, you can find new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploit that was added to an exploit kit, and more. -Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) so you can determine the cause of large changes. Reduce you exposure score by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). +Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). ## Navigate to the Event timeline page -You can access Event timeline mainly through three ways: +There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md): -- In the threat and vulnerability management navigation menu in the Microsoft Defender Security Center -- Top events card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). The highest impact events (for example, affect the most devices or critical vulnerabilities) -- Hovering over the Exposure Score graph in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- **Organization exposure score card**: Hover over the event dots in the "Exposure Score over time" graph and select "See all events from this day." The events represent software vulnerabilities. +- **Microsoft Secure Score for Devices**: Hover over the event dots in the "Your score for devices over time" graph and select "See all events from this day." The events represent new configuration assessments. +- **Top events card**: Select "Show more" at the bottom of the top events table. The card displays the three most impactful events in the last 7 days. Impactful events can include if the event affects a large number of devices, or if it is a critical vulnerability. -### Navigation menu +### Exposure score and Microsoft Secure Score for Devices graphs -Go to the threat and vulnerability management navigation menu and select **Event timeline** to view impactful events. +In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top software vulnerability events from that day that impacted your devices. Hover over the Microsoft Secure Score for Devices graph to view new security configuration assessments that affect your score. -### Top events card +If there are no events that affect your devices or your score for devices, then none will be shown. -In the threat and vulnerability management dashboard, the "Top events" card displays the three most impactful events in the last 7 days. Select **Show more** to go to the Event timeline page. +![Exposure score hover](images/tvm-event-timeline-exposure-score350.png) +![Microsoft Secure Score for Devices hover](images/tvm-event-timeline-device-hover360.png) -![Event timeline page](images/tvm-top-events-card.png) - -### Exposure score graph - -In the threat and vulnerability management dashboard, hover over the Exposure score graph to view top events from that day that impacted your devices. If there are no events, then none will be shown. - -![Event timeline page](images/tvm-event-timeline-exposure-score400.png) +### Drill down to events from that day Selecting **Show all events from this day** takes you to the Event timeline page with a custom date range for that day. -![Event timeline page](images/tvm-event-timeline-drilldown.png) +![Event timeline selected custom date range](images/tvm-event-timeline-drilldown.png) Select **Custom range** to change the date range to another custom one, or a pre-set time range. @@ -78,9 +73,6 @@ The two large numbers at the top of the page show the number of new vulnerabilit ![Event timeline page](images/tvm-event-timeline-overview-mixed-type.png) ->[!NOTE] ->Event type called "New configuration assessment" coming soon. - ### Columns - **Date**: month, day, year @@ -93,6 +85,7 @@ The two large numbers at the top of the page show the number of new vulnerabilit - Exploit was verified - New public exploit - New vulnerability + - New configuration assessment - **Score trend**: exposure score trend ### Icons @@ -102,7 +95,7 @@ The following icons show up next to events: - ![bug icon](images/tvm-black-bug-icon.png) New public exploit - ![report warning icon](images/report-warning-icon.png) New vulnerability was published - ![exploit kit](images/bug-lightning-icon2.png) Exploit found in exploit kit -- ![bug icon](images/bug-caution-icon2.png) Exploit verified +- ![bug icon with warning icon](images/bug-caution-icon2.png) Exploit verified ### Drill down to a specific event @@ -112,7 +105,7 @@ The arrow below "score trend" helps you determine whether this event potentially ![Event timeline flyout](images/tvm-event-timeline-flyout500.png) -From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can [submit a remediation request](tvm-security-recommendation.md#request-remediation), and track the request in the [remediation page](tvm-remediation.md). +From there, select **Go to related security recommendation** view the recommendation that addresses the new software vulnerability in the [security recommendations page](tvm-security-recommendation.md). After reading the description and vulnerability details in the security recommendation, you can submit a remediation request, and track the request in the [remediation page](tvm-remediation.md). ## View Event timelines in software pages @@ -129,17 +122,9 @@ Navigate to the event timeline tab to view all the events related to that softwa ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) +- [Remediate vulnerabilities](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) -- [Advanced hunting overview](overview-hunting.md) -- [All advanced hunting tables](advanced-hunting-reference.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index a4691bc3cc..a7fc785038 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -23,7 +23,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index a8d1540ac2..937906e7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -25,7 +25,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Integrate with other Microsoft solutions diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index 3fff8e808b..6690a9a308 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 039703000c..a527797436 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index c2362f07ac..173c407eda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index ba95b235f8..5869c9d23d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -24,7 +24,7 @@ ms.custom: asr **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md index eecaf63643..30017b4ca8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md @@ -21,7 +21,7 @@ ms.topic: troubleshooting **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) When contacting support, you may be asked to provide the output package of the Microsoft Defender ATP Client Analyzer tool. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 2773899fc2..aff164b095 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md index db3f3bee81..01ddeadebe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md @@ -17,14 +17,14 @@ ms.collection: M365-security-compliance ms.topic: troubleshooting --- -# Troubleshoot Microsoft Defender Advanced Threat Protection live response issues +# Troubleshoot Microsoft Defender for Endpoint live response issues [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) This page provides detailed steps to troubleshoot live response issues. @@ -56,12 +56,12 @@ If while trying to take an action during a live response session, you encounter 5. Run the action you wanted to take on the copied file. ## Slow live response sessions or delays during initial connections -Live response leverages Microsoft Defender ATP sensor registration with WNS service in Windows. -If you are having connectivity issues with live response, please confirm the following: -1. `notify.windows.com` is not blocked in your environment. For more information see, [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). +Live response leverages Defender for Endpoint sensor registration with WNS service in Windows. +If you are having connectivity issues with live response, confirm the following details: +1. `notify.windows.com` is not blocked in your environment. For more information, see, [Configure device proxy and Internet connectivity settings](configure-proxy-internet.md#enable-access-to-microsoft-defender-for-endpoint-service-urls-in-the-proxy-server). 2. WpnService (Windows Push Notifications System Service) is not disabled. -Please refer to the articles below to fully understand the WpnService service behavior and requirements: +Refer to the articles below to fully understand the WpnService service behavior and requirements: - [Windows Push Notification Services (WNS) overview](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview) - [Enterprise Firewall and Proxy Configurations to Support WNS Traffic](https://docs.microsoft.com/windows/uwp/design/shell/tiles-and-notifications/firewall-allowlist-config) - [Microsoft Push Notifications Service (MPNS) Public IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=44535) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index f925f8ec6f..bea92c57cf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -23,7 +23,7 @@ manager: dansimp **Applies to:** -* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) * IT administrators diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 42a3ad5d0b..73945ccbcd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -24,7 +24,7 @@ ms.topic: troubleshooting **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) @@ -36,15 +36,15 @@ If you receive an error message, Microsoft Defender Security Center will provide ## No subscriptions found -If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Microsoft Defender ATP license. +If while accessing Microsoft Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (Azure AD) used to log in the user to the portal, does not have a Microsoft Defender ATP license. Potential reasons: - The Windows E5 and Office E5 licenses are separate licenses. -- The license was purchased but not provisioned to this AAD instance. +- The license was purchased but not provisioned to this Azure AD instance. - It could be a license provisioning issue. - - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. + - It could be you inadvertently provisioned the license to a different Microsoft Azure AD than the one used for authentication into the service. -For both cases you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or +For both cases, you should contact Microsoft support at [General Microsoft Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or [Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). ![Image of no subscriptions found](images/atp-no-subscriptions-found.png) @@ -63,16 +63,16 @@ You can choose to renew or extend the license at any point in time. When accessi ## You are not authorized to access the portal If you receive a **You are not authorized to access the portal**, be aware that Microsoft Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. -For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). +For more information, see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). ![Image of not authorized to access portal](images/atp-not-authorized-to-access-portal.png) ## Data currently isn't available on some sections of the portal -If the portal dashboard, and other sections show an error message such as "Data currently isn't available": +If the portal dashboard and other sections show an error message such as "Data currently isn't available": ![Image of data currently isn't available](images/atp-data-not-available.png) -You'll need to allow the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`. +You'll need to allow the `securitycenter.windows.com` and all subdomains under it. For example, `*.securitycenter.windows.com`. ## Portal communication issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index d55165aaae..673f3f624c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -24,7 +24,7 @@ ms.topic: troubleshooting **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Windows Server 2012 R2 - Windows Server 2016 diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index 0ac32a5707..765a21fe20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -23,7 +23,7 @@ ms.topic: troubleshooting **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md new file mode 100644 index 0000000000..8dfec3f344 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md @@ -0,0 +1,76 @@ +--- +title: Assign device value - threat and vulnerability management +description: Learn how to assign a low, normal, or high value to a device to help you differentiate between asset priorities. +keywords: microsoft defender atp device value, threat and vulnerability management device value, high value devices, device value exposure score +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: article +--- + +# Assign device value - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +[!include[Prerelease information](../../includes/prerelease.md)] + +Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices assigned as “high value” will receive more weight. + +You can also use the [set device value API](set-device-value.md). + +Device value options: + +- Low +- Normal (Default) +- High + +Examples of devices that should be assigned a high value: + +- Domain controllers, Active Directory +- Internet facing devices +- VIP devices +- Devices hosting internal/external production services + +## Choose device value + +1. Navigate to any device page, the easiest place is from the device inventory. + +2. Select **Device value** from three dots next to the actions bar at the top of the page. + + ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) + +3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device. +![Example of the device value flyout.](images/tvm-device-value-flyout.png) + +## How device value impacts your exposure score + +The exposure score is a weighted average across all devices. If you have device groups, you can also filter the score by device group. + +- Normal devices have a weight of 1 +- Low value devices have a weight of 0.75 +- High value devices have a weight of NumberOfAssets / 10. + - If you have 100 devices, each high value device will have a weight of 10 (100/10) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Exposure Score](tvm-exposure-score.md) +- [APIs](next-gen-threat-and-vuln-mgt.md#apis) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index eca2eff41e..004ad94602 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,5 +1,5 @@ --- -title: Threat and vulnerability management dashboard insights +title: Dashboard insights - threat and vulnerability management description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 @@ -18,14 +18,14 @@ ms.collection: - m365initiative-defender-endpoint ms.topic: conceptual --- -# Threat and vulnerability management dashboard insights +# Dashboard insights - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -49,24 +49,10 @@ Watch this video for a quick overview of what is in the threat and vulnerability >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4r1nv] -## Threat and vulnerability management in Microsoft Defender Security Center +## Threat and vulnerability management dashboard ![Microsoft Defender Advanced Threat Protection portal](images/tvm-dashboard-devices.png) -You can navigate through the portal using the menu options available in all sections. Refer to the following tables for a description of each section. - -## Threat and vulnerability management navigation pane - -Area | Description -:---|:--- -**Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. -[**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. -[**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). -[**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. - -## Threat and vulnerability management dashboard - Area | Description :---|:--- **Selected device groups (#/#)** | Filter the threat and vulnerability management data you want to see in the dashboard and cards by device groups. What you select in the filter applies throughout the threat and vulnerability management pages. @@ -83,14 +69,9 @@ For more information on the icons used throughout the portal, see [Microsoft Def ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md new file mode 100644 index 0000000000..7d2f8da30c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md @@ -0,0 +1,69 @@ +--- +title: Plan for end-of-support software and software versions +description: Discover and plan for software and software versions that are no longer supported and won't receive security updates. +keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- +# Plan for end-of-support software and software versions with threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +End-of-support (EOS), otherwise known as end-of-life (EOL), for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. + +It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. + +## Find software or software versions that are no longer supported + +1. From the threat and vulnerability management menu, navigate to [**Security recommendations**](tvm-security-recommendation.md). +2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. + + ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions.](images/tvm-eos-tag.png) + +3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. + + ![Recommendations with EOS tag.](images/tvm-eos-tags-column.png) + +## List of versions and dates + +To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: + +1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. + + ![Screenshot of version distribution link.](images/eos-upcoming-eos.png) + +2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. + + ![Screenshot of software drilldown page with end of support software.](images/software-drilldown-eos.png) + +3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. + + ![Screenshot of end of support date.](images/version-eos-date.png) + +Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Software inventory](tvm-software-inventory.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md new file mode 100644 index 0000000000..f8f6565174 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md @@ -0,0 +1,98 @@ +--- +title: Create and view exceptions for security recommendations - threat and vulnerability management +description: Create and monitor exceptions for security recommendations in threat and vulnerability management. +keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +--- +# Create and view exceptions for security recommendations - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Sometimes, you may not be able to take the remediation steps suggested by a security recommendation. If that is the case, threat and vulnerability management gives you an avenue to create an exception. + +When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and no longer shows up in the security recommendations list. + +## Create an exception + +1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). + +2. Select a security recommendation you would like to create an exception for, and then **Exception options**. +![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) + +3. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. + + The following list details the justifications behind the exception options: + + - **Third party control** - A third party product or software already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced + - **Alternate mitigation** - An internal tool already addresses this recommendation + - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced + - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive + - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization + +4. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. + +## View your exceptions + +When you file for an exception from the security recommendations page, you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). + +The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. + +![Example of the exception page and filter options.](images/tvm-exception-filters.png) + +### Exception actions and statuses + +Once an exception exists, you can cancel it at any time by going to the exception in the **Remediation** page and selecting **Cancel exception**. + +The following statuses will be a part of an exception: + +- **Canceled** - The exception has been canceled and is no longer in effect +- **Expired** - The exception that you've filed is no longer in effect +- **In effect** - The exception that you've filed is in progress + +### Exception impact on scores + +Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: + +- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. +- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. +- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. + +The exception impact shows on both the Security recommendations page column and in the flyout pane. + +![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) + +### View exceptions in other places + +Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. + +![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Remediate vulnerabilities](tvm-remediation.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Exposure score](tvm-exposure-score.md) +- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 1773f17654..d23e973e81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -22,10 +22,10 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -41,15 +41,6 @@ The card gives you a high-level view of your exposure score trend over time. Any ## How it works -Threat and vulnerability management introduces a new exposure score metric, which visually represents how exposed your devices are to imminent threats. - -The exposure score is continuously calculated on each device in the organization. It is influenced by the following factors: - -- Weaknesses, such as vulnerabilities discovered on the device -- External and internal threats such as public exploit code and security alerts -- Likelihood of the device to get breached given its current security posture -- Value of the device to the organization given its role and content - The exposure score is broken down into the following levels: - 0–29: low exposure score @@ -58,6 +49,46 @@ The exposure score is broken down into the following levels: You can remediate the issues based on prioritized [security recommendations](tvm-security-recommendation.md) to reduce the exposure score. Each software has weaknesses that are transformed into recommendations and prioritized based on risk to the organization. +## How the score is calculated + +The exposure score is continuously calculated on each device in the organization. It is scored & evaluated based on the following categories: + +- **Threats** - external and internal threats such as public exploit code and security alerts +- **Likelihood** - likelihood of the device to get breached given its current security posture +- **Value** - value of the device to the organization given its role and content + +**Device exposure score** = (Threats + Likelihood) x Value + +**Organization exposure score** = Avg (All device exposure scores) taking into account organization value multipliers + +### Threats + +Points are added based on whether the device has any vulnerabilities or misconfigurations, determined by the Common Vulnerability Scoring System (CVSS) base score. + +Further points are added based on: + +- Exploits availability and whether the exploit is verified or ranked +- A threat campaign is linked to the vulnerability or misconfiguration + +### Likelihood + +Points are added based on whether any of the following factors are true: + +- The device is internet facing +- Specific compensating controls are misconfigured +- An exploit attempt is linked directly to a threat spotted in the organization + +### Value + +Points are added based on whether any of the following factors are true for a device: + +- Contains high business impact (HBI) data +- Marked as a High Value Asset (HVA) or serves as an important server role (e.g. AD, DNS) +- Runs a business critical app (BCA) +- Used by a marked high value user (HVU) (e.g. domain admin, CEO) + +If a device is valuable to your organization, it should increase the total organization exposure score. + ## Reduce your threat and vulnerability exposure Lower your threat and vulnerability exposure by remediating [security recommendations](tvm-security-recommendation.md). Make the most impact to your exposure score by remediating the top security recommendations, which can be viewed in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md). @@ -65,14 +96,6 @@ Lower your threat and vulnerability exposure by remediating [security recommenda ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md similarity index 55% rename from windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md rename to windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md index 77b4642f92..d530052017 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md @@ -1,5 +1,5 @@ --- -title: Scenarios - threat and vulnerability management +title: Hunt for exposed devices description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate. keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls search.product: eADQiWindows 10XVcnh @@ -19,20 +19,32 @@ ms.collection: ms.topic: article --- -# Scenarios - threat and vulnerability management +# Hunt for exposed devices - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] +## Use advanced hunting to find devices with vulnerabilities -## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit +Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. [Learn more about advanced hunting](advanced-hunting-overview.md) + +### Schema tables + +- [DeviceTvmSoftwareInventoryVulnerabilities](advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md) - Inventory of software on devices as well as any known vulnerabilities in these software products + +- [DeviceTvmSoftwareVulnerabilitiesKB](advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md) - Knowledge base of publicly disclosed vulnerabilities, including whether exploit code is publicly available + +- [DeviceTvmSecureConfigurationAssessment](advanced-hunting-devicetvmsecureconfigurationassessment-table.md) - Threat & Vulnerability Management assessment events, indicating the status of various security configurations on devices + +- [DeviceTvmSecureConfigurationAssessmentKB](advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md) - Knowledge base of various security configurations used by Threat & Vulnerability Management to assess devices; includes mappings to various standards and benchmarks + +## Check which devices are involved in high severity alerts 1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center. @@ -55,50 +67,10 @@ DeviceName=any(DeviceName) by DeviceId, AlertId ``` -## Define a device's value to the organization - -Defining a device’s value helps you differentiate between asset priorities. The device value is used to incorporate the risk appetite of an individual asset into the threat and vulnerability management exposure score calculation. Devices marked as “high value” will receive more weight. - -You can also use the [set device value API](set-device-value.md). - -Device value options: - -- Low -- Normal (Default) -- High - -Examples of devices that should be marked as high value: - -- Domain controllers, Active Directory -- Internet facing devices -- VIP devices -- Devices hosting internal/external production services - -### Set device value - -1. Navigate to any device page, the easiest place is from the device inventory. - -2. Select **Device Value** from three dots next to the actions bar at the top of the page. - ![Example of the device value dropdown.](images/tvm-device-value-dropdown.png) - -

    - -3. A flyout will appear with the current device value and what it means. Review the value of the device and choose the one that best fits your device. -![Example of the device value flyout.](images/tvm-device-value-flyout.png) - - ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) - [APIs](next-gen-threat-and-vuln-mgt.md#apis) - [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) - [Advanced hunting overview](overview-hunting.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 59c5598a86..ea67db383d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -1,5 +1,5 @@ --- -title: Overview of Microsoft Secure Score for Devices in Microsoft Defender Security Center +title: Microsoft Secure Score for Devices description: Your score for devices shows the collective security configuration state of your devices across application, operating system, network, accounts, and security controls. keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh @@ -22,10 +22,10 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >[!NOTE] > Configuration score is now part of threat and vulnerability management as Microsoft Secure Score for Devices. @@ -100,13 +100,6 @@ Improve your security configuration by remediating issues from the security reco ## Related topics - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md new file mode 100644 index 0000000000..9aba0d42d1 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md @@ -0,0 +1,74 @@ +--- +title: Prerequisites & permissions - threat and vulnerability management +description: Before you begin using threat and vulnerability management, make sure you have the relevant configurations and permissions. +keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, MDATP TVM permissions prerequisites, vulnerability management +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +--- + +# Prerequisites & permissions - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +Ensure that your devices: + +- Are onboarded to Microsoft Defender Advanced Threat Protection +- Run [supported operating systems and platforms](tvm-supported-os.md) +- Have the following mandatory updates installed and deployed in your network to boost your vulnerability assessment detection rates: + +> Release | Security update KB number and link +> :---|:--- +> Windows 10 Version 1709 | [KB4493441](https://support.microsoft.com/help/4493441/windows-10-update-kb4493441) and [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +> Windows 10 Version 1803 | [KB4493464](https://support.microsoft.com/help/4493464) and [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) +> Windows 10 Version 1809 | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) +> Windows 10 Version 1903 | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) + +- Are onboarded to [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) and [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure). If you're using Configuration Manager, update your console to the latest version. +- Have at least one security recommendation that can be viewed in the device page +- Are tagged or marked as co-managed + +## Relevant permission options + +1. Log in to Microsoft Defender Security Center using account with a Security administrator or Global administrator role assigned. +2. In the navigation pane, select **Settings > Roles**. + +For more information, see [Create and manage roles for role-based access control](user-roles.md) + +### View data + +- **Security operations** - View all security operations data in the portal +- **Threat and vulnerability management** - View threat and vulnerability management data in the portal + +### Active remediation actions + +- **Security operations** - Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators +- **Threat and vulnerability management - Exception handling** - Create new exceptions and manage active exceptions +- **Threat and vulnerability management - Remediation handling** - Submit new remediation requests, create tickets, and manage existing remediation activities + +For more information, see [RBAC permission options](user-roles.md#permission-options) + +## Related articles + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Supported operating systems and platforms](tvm-supported-os.md) +- [Assign device value](tvm-assign-device-value.md) +- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 96e22571c0..83f4fa34f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,5 +1,5 @@ --- -title: Remediation activities and exceptions - threat and vulnerability management +title: Remediate vulnerabilities with threat and vulnerability management description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh @@ -18,33 +18,56 @@ ms.collection: - m365initiative-defender-endpoint ms.topic: conceptual --- -# Remediation activities and exceptions - threat and vulnerability management +# Remediate vulnerabilities with threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) +## Request remediation + +The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. + +### Enable Microsoft Intune connection + +To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. + +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + +### Remediation request steps + +1. Go to the threat and vulnerability management navigation menu in the Microsoft Defender Security Center, and select [**Security recommendations**](tvm-security-recommendation.md). + +2. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. + +3. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. + +4. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. + +5. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. + +If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. + >[!NOTE] ->To use this capability, enable your Microsoft Intune connections. Navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle on. +>If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. After your organization's cybersecurity weaknesses are identified and mapped to actionable [security recommendations](tvm-security-recommendation.md), start creating security tasks. You can create tasks through the integration with Microsoft Intune where remediation tickets are created. Lower your organization's exposure from vulnerabilities and increase your security configuration by remediating the security recommendations. -## Navigate to the Remediation page +## View your remediation activities -You can access the Remediation page a few different ways: +When you submit a remediation request from the Security recommendations page, it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. -- Threat and vulnerability management navigation menu in the [Microsoft Defender Security Center](portal-overview.md) -- Top remediation activities card in the [threat and vulnerability management dashboard](tvm-dashboard-insights.md) +Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. +![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) -### Navigation menu - -Go to the threat and vulnerability management navigation menu and select **Remediation**. It will open the list of remediation activities and exceptions found in your organization. +>[!NOTE] +> There is a 180 day retention period for completed remediation activities. To keep the Remediation page performing optimally, the remediation activity will be removed 6 months after its completion. ### Top remediation activities in the dashboard @@ -52,63 +75,8 @@ View **Top remediation activities** in the [threat and vulnerability management ![Example of Top remediation activities card with a table that lists top activities that were generated from security recommendations.](images/tvm-remediation-activities-card.png) -## Remediation activities - -When you [submit a remediation request](tvm-security-recommendation.md#request-remediation) from the [Security recommendations page](tvm-security-recommendation.md), it kicks-off a remediation activity. A security task is created that can be tracked in the threat and vulnerability management **Remediation** page, and a remediation ticket is created in Microsoft Intune. - -Once you are in the Remediation page, select the remediation activity that you want to view. You can follow the remediation steps, track progress, view the related recommendation, export to CSV, or mark as complete. -![Example of the Remediation page, with a selected remediation activity, and that activity's flyout listing the description, IT service and device management tools, and device remediation progress.](images/remediation_flyouteolsw.png) - -## Exceptions - -When you [file for an exception](tvm-security-recommendation.md#file-for-exception) from the [Security recommendations page](tvm-security-recommendation.md), you create an exception for that security recommendation. You can file exceptions to exclude certain recommendation from showing up in reports and affecting your [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md). - -The exceptions you've filed will show up in the **Remediation** page, in the **Exceptions** tab. You can filter your view based on exception justification, type, and status. - -![Example of the exception page and filter options.](images/tvm-exception-filters.png) - -### Exception actions and statuses - -You can take the following actions on an exception: - -- Cancel - You can cancel the exceptions you've filed anytime -- Resurface - Your exception automatically becomes void and resurfaces in the security recommendation list when dynamic environmental factors change. It adversely affects the exposure impact associated with a recommendation that had previously been excluded. - -The following statuses will be a part of an exception: - -- **Canceled** - The exception has been canceled and is no longer in effect -- **Expired** - The exception that you've filed is no longer in effect -- **In effect** - The exception that you've filed is in progress - -### Exception impact on scores - -Creating an exception can potentially affect the Exposure Score (for both types of weaknesses) and Microsoft Secure Score for Devices of your organization in the following manner: - -- **No impact** - Removes the recommendation from the lists (which can be reverse through filters), but will not affect the scores. -- **Mitigation-like impact** - As if the recommendation was mitigated (and scores will be adjusted accordingly) when you select it as a compensating control. -- **Hybrid** - Provides visibility on both No impact and Mitigation-like impact. It shows both the Exposure Score and Microsoft Secure Score for Devices results out of the exception option that you made. - -The exception impact shows on both the Security recommendations page column and in the flyout pane. - -![Screenshot identifying the impact sections which list score impacts in the full page security recommendations table, and the flyout.](images/tvm-exception-impact.png) - -### View exceptions in other places - -Select **Show exceptions** at the bottom of the **Top security recommendations** card in the dashboard. It will open a filtered view in the **Security recommendations** page of recommendations with an "Exception" status. - -![Screenshot of Show exceptions link in the Top security recommendations card in the dashboard.](images/tvm-exception-dashboard.png) - -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Dashboard](tvm-dashboard-insights.md) +- [Security recommendations](tvm-security-recommendation.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 723a90bded..b4ffcd5ce4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -22,15 +22,13 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -[!include[Prerelease information](../../includes/prerelease.md)] - Cybersecurity weaknesses identified in your organization are mapped to actionable security recommendations and prioritized by their impact. Prioritized recommendations help shorten the time to mitigate or remediate vulnerabilities and drive compliance. Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. @@ -75,11 +73,14 @@ View recommendations, the number of weaknesses found, related components, threat The color of the **Exposed devices** graph changes as the trend changes. If the number of exposed devices is on the rise, the color changes into red. If there's a decrease in the number of exposed devices, the color of the graph will change into green. +>[!NOTE] +>Threat and vulnerability management shows devices that were in use up to **30 days** ago. This is different from the rest of Microsoft Defender for Endpoint, where if a device has not been in use for more than 7 days it has in an ‘Inactive’ status. + ![Example of the landing page for security recommendations.](images/tvmsecrec-updated.png) ### Icons -Useful icons also quickly call your attention to: +Useful icons also quickly call your attention to: - ![arrow hitting a target](images/tvm_alert_icon.png) possible active alerts - ![red bug](images/tvm_bug_icon.png) associated public exploits - ![light bulb](images/tvm_insight_icon.png) recommendation insights @@ -94,71 +95,20 @@ From the flyout, you can choose any of the following options: - **Open software page** - Open the software page to get more context on the software and how it's distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution. -- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. +- [**Remediation options**](tvm-remediation.md) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address. -- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. +- [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] >When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. -### Investigate changes in machine exposure or impact +### Investigate changes in device exposure or impact -If there is a large jump in the number of exposed machines, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. +If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating. 1. Select the recommendation and **Open software page** 2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) -3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request - -## Request remediation - -The threat and vulnerability management capability in Microsoft Defender ATP bridges the gap between Security and IT administrators through the remediation request workflow. Security admins like you can request for the IT Administrator to remediate a vulnerability from the **Security recommendation** pages to Intune. - -### Enable Microsoft Intune connection - -To use this capability, enable your Microsoft Intune connections. In the Microsoft Defender Security Center, navigate to **Settings** > **General** > **Advanced features**. Scroll down and look for **Microsoft Intune connection**. By default, the toggle is turned off. Turn your **Microsoft Intune connection** toggle **On**. - -See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. - -### Remediation request steps - -1. Select a security recommendation you would like to request remediation for, and then select **Remediation options**. - -2. Fill out the form, including what you are requesting remediation for, priority, due date, and optional notes. Select **Submit request**. Submitting a remediation request creates a remediation activity item within threat and vulnerability management, which can be used for monitoring the remediation progress for this recommendation. This will not trigger a remediation or apply any changes to devices. - -3. Notify your IT Administrator about the new request and have them log into Intune to approve or reject the request and start a package deployment. - -4. Go to the [**Remediation**](tvm-remediation.md) page to view the status of your remediation request. - -If you want to check how the ticket shows up in Intune, see [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. - ->[!NOTE] ->If your request involves remediating more than 10,000 devices, we can only send 10,000 devices for remediation to Intune. - -## File for exception - -As an alternative to a remediation request, you can create exceptions for recommendations. - -There are many reasons why organizations create exceptions for a recommendation. For example, if there's a business justification that prevents the company from applying the recommendation, the existence of a compensating or alternative control that provides as much protection than the recommendation would, a false positive, among other reasons. - -When an exception is created for a recommendation, the recommendation is no longer active. The recommendation state changes to **Exception**, and it no longer shows up in the security recommendations list. - -1. Select a security recommendation you would like to create an exception for, and then **Exception options**. -![Showing where the button for "exception options" is location in a security recommendation flyout.](images/tvm-exception-option.png) - -2. Select your justification for the exception you need to file instead of remediating the security recommendation in question. Fill out the justification context, then set the exception duration. - - The following list details the justifications behind the exception options: - - - **Third party control** - A third party product or software already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Alternate mitigation** - An internal tool already addresses this recommendation - - Choosing this justification type will lower your exposure score and increase you secure score because your risk is reduced - - **Risk accepted** - Poses low risk and/or implementing the recommendation is too expensive - - **Planned remediation (grace)** - Already planned but is awaiting execution or authorization - -3. Select **Submit**. A confirmation message at the top of the page indicates that the exception has been created. - -4. Navigate to the [**Remediation**](tvm-remediation.md) page under the **Threat and vulnerability management** menu and select the **Exceptions** tab to view all your exceptions (current and past). +3. Decide how to address the increase or your organization's exposure, such as submitting a remediation request. ## Report inaccuracy @@ -174,52 +124,12 @@ You can report a false positive when you see any vague, inaccurate, incomplete, 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. -## Find and remediate software or software versions which have reached end-of-support (EOS) - -End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions with ended support, you're exposing your organization to security vulnerabilities, legal, and financial risks. - -It's crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end-of-support and update versions that are no longer supported. It's best to create and implement a plan **before** the end of support dates. - -To find software or software versions that are no longer supported: - -1. From the threat and vulnerability management menu, navigate to **Security recommendations**. -2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png) - -3. You'll see a list of recommendations related to software with ended support, software versions that are end of support, or versions with upcoming end of support. These tags are also visible in the [software inventory](tvm-software-inventory.md) page. - - ![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png) - -### List of versions and dates - -To view a list of versions that have reached end of support, or end or support soon, and those dates, follow the below steps: - -1. A message will appear in the security recommendation flyout for software with versions that have reached end of support, or will reach end of support soon. - - ![Screenshot of version distribution link](images/eos-upcoming-eos.png) - -2. Select the **version distribution** link to go to the software drill-down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support. - - ![Screenshot of version distribution link](images/software-drilldown-eos.png) - -3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date. - - ![Screenshot of version distribution link](images/version-eos-date.png) - -Once you identify which software and software versions are vulnerable due to their end-of-support status, you must decide whether to update or remove them from your organization. Doing so will lower your organizations exposure to vulnerabilities and advanced persistent threats. - -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) +- [Dashboard](tvm-dashboard-insights.md) - [Exposure score](tvm-exposure-score.md) - [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) +- [Remediate vulnerabilities](tvm-remediation.md) +- [Create and view exceptions for security recommendations](tvm-exception.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index 13d0634456..bff224c503 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -22,13 +22,13 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) -The software inventory in threat and vulnerability management is a list of all the software in your organization with known vulnerabilities. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. +The software inventory in threat and vulnerability management is a list of known software in your organization with official [Common Platform Enumerations (CPE)](https://nvd.nist.gov/products/cpe). Software products without an official CPE don’t have vulnerabilities published. It also includes details such as the name of the vendor, number of weaknesses, threats, and number of exposed devices. ## How it works @@ -42,14 +42,48 @@ Access the Software inventory page by selecting **Software inventory** from the View software on specific devices in the individual devices pages from the [devices list](machines-view-overview.md). +>[!NOTE] +>If you search for software using the Microsoft Defender ATP global search, make sure to put an underscore instead of a space. For example, for the best search results you'd write "windows_10" instead of "Windows 10". + ## Software inventory overview -The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. You can filter the list view based on weaknesses found in the software, threats associated with them, and whether the software or software versions have reached end-of-support. -![Example of the landing page for software inventory.](images/software_inventory_filter.png) +The **Software inventory** page opens with a list of software installed in your network, including the vendor name, weaknesses found, threats associated with them, exposed devices, impact to exposure score, and tags. + +You can filter the list view based on weaknesses found in the software, threats associated with them, and tags like whether the software has reached end-of-support. + +![Example of the landing page for software inventory.](images/tvm-software-inventory.png) Select the software that you want to investigate. A flyout panel will open with a more compact view of the information on the page. You can either dive deeper into the investigation and select **Open software page**, or flag any technical inconsistencies by selecting **Report inaccuracy**. -![Flyout example page of "Visual Studio 2017" from the software inventory page.](images/tvm-software-inventory-flyout500.png) +### Software that isn't supported + +Software that isn't currently supported by threat & vulnerability management is still present in the Software inventory page. Because it is not supported, only limited data will be available. Filter by unsupported software with the "Not available" option in the "Weakness" section. + +![Unsupported software filter.](images/tvm-unsupported-software-filter.png) + +The following indicates that a software is not supported: + +- Weaknesses field shows "Not available" +- Exposed devices field shows a dash +- Informational text added in side panel and in software page + +Currently, products without a CPE are not shown in the software inventory page, only in the device level software inventory. + +## Software inventory on devices + +From the Microsoft Defender Security Center navigation panel, go to the **[Devices list](machines-view-overview.md)**. Select the name of a device to open the device page (like Computer1), then select the **Software inventory** tab to see a list of all the known software present on the device. Select a specific software entry to open the flyout with more information. + +Software may be visible at the device level even if it is currently not supported by threat and vulnerability management. However, only limited data will be available. You'll know if software is unsupported because it will say "Not available" in the "Weakness" column. + +Software with no CPE can also show up under this device specific software inventory. + +### Software evidence + +See evidence of where we detected a specific software on a device from the registry, disk, or both.You can find it on any device in the device software inventory. + +Select a software name to open the flyout, and look for the section called "Software Evidence." + +![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png) ## Software pages @@ -67,15 +101,6 @@ You can view software pages a few different ways: ![Software example page for Visual Studio 2017 with the software details, weaknesses, exposed devices, and more.](images/tvm-software-page-example.png) -## Software evidence - -We now show evidence of where we detected a specific software on a device from the registry, disk or both. -You can find it on any devices found in the [devices list](machines-view-overview.md) in a section called "Software Evidence." - -From the Microsoft Defender Security Center navigation panel, go to the **Devices list**. Select the name of a device to open the device page (like Computer1) > select the **Software inventory** tab > select the software name to open the flyout and view software evidence. - -![Software evidence example of Windows 10 from the devices list, showing software evidence registry path.](images/tvm-software-evidence.png) - ## Report inaccuracy Report a false positive when you see any vague, inaccurate, or incomplete information. You can also report on security recommendations that have already been remediated. @@ -85,17 +110,9 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform 3. From the flyout pane, select the inaccuracy category from the drop-down menu, fill in your email address, and details about the inaccuracy. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Weaknesses](tvm-weaknesses.md) - [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index 4de1a79a1e..6e3367187d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -1,7 +1,7 @@ --- title: Supported operating systems and platforms for threat and vulnerability management -description: Before you begin, ensure that you meet the operating system or platform requisites for threat and vulnerability management so the activities in your all devices are properly accounted for. -keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +description: Ensure that you meet the operating system or platform requisites for threat and vulnerability management, so the activities in your all devices are properly accounted for. +keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, search.appverid: met150 search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -22,10 +22,10 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) @@ -47,17 +47,7 @@ Windows Server 2019 | Operating System (OS) vulnerabilities
    Software product macOS 10.13 "High Sierra" and above | Operating System (OS) vulnerabilities
    Software product vulnerabilities Linux | Not supported (planned) -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) -- [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) -- [Software inventory](tvm-software-inventory.md) -- [Weaknesses](tvm-weaknesses.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Prerequisites & permissions](tvm-prerequisites.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md new file mode 100644 index 0000000000..21ba19666d --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md @@ -0,0 +1,84 @@ +--- +title: Vulnerable devices report - threat and vulnerability management +description: A report showing vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure. +keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: article +--- + +# Vulnerable devices report - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +> [!IMPORTANT] +> **Vulnerable devices report is currently in public preview**
    +> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. +> For more information, see [Microsoft Defender ATP preview features](preview.md). + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +The report shows graphs and bar charts with vulnerable device trends and current statistics. The goal is for you to understand the breath and scope of your device exposure. + +Access the report in the Microsoft Defender Security Center by going to **Reports > Vulnerable devices** + +There are two columns: + +- Trends (over time). Can show the past 30 days, 3 months, 6 months, or a custom date range. +- Today (current information) + +**Filter**: You can filter the data by vulnerability severity levels, exploit availability, vulnerability age, operating system platform, Windows 10 version, or device group. + +**Drill down**: If there is an insight you want to explore further, select the relevant bar chart to view a filtered list of devices in the Device inventory page. From there, you can export the list. + +## Severity level graphs + +Each device is counted only once according to the most severe vulnerability found on that device. + +![One graph of current device vulnerability severity levels, and one graph showing levels over time.](images/tvm-report-severity.png) + +## Exploit availability graphs + +Each device is counted only once based on the highest level of known exploit. + +![One graph of current device exploit availability, and one graph showing availability over time.](images/tvm-report-exploit-availability.png) + +## Vulnerability age graphs + +Each device is counted only once under the oldest vulnerability publication date. Older vulnerabilities have a higher chance of being exploited. + +![One graph of current device vulnerability age, and one graph showing age over time.](images/tvm-report-age.png) + +## Vulnerable devices by operating system platform graphs + +The number of devices on each operating system that are exposed due to software vulnerabilities. + +![One graph of current vulnerable devices by operating system platform, and one graph showing vulnerable devices by OS platforms over time.](images/tvm-report-os.png) + +## Vulnerable devices by Windows 10 version graphs + +The number of devices on each Windows 10 version that are exposed due to vulnerable applications or OS. + +![One graph of current vulnerable devices by Windows 10 version, and one graph showing vulnerable devices by Windows 10 version over time.](images/tvm-report-version.png) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index 523a9d850b..7d007181d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -1,5 +1,5 @@ --- -title: Weaknesses found by threat and vulnerability management +title: Vulnerabilities in my organization - threat and vulnerability management description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm search.product: eADQiWindows 10XVcnh @@ -18,19 +18,19 @@ ms.collection: - m365initiative-defender-endpoint ms.topic: conceptual --- -# Weaknesses found by threat and vulnerability management +# Vulnerabilities in my organization - threat and vulnerability management [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) Threat and vulnerability management uses the same signals in Microsoft Defender ATP's endpoint protection to scan and detect vulnerabilities. -The **Weaknesses** page lists down the vulnerabilities found in the infected software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. +The **Weaknesses** page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more. >[!NOTE] >If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management. @@ -70,7 +70,7 @@ Remediate the vulnerabilities in exposed devices to reduce the risk to your asse ### Breach and threat insights -View related breach and threat insights in the **Threat** column when the icons are colored red. +View any related breach and threat insights in the **Threat** column when the icons are colored red. >[!NOTE] > Always prioritize recommendations that are associated with ongoing threats. These recommendations are marked with the threat insight icon ![Simple drawing of a red bug.](images/tvm_bug_icon.png) and breach insight icon ![Simple drawing of an arrow hitting a target.](images/tvm_alert_icon.png). @@ -78,18 +78,27 @@ View related breach and threat insights in the **Threat** column when the icons The breach insights icon is highlighted if there's a vulnerability found in your organization. ![Example of a breach insights text that could show up when hovering over icon. This one says "possible active alert is associated with this recommendation.](images/tvm-breach-insights.png) -The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there is a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. +The threat insights icon is highlighted if there are associated exploits in the vulnerability found in your organization. Hovering over the icon shows whether the threat is a part of an exploit kit, or connected to specific advanced persistent campaigns or activity groups. When available, there's a link to a Threat Analytics report with zero-day exploitation news, disclosures, or related security advisories. ![Threat insights text that that could show up when hovering over icon. This one has multiple bullet points and linked text.](images/tvm-threat-insights.png) ### Gain vulnerability insights -If you select a CVE, a flyout panel will open with more information, including the vulnerability description, details, threat insights, and exposed devices. +If you select a CVE, a flyout panel will open with more information such as the vulnerability description, details, threat insights, and exposed devices. -The "OS Feature" category is shown in relevant scenarios. +- The "OS Feature" category is shown in relevant scenarios +- You can go to the related security recommendation for every CVE with exposed device ![Weakness flyout example.](images/tvm-weakness-flyout400.png) +### Software that isn't supported + +CVEs for software that isn't currently supported by threat & vulnerability management is still present in the Weaknesses page. Because the software is not supported, only limited data will be available. + +Exposed device information will not be available for CVEs with unsupported software. Filter by unsupported software by selecting the "Not available" option in the "Exposed devices" section. + + ![Exposed devices filter.](images/tvm-exposed-devices-filter.png) + ## View Common Vulnerabilities and Exposures (CVE) entries in other places ### Top vulnerable software in the dashboard @@ -111,12 +120,12 @@ View related weaknesses information in the device page. 1. Go to the Microsoft Defender Security Center navigation menu bar, then select the device icon. The **Devices list** page opens. 2. In the **Devices list** page, select the device name that you want to investigate. - ![Screenshot of device list with selected device to investigate](images/tvm_machinetoinvestigate.png) + ![Device list with selected device to investigate.](images/tvm_machinetoinvestigate.png) 3. The device page will open with details and response options for the device you want to investigate. 4. Select **Discovered vulnerabilities**. - ![Screenshot of the device page with details and response options](images/tvm-discovered-vulnerabilities.png) + ![Device page with details and response options.](images/tvm-discovered-vulnerabilities.png) 5. Select the vulnerability that you want to investigate to open up a flyout panel with the CVE details, such as: vulnerability description, threat insights, and detection logic. @@ -137,17 +146,10 @@ Report a false positive when you see any vague, inaccurate, or incomplete inform 3. Select the inaccuracy category from the drop-down menu and fill in your email address and inaccuracy details. 4. Select **Submit**. Your feedback is immediately sent to the threat and vulnerability management experts. -## Related topics +## Related articles - [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) -- [Supported operating systems and platforms](tvm-supported-os.md) -- [Threat and vulnerability management dashboard](tvm-dashboard-insights.md) -- [Exposure score](tvm-exposure-score.md) -- [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) - [Security recommendations](tvm-security-recommendation.md) -- [Remediation and exception](tvm-remediation.md) - [Software inventory](tvm-software-inventory.md) -- [Event timeline](threat-and-vuln-mgt-event-timeline.md) -- [Scenarios](threat-and-vuln-mgt-scenarios.md) -- [APIs](next-gen-threat-and-vuln-mgt.md#apis) -- [Configure data access for threat and vulnerability management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group) +- [Dashboard insights](tvm-dashboard-insights.md) +- [View and organize the Microsoft Defender ATP Devices list](machines-view-overview.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md new file mode 100644 index 0000000000..62b6465eab --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md @@ -0,0 +1,103 @@ +--- +title: Mitigate zero-day vulnerabilities - threat and vulnerability management +description: Learn how to find and mitigate zero-day vulnerabilities in your environment through threat and vulnerability management. +keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: article +--- + +# Mitigate zero-day vulnerabilities - threat and vulnerability management + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) + +>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-portaloverview-abovefoldlink) + +A zero-day vulnerability is a publicly disclosed vulnerability for which no official patches or security updates have been released. Zero-day vulnerabilities often have high severity levels and are actively exploited. + +Threat and vulnerability management will only display zero-day vulnerabilities it has information about. + +## Find information about zero-day vulnerabilities + +Once a zero-day vulnerability has been found, information about it will be conveyed through the following experiences in the Microsoft Defender Security Center. + +### Threat and vulnerability management dashboard + +Look for recommendations with a zero-day tag in the “Top security recommendations” card. + +![Top recommendations with a zero-day tag.](images/tvm-zero-day-top-security-recommendations.png) + +Find top software with the zero-day tag in the "Top vulnerable software" card. + +![Top vulnerable software with a zero-day tag.](images/tvm-zero-day-top-software.png) + +### Weaknesses page + +Look for the named zero-day vulnerability along with a description and details. + +- If this vulnerability has a CVE-ID assigned, you’ll see the zero-day label next to the CVE name. + +- If this vulnerability has no CVE-ID assigned, you will find it under an internal, temporary name that looks like “TVM-XXXX-XXXX”. The name will be updated once an official CVE-ID has been assigned, but the previous internal name will still be searchable and found in the side-panel. + +![Zero day example for CVE-2020-17087 in weaknesses page.](images/tvm-zero-day-weakness-name.png) + +### Software inventory page + +Look for software with the zero-day tag. Filter by the "zero day" tag to only see software with zero-day vulnerabilities. + +![Zero day example of Windows Server 2016 in the software inventory page.](images/tvm-zero-day-software-inventory.png) + +### Software page + +Look for a zero-day tag for each software that has been affected by the zero–day vulnerability. + +![Zero day example for Windows Server 2016 software page.](images/tvm-zero-day-software-page.png) + +### Security recommendations page + +View clear suggestions regarding remediation and mitigation options, including workarounds if they exist. Filter by the "zero day" tag to only see security recommendations addressing zero-day vulnerabilities. + +If there is software with a zero-day vulnerability and additional vulnerabilities to address, you will get one recommendation regarding all vulnerabilities. + +![Zero day example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-security-recommendation.png) + +## Addressing zero-day vulnerabilities + +Go to the security recommendation page and select a recommendation with a zero-day. A flyout will open with information about the zero-day and other vulnerabilities for that software. + +There will be a link to mitigation options and workarounds if they are available. Workarounds may help reduce the risk posed by this zero-day vulnerability until a patch or security update can be deployed. + +Open remediation options and choose the attention type. An "attention required" remediation option is recommended for the zero-day vulnerabilities, since an update hasn't been released yet. If there are older vulnerabilities for this software you wish to remediation, you can override the "attention required" remediation option and choose “update.” + +![Zero day flyout example of Windows Server 2016 in the security recommendations page.](images/tvm-zero-day-software-flyout-400.png) + +## Patching zero-day vulnerabilities + +When a patch is released for the zero-day, the recommendation will be changed to “Update” and a blue label next to it that says “New security update for zero day.” It will no longer consider as a zero-day, the zero-day tag will be removed from all pages. + +![Recommendation for "Update Microsoft Windows 10" with new patch label.](images/tvm-zero-day-patch.jpg) + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Dashboard](tvm-dashboard-insights.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Software inventory](tvm-software-inventory.md) +- [Vulnerabilities in my organization](tvm-weaknesses.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index c518418a7f..1833077b2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -22,7 +22,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index 50319acfe5..f05f9a4644 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 9c9268711b..8d2e4f9a6a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index da8874d9ba..a2838a56d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -24,7 +24,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index 3e7673cab5..4c08836f95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -23,7 +23,7 @@ ms.topic: article **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-roles-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index e94dd0bb1d..3a38c1edfc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index a1fa8c6d8a..9742f5aa9e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -23,7 +23,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) The **Incidents queue** shows a collection of incidents that were flagged from devices in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md index 121df4f64b..d91dfe2c07 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md @@ -21,7 +21,7 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index bcceac7999..071d86602f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md @@ -21,16 +21,15 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) Web protection lets you monitor your organization’s web browsing security through reports under **Reports > Web protection** in the Microsoft Defender Security Center. The report contains cards that provide web threat detection statistics. -- **Web threat protection detections over time** — this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) +- **Web threat protection detections over time** - this trending card displays the number of web threats detected by type during the selected time period (Last 30 days, Last 3 months, Last 6 months) ![Image of the card showing web threats protection detections over time](images/wtp-blocks-over-time.png) -- **Web threat protection summary** — this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites. +- **Web threat protection summary** - this card displays the total web threat detections in the past 30 days, showing distribution across the different types of web threats. Selecting a slice opens the list of the domains that were found with malicious or unwanted websites. ![Image of the card showing web threats protection summary](images/wtp-summary.png) @@ -38,23 +37,27 @@ Web protection lets you monitor your organization’s web browsing security thro >It can take up to 12 hours before a block is reflected in the cards or the domain list. ## Types of web threats + Web protection categorizes malicious and unwanted websites as: -- **Phishing** — websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging credentials and other sensitive information -- **Malicious** — websites that host malware and exploit code -- **Custom indicator** — websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking + +- **Phishing** - websites that contain spoofed web forms and other phishing mechanisms designed to trick users into divulging credentials and other sensitive information +- **Malicious** - websites that host malware and exploit code +- **Custom indicator** - websites whose URLs or domains you've added to your [custom indicator list](manage-indicators.md) for blocking ## View the domain list -Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page and display the list of the domains under that threat category. The page provides the following information for each domain: -- **Access count** — number of requests for URLs in the domain -- **Blocks** — number of times requests were blocked -- **Access trend** — change in number of access attempts -- **Threat category** — type of web threat -- **Devices** — number of devices with access attempts +Select a specific web threat category in the **Web threat protection summary** card to open the **Domains** page. This page displays the list of the domains under that threat category. The page provides the following information for each domain: -Select a domain to view the list of devices that have attempted to access URLs in that domain as well as the list of URLs. +- **Access count** - number of requests for URLs in the domain +- **Blocks** - number of times requests were blocked +- **Access trend** - change in number of access attempts +- **Threat category** - type of web threat +- **Devices** - number of devices with access attempts + +Select a domain to view the list of devices that have attempted to access URLs in that domain and the list of URLs. ## Related topics + - [Web protection overview](web-protection-overview.md) - [Web content filtering](web-content-filtering.md) - [Web threat protection](web-threat-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md index d9d063c82f..f6b119e508 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md @@ -22,9 +22,9 @@ ms.topic: article [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] ->Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) +>Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-main-abovefoldlink&rtc=1) -Web threat protection is part of [Web protection](web-protection-overview.md) in Microsoft Defender ATP. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). +Web threat protection is part of [Web protection](web-protection-overview.md) in Defender for Endpoint. It uses [network protection](network-protection.md) to secure your devices against web threats. By integrating with Microsoft Edge and popular third-party browsers like Chrome and Firefox, web threat protection stops web threats without a web proxy and can protect devices while they are away or on premises. Web threat protection stops access to phishing sites, malware vectors, exploit sites, untrusted or low-reputation sites, as well as sites that you have blocked in your [custom indicator list](manage-indicators.md). >[!Note] >It can take up to an hour for devices to receive new customer indicators. @@ -33,7 +33,7 @@ Web threat protection is part of [Web protection](web-protection-overview.md) in Web protection uses network protection to provide web browsing security on Microsoft Edge and third-party web browsers. To turn on network protection on your devices: -- Edit the Microsoft Defender ATP security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-atp-security-baseline) +- Edit the Defender for Endpoint security baseline under **Web & Network Protection** to enable network protection before deploying or redeploying it. [Learn about reviewing and assigning the Defender for Endpoint security baseline](configure-machines-security-baseline.md#review-and-assign-the-microsoft-defender-for-endpoint-security-baseline) - Turn network protection on using Intune device configuration, SCCM, Group Policy, or your MDM solution. [Read more about enabling network protection](enable-network-protection.md) >[!Note] diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 38c6bd4b37..7e173b6a93 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -26,7 +26,7 @@ ms.topic: conceptual **Applies to:** -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2146631) The following features are generally available (GA) in the latest release of Microsoft Defender ATP as well as security features in Windows 10 and Windows Server. diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 263e076dda..9b9d8baad8 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -42,7 +42,7 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control Windows 10, version 1703 -This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.

    Important: Using a trustworthy browser helps ensure that these protections work as expected.

    +This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.

    Important: Using a trustworthy browser helps ensure that these protections work as expected.

    Windows 10, version 2004:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, version 1703:
    Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen

    Windows 10, Version 1607 and earlier:
    Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen @@ -160,7 +160,7 @@ For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser] ## Recommended Group Policy and MDM settings for your organization -By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. +By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index b39153d62c..56d43dafc5 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -9,7 +9,7 @@ ms.pagetype: security author: mjcaparas ms.author: macapara audience: ITPro -ms.localizationpriority: medium +ms.localizationpriority: high ms.date: 11/27/2019 ms.reviewer: manager: dansimp @@ -39,15 +39,15 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and ## Benefits of Microsoft Defender SmartScreen -Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially-engineered attack. The primary benefits are: +Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97) - **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user. -- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system, meaning that it checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. +- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) attempts to download and run. -- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up-to-date, so it can help to protect you against potentially malicious sites and files. +- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). @@ -60,7 +60,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). -When submitting Microsoft Defender Smartscreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. +When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu. ![Windows Security, Microsoft Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png) @@ -72,7 +72,7 @@ When submitting Microsoft Defender Smartscreen products, make sure to select **M When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). ## Viewing Windows event logs for Microsoft Defender SmartScreen -Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log in Event Viewer. +Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug login Event Viewer. Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 4941242b47..e8dd6ab29f 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -27,6 +27,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines + - Windows 10 Version 20H2 (October 2020 Update) - Windows 10 Version 2004 (May 2020 Update) - Windows 10 Version 1909 (November 2019 Update) - Windows 10 Version 1903 (May 2019 Update) diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 60fe8eaa5f..073cfbd4cb 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -1,6 +1,6 @@ --- title: Access Credential Manager as a trusted caller (Windows 10) -description: Describes best practices, security considerations and more for the security policy setting, Access Credential Manager as a trusted caller. +description: Describes best practices, security considerations, and more for the security policy setting, Access Credential Manager as a trusted caller. ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 ms.reviewer: ms.author: dansimp @@ -22,11 +22,11 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Access Credential Manager as a trusted caller** security policy setting. ## Reference -The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it is assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities. +The **Access Credential Manager as a trusted caller** policy setting is used by Credential Manager during backup and restore. No accounts should have this privilege because it's assigned only to the Winlogon service. Saved credentials of users may be compromised if this privilege is given to other entities. Constant: SeTrustedCredManAccessPrivilege @@ -37,7 +37,7 @@ Constant: SeTrustedCredManAccessPrivilege ### Best practices -- Do not modify this policy setting from the default. +- Don't modify this policy setting from the default. ### Location @@ -45,6 +45,8 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values +The following table shows the default value for the server type or Group Policy Object (GPO). + | Server type or GPO | Default value | | - | - | | Default domain policy | Not defined | @@ -58,7 +60,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -82,7 +84,7 @@ If an account is given this user right, the user of the account may create an ap ### Countermeasure -Do not define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager. +Don't define the **Access Credential Manager as a trusted caller** policy setting for any accounts besides Credential Manager. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index ab09ef2ca5..d9c2770ad4 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -39,7 +39,7 @@ It is possible to configure the following values for the **Account lockout thres - A user-defined number from 0 through 999 - Not defined -Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic. +Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article. ### Best practices @@ -47,7 +47,7 @@ The threshold that you select is a balance between operational efficiency and se As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). -Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic. +Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article. ### Location @@ -76,13 +76,13 @@ None. Changes to this policy setting become effective without a computer restart ### Implementation considerations -Implementation of this policy setting is dependent on your operational environment. You should consider threat vectors, deployed operating systems, and deployed apps, for example: +Implementation of this policy setting depends on your operational environment. Consider threat vectors, deployed operating systems, and deployed apps. For example: -- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. You should set the account lockout threshold in consideration of the known and perceived risk of those threats. +- The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats. - When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. -- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. +- Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). @@ -108,8 +108,8 @@ Because vulnerabilities can exist when this value is configured and when it is n - Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: - - The password policy setting requires all users to have complex passwords of 8 or more characters. - - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment. + - The password policy setting requires all users to have complex passwords of eight or more characters. + - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment. - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. @@ -121,9 +121,9 @@ Because vulnerabilities can exist when this value is configured and when it is n If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls. -If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that an malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. +If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. -If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. +If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. ## Related topics [Account Lockout Policy](account-lockout-policy.md) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 9a078921e7..4c8003e0f3 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -1,6 +1,6 @@ --- -title: Audit Audit the use of Backup and Restore privilege (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Audit Audit the use of Backup and Restore privilege security policy setting. +title: "Audit: Audit the use of Backup and Restore privilege (Windows 10)" +description: "Describes the best practices, location, values, and security considerations for the 'Audit: Audit the use of Backup and Restore privilege' security policy setting." ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 ms.reviewer: ms.author: dansimp @@ -65,9 +65,9 @@ None. Changes to this policy become effective without a computer restart when th ### Auditing -Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users use backup or restore user rights, those events will not be audited. +Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events will not be audited. -Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. +Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This setup can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. Alternately, you can use the advanced audit policy, [Audit Sensitive Privilege Use](../auditing/audit-sensitive-privilege-use.md), which can help you manage the number of events generated. diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index 550e21d847..a431f30baf 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -1,6 +1,6 @@ --- title: Back up files and directories - security policy setting (Windows 10) -description: Describes the best practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. +description: Describes the recommended practices, location, values, policy management, and security considerations for the Back up files and directories security policy setting. ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.reviewer: ms.author: dansimp @@ -22,13 +22,13 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Back up files and directories** security policy setting. ## Reference -This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a backup tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. +This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This user right is effective only when an application attempts access through the NTFS backup application programming interface (API) through a tool such as NTBACKUP.EXE. Otherwise, standard file and directory permissions apply. -This user right is similar to granting the following permissions to the user or group you have selected on all files and folders on the system: +This user right is similar to granting the following permissions to the user or group you selected on all files and folders on the system: - Traverse Folder/Execute File - List Folder/Read Data @@ -56,8 +56,8 @@ Constant: SeBackupPrivilege ### Best practices -1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there is no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. -2. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. +1. Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. Because there's no way to be sure that a user is backing up data, stealing data, or copying data to be distributed, only assign this user right to trusted users. +2. If your backup software runs under specific service accounts, only these accounts (and not the IT staff) should have the user right to back up files and directories. ### Location @@ -67,7 +67,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use By default, this right is granted to Administrators and Backup Operators on workstations and servers. On domain controllers, Administrators, Backup Operators, and Server Operators have this right. -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values for the server type or Group Policy Object (GPO). Default values are also listed on the policy’s property page. | Server type or GPO | Default value | | - | - | @@ -80,13 +80,13 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ### Group Policy -Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: +Settings are applied in the following order through a GPO, which will overwrite settings on the local computer at the next Group Policy update: 1. Local policy settings 2. Site policy settings @@ -101,15 +101,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can back up data from a device could take the backup media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set. +Users who can back up data from a device to separate media could take the media to a non-domain computer on which they have administrative privileges, and then restore the data. They could take ownership of the files and view any unencrypted data that is contained within the data set. ### Countermeasure -Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you are using backup software that runs under specific service accounts, only these accounts (and not the IT staff) should have the **Back up files and directories** user right. +Restrict the **Back up files and directories** user right to members of the IT team who must back up organizational data as part of their daily job responsibilities. If you use software that backs up data under specific service accounts, only these accounts (and not the IT staff) should have the right to back up files and directories. ### Potential impact -Changes in the membership of the groups that have the **Back up files and directories** user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators can still perform backup operations. +Changes in the membership of the groups that have the user right to back up files and directories could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that authorized administrators can still back up files and directories. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 869edc69a5..55281194fb 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for programs and data that are used frequently. Although the file is hidden from browsing, you can manage it using the system settings. +Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings. This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index c07cb74837..696c309ef6 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security This user right determines if users can create a symbolic link from the device they are logged on to. -A symbolic link is a file-system object that points to another file-system object. The object that is pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. +A symbolic link is a file-system object that points to another file-system object. The object that's pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. >**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege @@ -40,7 +40,7 @@ Constant: SeCreateSymbolicLinkPrivilege ### Best practices -- This user right should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. +- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. ### Location @@ -73,16 +73,16 @@ Any change to the user rights assignment for an account becomes effective the ne Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: -1. Local policy settings -2. Site policy settings -3. Domain policy settings -4. OU policy settings +- Local policy settings +- Site policy settings +- Domain policy settings +- OU policy settings When a local setting is greyed out, it indicates that a GPO currently controls that setting. ### Command-line tools -This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type **fsutil behavior set symlinkevaluation /?** at the command prompt. +This setting can be used in conjunction with a symbolic link file system setting that can be manipulated with the command-line tool to control the kinds of symlinks that are allowed on the device. For more info, type `fsutil behavior set symlinkevaluation /?` at the command prompt. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index cb03383fb3..8e9e1de135 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can attach to or open any process, even those they do not own. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. +This policy setting determines which users can attach to or open any process, even a process they do not own. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides access to sensitive and critical operating-system components. Constant: SeDebugPrivilege diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 5e75ce5325..3705d5c84b 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a batch job** security policy setting. ## Reference @@ -40,7 +40,7 @@ Constant: SeDenyBatchLogonRight 1. When you assign this user right, thoroughly test that the effect is what you intended. 2. Within a domain, modify this setting on the applicable Group Policy Object (GPO). -3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks, which helps with business continuity when that person transitions to other positions or responsibilities. +3. **Deny log on as a batch job** prevents administrators or operators from using their personal accounts to schedule tasks. This restriction helps with business continuity when that person transitions to other positions or responsibilities. ### Location @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the This section describes features and tools available to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -73,7 +73,7 @@ This policy setting might conflict with and negate the **Log on as a batch job** On a domain-joined device, including the domain controller, this policy can be overwritten by a domain policy, which will prevent you from modifying the local policy setting. -For example, if you are trying to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account is not present in the **Deny log on as a batch job** +For example, to configure Task Scheduler on your domain controller, check the Settings tab of your two domain controller policy and domain policy GPOs in the Group Policy Management Console (GPMC). Verify the targeted account isn't present in the **Deny log on as a batch job** setting. User Rights Assignment and also correctly configured in the **Log on as a batch job** setting. @@ -100,7 +100,7 @@ Assign the **Deny log on as a batch job** user right to the local Guest account. ### Potential impact -If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. You should confirm that delegated tasks are not affected adversely. +If you assign the **Deny log on as a batch job** user right to other accounts, you could deny the ability to perform required job activities to users who are assigned specific administrative roles. Confirm that delegated tasks aren't affected adversely. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 2da4ae7aa5..ae1ff7ad09 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Deny log on as a service** security policy setting. ## Reference @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the This section describes features and tools available to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -89,11 +89,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure -services, and an attacker who has already attained that level of access could configure the service to run by using the System account. +services, and an attacker who already has that level of access could configure the service to run by using the System account. ### Countermeasure -We recommend that you not assign the **Deny log on as a service** user right to any accounts. This is the default configuration. Organizations that are extremely concerned about security might assign this user right to groups and accounts when they are certain that they will never need to log on to a service application. +We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to log on to a service application. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 473772b9bc..933e46f0a1 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -22,13 +22,13 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. +This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server signing requirements** security policy setting. ## Reference This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. -Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, this means that a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower the risk of a malicious user accomplishing this in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks extremely difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). @@ -44,7 +44,7 @@ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP ### Best practices -- It is advisable to set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. +- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. ### Location @@ -77,7 +77,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks extremely difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. ### Countermeasure @@ -85,7 +85,7 @@ Configure the **Domain controller: LDAP server signing requirements** setting to ### Potential impact -Client device that do not support LDAP signing cannot run LDAP queries against the domain controllers. +Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index d21bf2cf15..fb56241385 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This security setting determines which users are allowed to shut down a device from a remote location on the network. This allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. +This security setting determines which users are allowed to shut down a device from a remote location on the network. This setting allows members of the Administrators group or specific users to manage computers (for tasks such as a restart) from a remote location. Constant: SeRemoteShutdownPrivilege @@ -37,7 +37,7 @@ Constant: SeRemoteShutdownPrivilege ### Best practices -- Explicitly restrict this user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. +- Explicitly restrict this user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff. ### Location @@ -91,11 +91,11 @@ Any user who can shut down a device could cause a denial-of-service condition to ### Countermeasure -Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other specifically assigned roles that require this capability, such as non-administrative operations staff. +Restrict the **Force shutdown from a remote system** user right to members of the Administrators group or other assigned roles that require this capability, such as non-administrative operations staff. ### Potential impact -On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. +On a domain controller, if you remove the **Force shutdown from a remote system** user right from the Server Operator group, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Confirm that delegated activities are not adversely affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 00e0451b37..c9e784c755 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -46,12 +46,12 @@ This setting has these possible values: For a local logon, the user's full name is displayed. If the user signed in using a Microsoft account, the user's email address is displayed. For a domain logon, the domain\username is displayed. - This has the same effect as turning on the **Privacy** setting. + This setting has the same effect as turning on the **Privacy** setting. - **User display name only** The full name of the user who locked the session is displayed. - This has the same effect as turning off the **Privacy** setting. + This setting has the same effect as turning off the **Privacy** setting. - **Do not display user information** @@ -69,7 +69,7 @@ This setting has these possible values: - **Blank** Default setting. - This translates to “Not defined,” but it will display the user’s full name in the same manner as the option **User display name only**. + This setting translates to “Not defined,” but it will display the user's full name in the same manner as the option **User display name only**. When an option is set, you cannot reset this policy to blank, or not defined. ### Hotfix for Windows 10 version 1607 @@ -149,7 +149,7 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. -You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to logon. +You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to log on. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 92ffe6cd6c..47257f0e50 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -43,7 +43,7 @@ A malicious user might install malware that looks like the standard logon dialog ### Best practices -- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. +- We recommend that you set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 93b8bde24d..ebfbd65b83 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -22,7 +22,7 @@ ms.date: 08/27/2018 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. ## Reference @@ -36,7 +36,7 @@ If a domain controller is unavailable and a user's logon information is not cach The system cannot log you on now because the domain *DOMAIN NAME* is not available. -The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. +The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session. Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. @@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an eleventh user logs on to the device, the server overwrites the oldest cached logon session. +The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session. Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index d58e9bcde6..33b628cb5e 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -1,6 +1,6 @@ --- title: Interactive logon Require smart card - security policy setting (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the Interactive logon Require smart card security policy setting. +description: Describes the best practices, location, values, policy management, and security considerations for the Interactive logon Require smart card security policy setting. ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c ms.reviewer: ms.author: dansimp @@ -31,7 +31,7 @@ Describes the best practices, location, values, policy management, and security The **Interactive logon: Require smart card** policy setting requires users to log on to a device by using a smart card. -Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it extremely difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller. +Requiring users to use long, complex passwords for authentication enhances network security, especially if the users must change their passwords regularly. This requirement reduces the chance that a malicious user will be able to guess a user's password through a brute-force attack. Using smart cards rather than passwords for authentication dramatically increases security because, with today's technology, it is nearly impossible for a malicious user to impersonate another user. Smart cards that require personal identification numbers (PINs) provide two-factor authentication: the user who attempts to log on must possess the smart card and know its PIN. A malicious user who captures the authentication traffic between the user's device and the domain controller will find it difficult to decrypt the traffic: even if they do, the next time the user logs on to the network, a new session key will be generated for encrypting traffic between the user and the domain controller. ### Possible values @@ -41,7 +41,7 @@ Requiring users to use long, complex passwords for authentication enhances netwo ### Best practices -- Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. This means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. +- Set **Interactive logon: Require smart card** to Enabled. All users will have to use smart cards to log on to the network. This requirement means that the organization must have a reliable public key infrastructure (PKI) in place, and provide smart cards and smart card readers for all users. ### Location @@ -49,7 +49,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default values for this policy, by server type or Group Policy Object (GPO). Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | @@ -74,7 +74,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through GPOs. If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -90,7 +90,7 @@ For users with access to computers that contain sensitive data, issue smart card ### Potential impact -All users of a device with this setting enabled must use smart cards to log on locally. This means that the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because +All users of a device with this setting enabled must use smart cards to log on locally. So the organization must have a reliable public key infrastructure (PKI) as well as smart cards and smart card readers for these users. These requirements are significant challenges because expertise and resources are required to plan for and deploy these technologies. Active Directory Certificate Services (AD CS) can be used to implement and manage certificates. You can use automatic user and device enrollment and renewal on the client. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index a20693d19b..3c4204523c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -1,6 +1,6 @@ --- title: Interactive logon Smart card removal behavior (Windows 10) -description: Best practices, location, values, policy management and security considerations for the security policy setting, Interactive logon Smart card removal behavior. +description: Best practices, location, values, policy management, and security considerations for the security policy setting, Interactive logon Smart card removal behavior. ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 ms.reviewer: ms.author: dansimp @@ -22,13 +22,13 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. +Describes the recommended practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting. ## Reference This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. -If smart cards are used for authentication, the device should automatically lock itself when the card is removed—that way, if users forget to manually lock their devices when they are away from them, malicious users cannot gain access. +If smart cards are used for authentication, the device should automatically lock itself when the card is removed. So if users forget to manually lock their devices when they leave, malicious users cannot gain access. If you select **Force Logoff** in the property sheet for this policy setting, the user is automatically logged off when the smart card is removed. Users will have to reinsert their smart cards and reenter their PINs when they return to their workstations. @@ -40,21 +40,21 @@ If you select **Force Logoff** in the property sheet for this policy setting, th - No Action - Lock Workstation - If you select this, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. + If you use this setting, the workstation is locked when the smart card is removed. So users can leave the area, take their smart card with them, and still maintain a protected session. - Force Logoff - If you select this, the user is automatically logged off when the smart card is removed. + If you use this setting, the user is automatically logged off when the smart card is removed. - Disconnect if a remote Remote Desktop Services session - If you select this, removal of the smart card disconnects the session without logging the user off. This allows the user to insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. + If you use this setting, removal of the smart card disconnects the session without logging off the user. So the user can insert the smart card and resume the session later, or at another smart card reader-equipped computer, without having to log on again. If the session is local, this policy functions identically to Lock Workstation. - Not Defined ### Best practices -- Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. This allows users to leave the area, take their smart card with them, and still maintain a protected session. +- Set **Interactive logon: Smart card removal behavior** to **Lock Workstation**. If you select **Lock Workstation** in the property sheet for this policy setting, the workstation is locked when the smart card is removed. So users can leave the area, take their smart card with them, and still maintain a protected session. ### Location @@ -62,7 +62,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Sec ### Default values -The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default values for this policy, by server type or Group Policy Object (GPO). Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | @@ -79,7 +79,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -87,7 +87,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through GPOs. If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -95,7 +95,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials. +Users sometimes forget to lock their workstations when they're away from them, allowing the possibility for malicious users to access their devices. If smart cards are used for authentication, the device should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources by using those credentials. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index 3b2f31c5ee..7ad5326697 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Log on as a batch job** security policy setting. ## Reference @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use By default, this setting is for Administrators, Backup Operators, and Performance Log Users on domain controllers and on stand-alone servers. -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | @@ -63,13 +63,13 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. ### Group Policy -Task Scheduler automatically grants this right when a user schedules a task. To override this behavior use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting. +Task Scheduler automatically grants this right when a user schedules a task. To override this behavior, use the [Deny log on as a batch job](deny-log-on-as-a-batch-job.md) User Rights Assignment setting. Group Policy settings are applied in the following order, which will overwrite settings on the local computer at the next Group Policy update: @@ -80,7 +80,7 @@ Group Policy settings are applied in the following order, which will overwrite s ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration. It describes how to apply the countermeasure and the possible negative consequences of countermeasure. ### Vulnerability @@ -88,13 +88,13 @@ The **Log on as a batch job** user right presents a low-risk vulnerability. For ### Countermeasure -You should allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you do not want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account. +Allow the computer to manage this user right automatically if you want to allow scheduled tasks to run for specific user accounts. If you don't want to use the Task Scheduler in this manner, configure the **Log on as a batch job** user right for only the Local Service account. -For IIS servers, you should configure this policy locally instead of through domain–based Group Policy settings so that you can ensure the local IUSR\_*<ComputerName>* and IWAM\_*<ComputerName>* accounts have this user right. +For IIS servers, configure this policy locally instead of through domain–based Group Policy settings so that you can ensure the local IUSR\_*<ComputerName>* and IWAM\_*<ComputerName>* accounts have this user right. ### Potential impact -If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer cannot assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you may need to assign this user right to additional accounts that are required by those components. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right is not assigned to this group and these accounts, IIS cannot run some COM objects that are necessary for proper functionality. +If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to additional accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index 5d897aa891..7539cb89c0 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Log on as a service** security policy setting. ## Reference @@ -47,7 +47,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use By default this setting is Network Service on domain controllers and Network Service on stand-alone servers. -The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values. The policy's property page also lists default values. | Server type or GPO | Default value | | - | - | @@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -79,21 +79,21 @@ Group Policy settings are applied in the following order, which will overwrite s ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes how an attacker might exploit a feature or its configuration. It explains the countermeasure. And it addresses the possible negative consequences of the countermeasure. ### Vulnerability -The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced by the fact that only users with administrative privileges can install and configure services. An -attacker who has already attained that level of access could configure the service to run with the Local System account. +The **Log on as a service** user right allows accounts to start network services or services that run continuously on a computer, even when no one is logged on to the console. The risk is reduced because only users who have administrative privileges can install and configure services. An +attacker who has already reached that level of access could configure the service to run with the Local System account. ### Countermeasure -By definition, the Network Service account has the **Log on as a service** user right. This right is not granted through the Group Policy setting. You should minimize the number of other accounts that are granted this user right. +By definition, the Network Service account has the **Log on as a service** user right. This right isn't granted through the Group Policy setting. Minimize the number of other accounts that are granted this user right. ### Potential impact -On most computers, restricting the **Log on as a service** user right to the Local System, Local Service, and Network Service built-in accounts is the default configuration, and there is no negative impact. However, if you have installed optional components such as ASP.NET or IIS, you may need to -assign the **Log on as a service** user right to additional accounts that are required by those components. IIS requires that this user right be explicitly granted to the ASPNET user account. +On most computers, the **Log on as a service** user right is restricted to the Local System, Local Service, and Network Service built-in accounts by default, and there's no negative impact. But if you have optional components such as ASP.NET or IIS, you might need to +assign the user right to the additional accounts that those components require. IIS requires this user right to be explicitly granted to the ASPNET user account. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 930089e0dd..46cd7ecb25 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -37,7 +37,7 @@ If the value for this policy setting is too high, users might be able to access ### Best practices -- It is advisable to set **Maximum lifetime for user ticket** to 10 hours. +- We recommend that you set the **Maximum lifetime for user ticket** to 10 hours. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index a4c892bb3b..9995735537 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -32,9 +32,9 @@ The **Minimum password age** policy setting determines the period of time (in da ### Best practices -[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day. +[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to one day. -Setting the number of days to 0 allows immediate password changes, which is not recommended. +Setting the number of days to 0 allows immediate password changes. This setting is not recommended. Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. For example, suppose a password is "Ra1ny day!" and the history requirement is 24. If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!". @@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords can be compromised and if an attacker is targeting a specific individual user account, with knowledge of data about that user, reuse of old passwords can cause a security breach. -To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. You must configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. +To address password reuse, you must use a combination of security settings. Using this policy setting with the [Enforce password history](enforce-password-history.md) policy setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history policy setting to ensure that users cannot reuse any of their last 12 passwords, but you do not configure the **Minimum password age** policy setting to a number that is greater than 0, users could change their password 13 times in a few minutes and reuse their original password. Configure this policy setting to a number that is greater than 0 for the Enforce password history policy setting to be effective. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index 74ed307f82..ae21ed863f 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. +This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. ## Reference @@ -35,9 +35,9 @@ The **Minimum password length** policy setting determines the least number of ch ### Best practices -Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it is long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 is not supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md). +Set Minimum password length to at least a value of 8. If the number of characters is set to 0, no password is required. In most environments, an eight-character password is recommended because it's long enough to provide adequate security and still short enough for users to easily remember. A minimum password length greater than 14 isn't supported at this time. This value will help provide adequate defense against a brute force attack. Adding complexity requirements will help reduce the possibility of a dictionary attack. For more info, see [Password must meet complexity requirements](password-must-meet-complexity-requirements.md). -Permitting short passwords reduces security because short passwords can be easily broken with tools that perform dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause an account lockout and subsequently increase the volume of Help Desk calls. +Permitting short passwords reduces security because short passwords can be easily broken with tools that do dictionary or brute force attacks against the passwords. Requiring very long passwords can result in mistyped passwords that might cause account lockouts and might increase the volume of Help Desk calls. In addition, requiring extremely long passwords can actually decrease the security of an organization because users might be more likely to write down their passwords to avoid forgetting them. However, if users are taught that they can use passphrases (sentences such as "I want to drink a $5 milkshake"), they should be much more likely to remember. @@ -51,12 +51,12 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| 7 characters| +| Default domain policy| Seven characters| | Default domain controller policy | Not defined| -| Stand-alone server default settings | 0 characters| -| Domain controller effective default settings | 7 characters| -| Member server effective default settings | 7 characters| -| Effective GPO default settings on client computers | 0 characters| +| Stand-alone server default settings | Zero characters| +| Domain controller effective default settings | Seven characters| +| Member server effective default settings | Seven characters| +| Effective GPO default settings on client computers | Zero characters| ## Policy management @@ -64,7 +64,7 @@ This section describes features, tools, and guidance to help you manage this pol ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,14 +78,14 @@ Types of password attacks include dictionary attacks (which attempt to use commo Configure the **Minimum password length** policy setting to a value of 8 or more. If the number of characters is set to 0, no password will be required. -In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. +In most environments, we recommend an eight-character password because it's long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. > [!NOTE] > Some jurisdictions have established legal requirements for password length as part of establishing security regulations. ### Potential impact -Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. +Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords because of password length requirements, consider teaching your users about passphrases, which are often easier to remember and, because of the larger number of character combinations, much harder to discover. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index d063da47e0..9775374e5e 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -96,7 +96,7 @@ This section describes how an attacker might exploit a feature or its configurat Anyone with the **Modify an object label** user right can change the integrity level of a file or process so that it becomes elevated or decreased to a point where it can be deleted by lower integrity processes. Either of these states effectively circumvents the protection that is offered by Windows Integrity Controls and makes your system vulnerable to attacks by malicious software. -If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be re-labeled. However, the re-labeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to re-label. +If malicious software is set with an elevated integrity level such as Trusted Installer or System, administrator accounts do not have sufficient integrity levels to delete the program from the system. In that case, use of the **Modify an object label** right is mandated so that the object can be relabeled. However, the relabeling must occur by using a process that is at the same or a higher level of integrity than the object that you are attempting to relabel. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 43611938d0..4d792d0457 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -34,7 +34,7 @@ When a service connects with the device identity, signing and encryption are sup | Setting | Windows Server 2008 and Windows Vista | At least Windows Server 2008 R2 and Windows 7 | | - | - | - | -| Enabled | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | +| Enabled | Services running as Local System that use Negotiate will use the computer identity. This value might cause some authentication requests between Windows operating systems to fail and log an error.| Services running as Local System that use Negotiate will use the computer identity. This is the default behavior. | | Disabled| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. This is the default behavior.| Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously.| |Neither|Services running as Local System that use Negotiate when reverting to NTLM authentication will authenticate anonymously. | Services running as Local System that use Negotiate will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.| @@ -91,6 +91,6 @@ You can configure the **Network security: Allow Local System to use computer ide If you do not configure this policy setting on Windows Server 2008 and Windows Vista, services running as Local System that use the default credentials will use the NULL session and revert to NTLM authentication for Windows operating systems earlier than Windows Vista or Windows Server 2008. Beginning with Windows Server 2008 R2 and Windows 7, the system allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. -## Related topics +## Related articles - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 37700da3a6..51a84cfb6f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -22,11 +22,11 @@ ms.date: 04/19/2017 **Applies to** - Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 -Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting. +Describes the best practices, location, values, and security considerations for the **Network security: Configure encryption types allowed for Kerberos** security policy setting. ## Reference -This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it is not selected, the encryption type will not be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. +This policy setting allows you to set the encryption types that the Kerberos protocol is allowed to use. If it isn't selected, the encryption type won't be allowed. This setting might affect compatibility with client computers or services and applications. Multiple selections are permitted. For more information, see [article 977321](https://support.microsoft.com/kb/977321) in the Microsoft Knowledge Base. @@ -35,11 +35,11 @@ The following table lists and explains the allowed encryption types. | Encryption type | Description and version support | | - | - | -| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. | -| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2 and later operating systems do not support DES by default. | +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems don't support DES by default. | +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10, Windows Server 2008 R2, and later operating systems do not support DES by default. | | RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
    Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.| -| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. | -| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2. | +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256-bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
    Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. | | Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.| ### Possible values @@ -58,7 +58,7 @@ The encryption type options include: ### Best practices -You must analyze your environment to determine which encryption types will be supported and then select those that meet that evaluation. +Analyze your environment to determine which encryption types will be supported and then select the types that meet that evaluation. ### Location @@ -81,21 +81,21 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Windows Server 2008 R2, Windows 7 and Windows 10, do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2, Windows 7, and Windows 10, don't support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES for your computers running Windows Vista and Windows Server 2008. ### Countermeasure -Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7 and Windows 10 to use the AES or RC4 cryptographic suites. +Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7, and Windows 10 to use the AES or RC4 cryptographic suites. ### Potential impact -If you do not select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. +If you don't select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. -## Related topics +## Related articles - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 6a02220b10..9abafe6715 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -1,6 +1,6 @@ --- title: Network security Force logoff when logon hours expire (Windows 10) -description: Best practices, location, values, policy management and security considerations for the policy setting, Network security Force logoff when logon hours expire. +description: Best practices, location, values, policy management, and security considerations for the policy setting, Network security Force logoff when logon hours expire. ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 ms.reviewer: ms.author: dansimp @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. ## Reference @@ -87,6 +87,6 @@ Enable the **Network security: Force logoff when logon hours expire** setting. T When a user's logon time expires, SMB sessions terminate. The user cannot log on to the device until the next scheduled access time commences. -## Related topics +## Related articles - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index b713a96ecb..54140d60f7 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -25,12 +25,12 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of guidelines that are considered important for a strong password. Enabling this policy setting requires passwords to meet the following requirements: +The **Passwords must meet complexity requirements** policy setting determines whether passwords must meet a series of strong-password guidelines. When enabled, this setting requires passwords to meet the following requirements: 1. Passwords may not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Both checks are not case sensitive. - The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. - The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. + The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is fewer than three characters long, this check is skipped. + The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed not to be included in the password. Tokens that are shorter than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Havens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "grin" or "hagens" as a substring anywhere in the password. 2. The password contains characters from three of the following categories: @@ -39,16 +39,16 @@ The **Passwords must meet complexity requirements** policy setting determines wh - Base 10 digits (0 through 9) - Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/) - Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting. - - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. + Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting. + - Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages. Complexity requirements are enforced when passwords are changed or created. The rules that are included in the Windows Server password complexity requirements are part of Passfilt.dll, and they cannot be directly modified. -Enabling the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users might not be used to having passwords that contain characters other than those found in the alphabet. However, this policy setting is liberal enough that all users should be able to abide by the requirements with a minor learning curve. +When enabled, the default Passfilt.dll may cause some additional Help Desk calls for locked-out accounts because users aren't used to passwords that contain characters that aren't in the alphabet. But this policy setting is liberal enough that all users should get used to it. -Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. Upper-row characters are those typed by pressing and holding the SHIFT key and then pressing any of the keys on the number row of the keyboard (from 1 through 9 and 0). +Additional settings that can be included in a custom Passfilt.dll are the use of non–upper-row characters. To type upper-row characters, you hold the SHIFT key and press one of any of the keys on the number row of the keyboard (from 1 through 9 and 0). ### Possible values @@ -61,9 +61,9 @@ Additional settings that can be included in a custom Passfilt.dll are the use of > [!TIP] > For the latest best practices, see [Password Guidance](https://www.microsoft.com/research/publication/password-guidance). -Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This makes a brute force attack difficult, but still not impossible. +Set **Passwords must meet complexity requirements** to Enabled. This policy setting, combined with a minimum password length of 8, ensures that there are at least 218,340,105,584,896 different possibilities for a single password. This setting makes a brute force attack difficult, but still not impossible. -The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an extremely busy Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of this range can represent standard alphanumeric characters that do not add additional complexity to the password.) +The use of ALT key character combinations can greatly enhance the complexity of a password. However, requiring all users in an organization to adhere to such stringent password requirements can result in unhappy users and an over-worked Help Desk. Consider implementing a requirement in your organization to use ALT characters in the range from 0128 through 0159 as part of all administrator passwords. (ALT characters outside of that range can represent standard alphanumeric characters that do not add additional complexity to the password.) Passwords that contain only alphanumeric characters are easy to compromise by using publicly available tools. To prevent this, passwords should contain additional characters and meet complexity requirements. diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index daf285e8a4..4e9a967608 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -26,7 +26,7 @@ An overview of password policies for Windows and links to information for each p In many operating systems, the most common method to authenticate a user's identity is to use a secret passphrase or password. A secure network environment requires all users to use strong passwords, which have at least eight characters and include a combination of letters, numbers, and symbols. These passwords help prevent the compromise of user accounts and administrative accounts by unauthorized users who use manual methods or automated tools to guess weak passwords. Strong passwords that are changed regularly reduce the likelihood of a successful password attack. -Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. +Introduced in Windows Server 2008 R2 and Windows Server 2008, Windows supports fine-grained password policies. This feature provides organizations with a way to define different password and account lockout policies for different sets of users in a domain. Fine-grained password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups. For more details, see [AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770842(v=ws.10)). To apply a fine-grained password policy to users of an OU, you can use a shadow group. A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups. @@ -38,7 +38,7 @@ You can configure the password policy settings in the following location by usin **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** -If individual groups require distinct password policies, these groups should be separated into another domain or forest, based on additional requirements. +This group policy is applied on the domain level. If individual groups require distinct password policies, consider using fine-grained password policies, as described above. The following topics provide a discussion of password policy implementation and best practices considerations, policy location, default values for the server type or GPO, relevant differences in operating system versions, security considerations (including the possible vulnerabilities of each setting), countermeasures that you can take, and the potential impact for each setting. diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 10841b338e..3ea61190ff 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -26,7 +26,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can view a sample performance of an application process. Typically, you do not need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI). +This policy setting determines which users can view a sample performance of an application process. Typically, you don't need this user right to use the performance reporting tools included in the operating system. However, you do need this user right if the system’s monitor components are configured to collect data through Windows Management Instrumentation (WMI). Constant: SeProfileSingleProcessPrivilege @@ -38,7 +38,7 @@ Constant: SeProfileSingleProcessPrivilege ### Best practices -- This right should not be granted to individual users. It should be granted only for trusted applications that monitor other programs. +- This right shouldn't be granted to individual users. It should be granted only for trusted applications that monitor other programs. ### Location @@ -50,7 +50,7 @@ By default this setting is Administrators on domain controllers and on stand-alo The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. -| Server type or GPO | Default value | +| Server type or Group Policy Object (GPO) | Default value | | - | - | | Default Domain Policy| Not defined| | Default Domain Controller Policy | Administrators| @@ -69,7 +69,7 @@ Any change to the user rights assignment for an account becomes effective the ne ### Group Policy -Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: +Settings are applied in the following order through a Group Policy Object, which will overwrite settings on the local computer at the next Group Policy update: 1. Local policy settings 2. Site policy settings diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index 885ca9c205..ac9b2c0104 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -1,6 +1,6 @@ --- title: Recovery console Allow automatic administrative logon (Windows 10) -description: Best practices, location, values, policy management and security considerations for the policy setting, Recovery console Allow automatic administrative logon. +description: Best practices, location, values, policy management, and security considerations for the policy setting, Recovery console Allow automatic administrative logon. ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 ms.reviewer: ms.author: dansimp @@ -22,13 +22,13 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. ## Reference This policy setting determines whether the built-in Administrator account password must be provided before access to the device is granted. If you enable this setting, the built-in Administrator account is automatically logged on to the computer at the Recovery Console; no password is required. -The Recovery Console can be very useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. +The Recovery Console can be useful when troubleshooting and repairing systems that cannot be restarted. However, enabling this policy setting so a user can automatically log on to the console is dangerous. Anyone can walk up to the server, shut it down by disconnecting the power, reboot it, select **Recovery Console** from the **Restart** menu, and then assume full control of the server. ### Possible values diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index 7273232870..d4c0f55aa6 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for The **Reset account lockout counter after** policy setting determines the number of minutes that must elapse from the time a user fails to log on before the failed logon attempt counter is reset to 0. If [Account lockout threshold](account-lockout-threshold.md) is set to a number greater than zero, this reset time must be less than or equal to the value of [Account lockout duration](account-lockout-duration.md). -A disadvantage to setting this too high is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. +The disadvantage of a high setting is that users lock themselves out for an inconveniently long period if they exceed the account lockout threshold through logon errors. Users may make excessive Help Desk calls. ### Possible values @@ -37,7 +37,7 @@ A disadvantage to setting this too high is that users lock themselves out for an ### Best practices -You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. +Determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index e1bc77d9c4..edb41ef508 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -55,7 +55,7 @@ By default, this right is granted to the Administrators, Backup Operators, and S The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. -| Server type or GPO | Default value | +| Server type or Group Policy Object (GPO) | Default value | | - | - | |Default Domain Policy | | | Default Domain Controller Policy| Administrators
    Backup Operators
    Server Operators| @@ -74,7 +74,7 @@ Any change to the user rights assignment for an account becomes effective the ne ### Group Policy -Settings are applied in the following order through a Group Policy Object (GPO), which will overwrite settings on the local computer at the next Group Policy update: +Settings are applied in the following order through a Group Policy Object, which will overwrite settings on the local computer at the next Group Policy update: 1. Local policy settings 2. Site policy settings @@ -99,7 +99,7 @@ Ensure that only the local Administrators group is assigned the **Restore files ### Potential impact -If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who are not members of the local Administrators group cannot load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs. +If you remove the **Restore files and directories** user right from the Backup Operators group and other accounts, users who aren't members of the local Administrators group can't load data backups. If restoring backups is delegated to a subset of IT staff in your organization, you should verify that this change does not negatively affect the ability of your organization's personnel to do their jobs. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 91a7a91634..46dbab8860 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -1,6 +1,6 @@ --- title: Security Options (Windows 10) -description: Provides an introduction to the settings under Security Options of the local security policies and links to information about each setting. +description: Introduction to the Security Options settings of the local security policies plus links to more information. ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b ms.reviewer: manager: dansimp @@ -19,23 +19,23 @@ ms.date: 06/28/2018 **Applies to** - Windows 10 -Provides an introduction to the settings under **Security Options** of the local security policies and links to information about each setting. +Provides an introduction to the **Security Options** settings for local security policies and links to more information. The **Security Options** contain the following groupings of security policy settings that allow you to configure the behavior of the local computer. Some of these policies can be included in a Group Policy Object and distributed over your organization. -If you edit policy settings locally on a device, you will affect the settings on only that one device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO. +When you edit policy settings locally on a device, you only affect the settings on only that device. If you configure the settings in a Group Policy Object (GPO), the settings apply to all devices that are subject to that GPO. For info about setting security policies, see [Configure security policy settings](how-to-configure-security-policy-settings.md). ## In this section -| Topic | Description | +| Article | Description | | - | - | | [Accounts: Administrator account status](accounts-administrator-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Administrator account status** security policy setting.| | [Accounts: Block Microsoft accounts](accounts-block-microsoft-accounts.md) | Describes the best practices, location, values, management, and security considerations for the **Accounts: Block Microsoft accounts** security policy setting.| | [Accounts: Guest account status](accounts-guest-account-status.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Guest account status** security policy setting.| | [Accounts: Limit local account use of blank passwords to console logon only](accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Limit local account use of blank passwords to console logon only** security policy setting. | -| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy reference topic for the IT professional describes the best practices, location, values, and security considerations for this policy setting.| +| [Accounts: Rename administrator account](accounts-rename-administrator-account.md)| This security policy article for the IT professional describes the best practices, location, values, and security considerations for this policy setting.| | [Accounts: Rename guest account](accounts-rename-guest-account.md) | Describes the best practices, location, values, and security considerations for the **Accounts: Rename guest account** security policy setting.| | [Audit: Audit the access of global system objects](audit-audit-the-access-of-global-system-objects.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.| | [Audit: Audit the use of Backup and Restore privilege](audit-audit-the-use-of-backup-and-restore-privilege.md) | Describes the best practices, location, values, and security considerations for the **Audit: Audit the use of Backup and Restore privilege** security policy setting.| @@ -64,45 +64,45 @@ For info about setting security policies, see [Configure security policy setting | [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine account lockout threshold** security policy setting.| | [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)| Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Machine inactivity limit** security policy setting.| | [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) | Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. | -| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. | -| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. | -| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. | +| [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Message title for users attempting to log on** security policy setting. | +| [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** security policy setting. | +| [Interactive logon: Prompt user to change password before expiration](interactive-logon-prompt-user-to-change-password-before-expiration.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Prompt user to change password before expiration** security policy setting. | | [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require Domain Controller authentication to unlock workstation** security policy setting. | -| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.| -| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| -| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. | -| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. | +| [Interactive logon: Require smart card](interactive-logon-require-smart-card.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting.| +| [Interactive logon: Smart card removal behavior](interactive-logon-smart-card-removal-behavior.md) | Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Smart card removal behavior** security policy setting.| +| [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2. | +| [SMBv1 Microsoft network client: Digitally sign communications (always)](smbv1-microsoft-network-client-digitally-sign-communications-always.md) | Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Digitally sign communications (always)** security policy setting for SMBv1 only. | | [SMBv1 Microsoft network client: Digitally sign communications (if server agrees)](smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network client: Digitally sign communications (if server agrees)** security policy setting for SMBv1 only. | -| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | +| [Microsoft network client: Send unencrypted password to third-party SMB servers](microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network client: Send unencrypted password to third-party SMB servers** security policy setting. | | [Microsoft network server: Amount of idle time required before suspending session](microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Amount of idle time required before suspending session** security policy setting. | | [Microsoft network server: Attempt S4U2Self to obtain claim information](microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md)| Describes the best practices, location, values, management, and security considerations for the **Microsoft network server: Attempt S4U2Self to obtain claim information** security policy setting. | -| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| -| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.| -| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. | +| [Microsoft network server: Digitally sign communications (always)](microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv3 and SMBv2.| +| [SMBv1 Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (always)** security policy setting for SMBv1 only.| +| [SMBv1 Microsoft network server: Digitally sign communications (if client agrees)](smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md)| Describes the best practices, location, values, policy management, and security considerations for the **Microsoft network server: Digitally sign communications (if client agrees)** security policy setting for SMBv1 only. | | [Microsoft network server: Disconnect clients when logon hours expire](microsoft-network-server-disconnect-clients-when-logon-hours-expire.md)| Describes the best practices, location, values, and security considerations for the **Microsoft network server: Disconnect clients when logon hours expire** security policy setting. | -| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. | -| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| +| [Microsoft network server: Server SPN target name validation level](microsoft-network-server-server-spn-target-name-validation-level.md)| Describes the best practices, location, and values, policy management, and security considerations for the **Microsoft network server: Server SPN target name validation level** security policy setting. | +| [Network access: Allow anonymous SID/Name translation](network-access-allow-anonymous-sidname-translation.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Allow anonymous SID/Name translation** security policy setting.| | [Network access: Do not allow anonymous enumeration of SAM accounts](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts** security policy setting. | | [Network access: Do not allow anonymous enumeration of SAM accounts and shares](network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md)| Describes the best practices, location, values, and security considerations for the **Network access: Do not allow anonymous enumeration of SAM accounts and shares** security policy setting. | -| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. | -| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. | -| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. | -| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| +| [Network access: Do not allow storage of passwords and credentials for network authentication](network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Do not allow storage of passwords and credentials for network authentication** security policy setting. | +| [Network access: Let Everyone permissions apply to anonymous users](network-access-let-everyone-permissions-apply-to-anonymous-users.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Let Everyone permissions apply to anonymous users** security policy setting. | +| [Network access: Named Pipes that can be accessed anonymously](network-access-named-pipes-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Named Pipes that can be accessed anonymously** security policy setting. | +| [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| | [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. | -| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. | -| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. | -| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. | -| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. | +| [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. | +| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. | +| [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. | +| [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. | | [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. | | [Network security: Allow LocalSystem NULL session fallback](network-security-allow-localsystem-null-session-fallback.md)| Describes the best practices, location, values, and security considerations for the **Network security: Allow LocalSystem NULL session fallback** security policy setting.| | [Network security: Allow PKU2U authentication requests to this computer to use online identities](network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md)| Describes the best practices, location, and values for the **Network Security: Allow PKU2U authentication requests to this computer to use online identities** security policy setting. | -| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. | -| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. | -| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. | -| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: LAN Manager authentication level** security policy setting.| -| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. | -| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. | -| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. | +| [Network security: Configure encryption types allowed for Kerberos Win7 only](network-security-configure-encryption-types-allowed-for-kerberos.md)| Describes the best practices, location, values, and security considerations for the **Network security: Configure encryption types allowed for Kerberos Win7 only** security policy setting. | +| [Network security: Do not store LAN Manager hash value on next password change](network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Do not store LAN Manager hash value on next password change** security policy setting. | +| [Network security: Force logoff when logon hours expire](network-security-force-logoff-when-logon-hours-expire.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Force logoff when logon hours expire** security policy setting. | +| [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: LAN Manager authentication level** security policy setting.| +| [Network security: LDAP client signing requirements](network-security-ldap-client-signing-requirements.md) | This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. This information applies to computers running at least the Windows Server 2008 operating system. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) clients](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** security policy setting. | +| [Network security: Minimum session security for NTLM SSP based (including secure RPC) servers](network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md)| Describes the best practices, location, values, policy management, and security considerations for the **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** security policy setting. | | [Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication](network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication** security policy setting. | | [Network security: Restrict NTLM: Add server exceptions in this domain](network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network security: Restrict NTLM: Add server exceptions in this domain** security policy setting. | | [Network security: Restrict NTLM: Audit incoming NTLM traffic](network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Audit incoming NTLM traffic** security policy setting. | @@ -110,28 +110,28 @@ For info about setting security policies, see [Configure security policy setting | [Network security: Restrict NTLM: Incoming NTLM traffic](network-security-restrict-ntlm-incoming-ntlm-traffic.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Incoming NTLM traffic** security policy setting. | | [Network security: Restrict NTLM: NTLM authentication in this domain](network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: NTLM authentication in this domain** security policy setting. | | [Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers](network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md)| Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. | -| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. | -| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. | -| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. | -| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.| -| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. | -| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. | -| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. | -| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management and security considerations for the **System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)** security policy setting. | -| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting.| -| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. | -| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. | +| [Recovery console: Allow automatic administrative logon](recovery-console-allow-automatic-administrative-logon.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow automatic administrative logon** security policy setting. | +| [Recovery console: Allow floppy copy and access to all drives and folders](recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md)| Describes the best practices, location, values, policy management, and security considerations for the **Recovery console: Allow floppy copy and access to all drives and folders** security policy setting. | +| [Shutdown: Allow system to be shut down without having to lg on](shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. | +| [Shutdown: Clear virtual memory pagefile](shutdown-clear-virtual-memory-pagefile.md)| Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Clear virtual memory pagefile** security policy setting.| +| [System cryptography: Force strong key protection for user keys stored on the computer](system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md)| Describes the best practices, location, values, policy management, and security considerations for the **System cryptography: Force strong key protection for user keys stored on the computer** security policy setting. | +| [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md)| This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for this policy setting. | +| [System objects: Require case insensitivity for non-Windows subsystems](system-objects-require-case-insensitivity-for-non-windows-subsystems.md)| Describes the best practices, location, values, policy management, and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. | +| [System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)](system-objects-strengthen-default-permissions-of-internal-system-objects.md)| Describes the best practices, location, values, policy management, and security considerations for the **System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links)** security policy setting. | +| [System settings: Optional subsystems](system-settings-optional-subsystems.md) | Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting.| +| [System settings: Use certificate rules on Windows executables for Software Restriction Policies](system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md)| Describes the best practices, location, values, policy management, and security considerations for the **System settings: Use certificate rules on Windows executables for Software Restriction Policies** security policy setting. | +| [User Account Control: Admin Approval Mode for the Built-in Administrator account](user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Admin Approval Mode for the Built-in Administrator account** security policy setting. | | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md)| Describes the best practices, location, values, and security considerations for the **User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop** security policy setting. | -| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. | -| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. | -| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. | -| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. | -| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. | -| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. | -| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. | -| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. | +| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** security policy setting. | +| [User Account Control: Behavior of the elevation prompt for standard users](user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Behavior of the elevation prompt for standard users** security policy setting. | +| [User Account Control: Detect application installations and prompt for elevation](user-account-control-detect-application-installations-and-prompt-for-elevation.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Detect application installations and prompt for elevation** security policy setting. | +| [User Account Control: Only elevate executables that are signed and validated](user-account-control-only-elevate-executables-that-are-signed-and-validated.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. | +| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. | +| [User Account Control: Run all administrators in Admin Approval Mode](user-account-control-run-all-administrators-in-admin-approval-mode.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Run all administrators in Admin Approval Mode** security policy setting. | +| [User Account Control: Switch to the secure desktop when prompting for elevation](user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Switch to the secure desktop when prompting for elevation** security policy setting. | +| [User Account Control: Virtualize file and registry write failures to per-user locations](user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md)| Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Virtualize file and registry write failures to per-user locations** security policy setting. | -## Related topics +## Related articles - [Security policy settings reference](security-policy-settings-reference.md) - [Security policy settings](security-policy-settings.md) diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index ab59c99e00..368f3b722b 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -28,9 +28,9 @@ Describes the best practices, location, values, policy management, and security This security setting determines if a user who is logged on locally to a device can shut down Windows. -Shutting down domain controllers makes them unavailable to perform functions such as processing logon requests, processing Group Policy settings, and answering Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles (also known as flexible single master operations or FSMO roles) can disable key domain functionality; for example, processing logon requests for new passwords, which is performed by the primary domain controller (PDC) emulator master. +Shutting down domain controllers makes them unable to do things like process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. Shutting down domain controllers that have been assigned operations master roles, which are also known as flexible single master operations or FSMO roles, can disable key domain functionality. For example, processing logon requests for new passwords, which are done by the primary domain controller (PDC) emulator master. -The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancela shutdown. +The **Shut down the system** user right is required to enable hibernation support, to set the power management settings, and to cancel a shutdown. Constant: SeShutdownPrivilege @@ -42,8 +42,8 @@ Constant: SeShutdownPrivilege ### Best practices -1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers, and that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks will not be negatively affected. -2. The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be very careful about the accounts and groups that you allow to shut down a domain controller. +1. Ensure that only Administrators and Backup Operators have the **Shut down the system** user right on member servers. And that only Administrators have the user right on domain controllers. Removing these default groups might limit the abilities of users who are assigned to specific administrative roles in your environment. Ensure that their delegated tasks won't be negatively affected. +2. The ability to shut down domain controllers should be limited to a small number of trusted administrators. Even though a system shutdown requires the ability to log on to the server, you should be careful about the accounts and groups that you allow to shut down a domain controller. ### Location @@ -91,20 +91,20 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller. +The ability to shut down domain controllers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be careful about which accounts and groups you allow to shut down a domain controller. -When a domain controller is shut down, it is no longer available to process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which is performed by the PDC master. +When a domain controller is shut down, it can't process logon requests, process Group Policy settings, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that have operations master roles, you can disable key domain functionality, such as processing logon requests for new passwords, which are performed by the PDC master. -For other server roles, especially those where non-administrators have rights to log on to the server (such as RD Session Host servers), it is critical that this user right be removed from users that do not have a legitimate reason to restart the servers. +For other server roles, especially roles where non-administrators have rights to log on to the server, such as RD Session Host servers, it's critical that this user right be removed from users who don't have a legitimate reason to restart the servers. ### Countermeasure -Ensure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers, and ensure that only the Administrators group is assigned the user right on domain controllers. +Make sure that only the Administrators and Backup Operators groups are assigned the **Shut down the system** user right on member servers. And make sure that only the Administrators group is assigned the user right on domain controllers. ### Potential impact -The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities are not adversely affected. +The impact of removing these default groups from the **Shut down the system** user right could limit the delegated abilities of assigned roles in your environment. Confirm that delegated activities aren't adversely affected. -## Related topics +## Related articles - [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index de1024fc83..49cf09a6db 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -1,6 +1,6 @@ --- title: Shutdown Allow system to be shut down without having to log on (Windows 10) -description: Best practices, security considerations and more for the security policy setting, Shutdown Allow system to be shut down without having to log on. +description: Best practices, security considerations, and more for the security policy setting Shutdown Allow system to be shut down without having to log on. ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 ms.reviewer: ms.author: dansimp @@ -22,30 +22,31 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **Shutdown: Allow system to be shut down without having to log on** security policy setting. ## Reference -This policy setting determines whether a device can be shut down without having to log on to Windows. If you enable this policy setting, the **Shut Down** option is available on the logon screen in Windows. If you disable this policy setting, the **Shut Down** option is removed from the logon screen. This configuration requires that users are able to log on to the device successfully and that they have the **Shut down the system** user right before they can perform a shutdown. +This policy setting determines whether you can shut down a device without having to sign in to Windows. When you enable it, the **Shut Down** option is available on the sign-in screen in Windows. If you disable this setting, the **Shut Down** option is removed from the screen. To use the option, the user must sign in on the device successfully and have the **Shut down the system** user right. + +Users who access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service +condition from a local console by restarting or shutting down the server. -Users who can access the console locally can shut down the system. Attackers or misguided users can connect to the server by using Remote Desktop Services, and then shut it down or restart it without having to identify themselves. A malicious user might also cause a temporary denial-of-service -condition by walking up to the local console and restarting the server, or shutting down the server and thus rendering unavailable all its applications and services. ### Possible values - Enabled - The shut down command is available on the logon screen. + The shutdown command is available on the sign-in screen. - Disabled - The shut down option is removed from the logon screen and users must have the **Shut down the system** user right before they can perform a shutdown. + The shut down option is removed from the sign-in screen. Users must have the **Shut down the system** user right to do a shutdown. - Not defined ### Best practices -1. On servers, set this policy to **Disabled**. You must log on to servers to shut them down or restart them. -2. On client devices, set this policy to **Enabled** and define the list of those with the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**. +1. On servers, set this policy to **Disabled**. You must sign in to servers to shut down or restart them. +2. On client devices, set this policy to **Enabled**. Define the list of users who have the right to shut them down or restart them with the User Rights Assignment policy **Shut down the system**. ### Location @@ -78,7 +79,10 @@ For info about the User Rights Assignment policy, **Shut down the system**, see ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes: +- How an attacker might exploit a feature or its configuration. +- How to implement the countermeasure. +- Possible negative consequences of countermeasure implementation. ### Vulnerability @@ -92,8 +96,8 @@ Disable the **Shutdown: Allow system to be shut down without having to log on** ### Potential impact -You must log on to servers to shut them down or restart them. +You must sign in on servers to shut them down or restart them. -## Related topics +## Related articles - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index 08eaf1bdab..f2b1daed5b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **System objects: Require case insensitivity for non-Windows subsystems** security policy setting. ## Reference diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index a113f6b5de..7e622b901f 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -1,5 +1,5 @@ --- -title: System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links) (Windows 10) +title: System objects Strengthen default permissions of internal system objects (e.g., Symbolic Links) (Windows 10) description: Best practices and more for the security policy setting, System objects Strengthen default permissions of internal system objects (e.g. Symbolic Links). ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: @@ -17,7 +17,7 @@ ms.topic: conceptual ms.date: 04/19/2017 --- -# System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) +# System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index 022104ca8d..af6a91841d 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -1,6 +1,6 @@ --- title: System settings Optional subsystems (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the System settings Optional subsystems security policy setting. +description: Describes the best practices, location, values, policy management, and security considerations for the System settings Optional subsystems security policy setting. ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 ms.reviewer: ms.author: dansimp @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **System settings: Optional subsystems** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **System settings: Optional subsystems** security policy setting. ## Reference diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 1fea6a28a0..6c3bb8ace6 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -26,17 +26,17 @@ Describes the best practices, location, values, and security considerations for ## Reference -This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts that are used by a standard user. +This security setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. >**Note:**  This setting does not change the behavior of the UAC elevation prompt for administrators. **Background** -User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. +User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. -Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. +Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that support an accessible user experience control the behavior of other Windows applications for the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions don't interfere with the Microsoft UI automation model. -However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. +However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. @@ -120,7 +120,7 @@ Disable the **User Account Control: Allow UIAccess applications to prompt for el ### Potential impact -If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. However, selecting this check box requires that the interactive user respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user does not have the required credentials to allow elevation. +If a user requests remote assistance from an administrator and the remote assistance session is established, elevation prompts appear on the interactive user's secure desktop and the administrator's remote session is paused. To avoid pausing the remote administrator’s session during elevation requests, the user can select the "Allow IT Expert to respond to User Account Control prompts" check box when setting up the remote assistance session. But selecting this check box requires the interactive user to respond to an elevation prompt on the secure desktop. If the interactive user is a standard user, the user doesn't have the required credentials to allow elevation. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 6846dd303b..014e882384 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -22,7 +22,7 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate executables that are signed and validated** security policy setting. ## Reference @@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Intellectual property, personally identifiable information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised. +Intellectual property, personal information, and other confidential data are normally manipulated by applications on the computer, and elevated credentials are required to access the information. Users and administrators inherently trust applications that are used with these information sources, and they provide their credentials. If one of these applications is replaced by a rogue application that appears identical to the trusted application, the confidential data could be compromised and the user's administrative credentials would also be compromised. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index 77c4b06163..e9d0d85e91 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -22,11 +22,11 @@ ms.date: 04/19/2017 **Applies to** - Windows 10 -Describes the best practices, location, values, policy management and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. +Describes the best practices, location, values, policy management, and security considerations for the **User Account Control: Only elevate UIAccess applications that are installed in secure locations** security policy setting. ## Reference -This policy setting enforces the requirement that apps that request running with a UIAccess integrity level (by means of a marking of UIAccess=true in their app manifest), must reside in a secure location on the file system. Relatively secure locations are limited to the following directories: +This policy setting enforces the requirement that apps that request running with a UIAccess integrity level by marking *UIAccess=true* in their app manifest must reside in a secure location on the file system. Relatively secure locations are limited to the following directories: - \\Program Files\\ including subdirectories - \\Windows\\system32\\ @@ -36,11 +36,11 @@ This policy setting enforces the requirement that apps that request running with **Background** -User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI does not interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. +User Interface Privilege Isolation (UIPI) implements restrictions in the Windows subsystem that prevent lower-privilege applications from sending messages or installing hooks in higher-privilege processes. Higher-privilege applications are permitted to send messages to lower-privilege processes. UIPI doesn't interfere with or change the behavior of messages between applications at the same privilege (or integrity) level. -Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications on behalf of the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions do not interfere with the Microsoft UI automation model. +Microsoft UI Automation is the current model to support accessibility requirements in the Windows operating systems. Applications that are designed to support an accessible user experience control the behavior of other Windows applications for the user. When all applications on the automation client computer and server are running as a standard user (that is, at a medium integrity level), the UIPI restrictions don't interfere with the Microsoft UI automation model. -However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation cannot drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. +However, there might be times when an administrative user runs an application with elevated privilege based on UAC in Admin Approval Mode. Microsoft UI Automation can't drive the UI graphics of elevated applications on the desktop without the ability to bypass the restrictions that UIPI implements. The ability to bypass UIPI restrictions across privilege levels is available for UI automation programs by using UIAccess. If an application presents a UIAccess attribute when it requests privileges, the application is stating a requirement to bypass UIPI restrictions for sending messages across privilege levels. Devices implement the following policy checks before starting an application with UIAccess privilege. @@ -87,7 +87,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they aresaved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -95,11 +95,14 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep ## Security considerations -This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. +This section describes: +- How an attacker might exploit a feature or its configuration. +- How to implement the countermeasure. +- The possible negative consequences of countermeasure implementation. ### Vulnerability -UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms, but it is not required by most applications. A process that is started with UIAccess rights has the following abilities: +UIAccess integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. When this setting is enabled, an application that has the UIAccess flag set to true in its manifest can interchange information with applications that are running at a higher privilege level, such as logon prompts and privilege elevation prompts. This ability is required to support accessibility features such as screen readers that transmit user interfaces to alternative forms. But it's not required by most applications. A process that's started with UIAccess rights has the following abilities: - Set the foreground window. - Drive any application window by using the SendInput function. @@ -113,8 +116,8 @@ Enable the **User Account Control: Only elevate UIAccess applications that are i ### Potential impact -If the application that requests UIAccess meets the UIAccess setting requirements, computers running at least the Windows Vista operating system start the application with the ability to bypass most of the UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. +If the application that requests UIAccess meets the UIAccess setting requirements, computers that run at least the Windows Vista operating system start the application with the ability to bypass most UIPI restrictions. If the application does not meet the security restrictions, the application is started without UIAccess rights, and it can interact only with applications at the same or lower privilege level. -## Related topics +## Related articles - [Security Options](/windows/device-security/security-policy-settings/security-options) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index a8f8114e8a..79c0d8087a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -14,6 +14,7 @@ #### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) +#### [Microsoft recommended driver block rules](microsoft-recommended-driver-block-rules.md) ### Create your initial WDAC policy #### [Example WDAC base policies](example-wdac-base-policies.md) #### [Policy creation for common WDAC usage scenarios](types-of-devices.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index 3bfb26bb30..277bc78753 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -1,6 +1,6 @@ --- title: AppLocker functions (Windows 10) -description: This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. +description: This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 ms.reviewer: ms.author: dansimp @@ -23,11 +23,11 @@ ms.date: 09/21/2017 - Windows 10 - Windows Server -This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. +This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. ## Functions -The following list includes the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2 and links to current documentation on MSDN: +Here are the SRP functions beginning with Windows Server 2003 and AppLocker functions beginning with Windows Server 2008 R2: - [SaferGetPolicyInformation Function](https://go.microsoft.com/fwlink/p/?LinkId=159781) - [SaferCreateLevel Function](https://go.microsoft.com/fwlink/p/?LinkId=159782) @@ -40,7 +40,7 @@ The following list includes the SRP functions beginning with Windows Server 200 ## Security level ID -AppLocker and SRP use the security level IDs to stipulate the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker. +AppLocker and SRP use the security level IDs to specify the access requirements to files listed in policies. The following table shows those security levels supported in SRP and AppLocker. | Security level ID | SRP | AppLocker | | - | - | - | @@ -50,9 +50,10 @@ AppLocker and SRP use the security level IDs to stipulate the access requirement | SAFER_LEVELID_UNTRUSTED | Supported | Not supported | | SAFER_LEVELID_DISALLOWED | Supported | Supported | -In addition, URL zone ID is not supported in AppLocker. +>[!Note] +>URL zone ID isn't supported in AppLocker. -## Related topics +## Related articles - [AppLocker technical reference](applocker-technical-reference.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 1f35434f95..619e173000 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -1,6 +1,6 @@ --- title: Create a rule for packaged apps (Windows 10) -description: This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. +description: This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 ms.reviewer: ms.author: dansimp @@ -23,9 +23,9 @@ ms.date: 09/21/2017 - Windows 10 - Windows Server -This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. +This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. -Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: +Packaged apps, also known as Universal Windows apps, are based on an app model that ensures that all the files within an app package share the same identity. Therefore, it is possible to control the entire app using a single AppLocker rule as opposed to the non-packaged apps where each file within the app could have a unique identity. Windows does not support unsigned packaged apps, which implies all packaged apps must be signed. AppLocker supports only publisher rules for packaged apps. A publisher rule for a packaged app is based on the following information: - Publisher of the package - Package name @@ -40,9 +40,9 @@ You can perform this task by using the Group Policy Management Console for an Ap **To create a packaged app rule** 1. Open the AppLocker console. -2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, click **Create New Rule**. -3. On the **Before You Begin** page, click **Next**. -4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then click **Next**. +2. On the **Action** menu, or by right-clicking on **Packaged app Rules**, select **Create New Rule**. +3. On the **Before You Begin** page, select **Next**. +4. On the **Permissions** page, select the action (allow or deny) and the user or group that the rule should apply to, and then select **Next**. 5. On the **Publisher** page, you can select a specific reference for the packaged app rule and set the scope for the rule. The following table describes the reference options.
    @@ -65,8 +65,8 @@ You can perform this task by using the Group Policy Management Console for an Ap - - + +

    Use a packaged app installer as a reference

    If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name and package version of the installer to define the rule.

    Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share and choose the installer for the Payroll app as a reference to create your rule.

    If selected, AppLocker requires you to choose an app installer on which to base your new rule. A packaged app installer has the .appx extension. AppLocker uses the publisher, package name, and package version of the installer to define the rule.

    Your company has developed a number of internal line-of-business packaged apps. The app installers are stored on a common file share. Employees can install the required apps from that file share. You want to allow all your employees to install the Payroll app from this share. So you choose this option from the wizard, browse to the file share, and choose the installer for the Payroll app as a reference to create your rule.
    @@ -110,11 +110,11 @@ You can perform this task by using the Group Policy Management Console for an Ap

    Applying custom values to the rule

    Selecting the Use custom values check box allows you to adjust the scope fields for your particular circumstance.

    -

    You want to allow users to install all Microsoft.Bing* applications which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

    +

    You want to allow users to install all Microsoft.Bing* applications, which include Microsoft.BingMaps, Microsoft.BingWeather, Microsoft.BingMoney. You can choose the Microsoft.BingMaps as a reference, select the Use custom values check box and edit the package name field by adding “Microsoft.Bing*” as the Package name.

      -6. Click **Next**. -7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Click **Next**. -8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then click **Create**. +6. Select **Next**. +7. (Optional) On the **Exceptions** page, specify conditions by which to exclude files from being affected by the rule. This allows you to add exceptions based on the same rule reference and rule scope as you set before. Select **Next**. +8. On the **Name** page, either accept the automatically generated rule name or type a new rule name, and then select **Create**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 1c46616481..24ab242eb1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -1,6 +1,6 @@ --- title: Create a list of apps deployed to each business group (Windows 10) -description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. +description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker. ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 ms.reviewer: ms.author: dansimp @@ -27,7 +27,7 @@ This topic describes the process of gathering app usage requirements from each b ## Determining app usage -For each business group, determine the following: +For each business group, determine the following information: - The complete list of apps used, including different versions of an app - The full installation path of the app @@ -37,12 +37,12 @@ For each business group, determine the following: ### How to perform the app usage assessment -Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate +You might already have a method in place to understand app usage for each business group. You'll need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection. **Application inventory methods** -Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. +Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. @@ -72,7 +72,7 @@ After you have created the list of apps, the next step is to identify the rule c - Allow or deny - GPO name -To do this, see the following topics: +For guidance, see the following topics: - [Select the types of rules to create](select-types-of-rules-to-create.md) - [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index be00ebc127..a63318645f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -1,6 +1,6 @@ --- title: Delete an AppLocker rule (Windows 10) -description: This topic for IT professionals describes the steps to delete an AppLocker rule. +description: This article for IT professionals describes the steps to delete an AppLocker rule. ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 ms.reviewer: ms.author: dansimp @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 08/02/2018 +ms.date: 11/09/2020 --- # Delete an AppLocker rule @@ -23,7 +23,7 @@ ms.date: 08/02/2018 - Windows 10 - Windows Server -This topic for IT professionals describes the steps to delete an AppLocker rule. +This article for IT professionals describes the steps to delete an AppLocker rule. As older apps are retired and new apps are deployed in your organization, it will be necessary to modify the application control policies. If an app becomes unsupported by the IT department or is no longer allowed due to the organization's security policy, then deleting the rule or rules associated with that app will prevent the app from running. @@ -34,17 +34,19 @@ AppLocker, see [Administer AppLocker](administer-applocker.md#bkmk-using-snapins These steps apply only for locally managed devices. If the device has AppLocker policies applied by using MDM or a GPO, the local policy will not override those settings. -**To delete a rule in an AppLocker policy** +## To delete a rule in an AppLocker policy 1. Open the AppLocker console. 2. Click the appropriate rule collection for which you want to delete the rule. 3. In the details pane, right-click the rule to delete, click **Delete**, and then click **Yes**. ->**Note:**  When using Group Policy, for the rule deletion to take effect on computers within the domain, the GPO must be distributed or refreshed. +> [!Note] +> - When using Group Policy, the Group Policy Object must be distributed or refreshed for rule deletion to take effect on devices. +> - Application Identity service needs to be running for deleting Applocker rules. If you disable Applocker and delete Applocker rules, make sure to stop the Application Identity service after deleting Applocker rules. If the Application Identity service is stopped before deleting Applocker rules, and if Applocker blocks apps that are disabled, delete all of the files at `C:\Windows\System32\AppLocker`. -When this procedure is performed on the local device, the AppLocker policy takes effect immediately. +When the following procedure is performed on the local device, the AppLocker policy takes effect immediately. -**To clear AppLocker policies on a single system or remote systems** +## To clear AppLocker policies on a single system or remote systems Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML file that contains the following contents: @@ -55,7 +57,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML -To use the Set-AppLockerPolicy cmdlet, first import the Applocker modules: +To use the Set-AppLockerPolicy cmdlet, first import the AppLocker modules: PS C:\Users\Administrator> import-module AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index adcfdab2e0..dd86101ae7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -23,9 +23,9 @@ ms.date: 09/21/2017 - Windows 10 - Windows Server -This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. +This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. -AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps. +AppLocker is effective for organizations with app restriction requirements whose environments have a simple topography and whose application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is a detailed level of control on the PCs they manage for a relatively small number of apps. There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns. @@ -59,7 +59,7 @@ Use the following table to develop your own objectives and determine which appli

    Policy maintenance

    SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).

    -

    AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.

    +

    AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.

    Policy application

    @@ -68,9 +68,9 @@ Use the following table to develop your own objectives and determine which appli

    Enforcement mode

    -

    SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

    -

    SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.

    -

    AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.

    +

    SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.

    +

    SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

    +

    By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.

    File types that can be controlled

    @@ -95,7 +95,7 @@ Use the following table to develop your own objectives and determine which appli

    Designated file types

    SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.

    -

    AppLocker does not support this. AppLocker currently supports the following file extensions:

    +

    AppLocker doesn't support this. AppLocker currently supports the following file extensions:

    • Executables (.exe, .com)

    • DLLs (.ocx, .dll)

      • @@ -123,11 +123,11 @@ Use the following table to develop your own objectives and determine which appli

      Editing the hash value

      SRP allows you to select a file to hash.

      -

      AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and a SHA2 flat file hash for the rest.

      +

      AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.

      Support for different security levels

      -

      With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges.

      +

      With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

      SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).

      AppLocker does not support security levels.

      @@ -144,12 +144,12 @@ Use the following table to develop your own objectives and determine which appli

      Support for rule exceptions

      SRP does not support rule exceptions

      -

      AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.

      +

      AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.

      Support for audit mode

      -

      SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.

      -

      AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

      +

      SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.

      +

      AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

      Support for exporting and importing policies

      @@ -158,8 +158,8 @@ Use the following table to develop your own objectives and determine which appli

      Rule enforcement

      -

      Internally, SRP rules enforcement happens in the user-mode which is less secure.

      -

      Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.

      +

      Internally, SRP rules enforcement happens in user-mode, which is less secure.

      +

      Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.

      diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 828934ca43..4e49ccf26f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -69,7 +69,7 @@ The following table compares the features and functions of Software Restriction

      Enforcement mode

      -

      SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.

      +

      SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

      SRP can also be configured in the “allow list mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.

      AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.

      @@ -146,12 +146,12 @@ The following table compares the features and functions of Software Restriction

      Support for rule exceptions

      SRP does not support rule exceptions.

      -

      AppLocker rules can have exceptions which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.

      +

      AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.

      Support for audit mode

      SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.

      -

      AppLocker supports audit mode which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

      +

      AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.

      Support for exporting and importing policies

      @@ -160,8 +160,8 @@ The following table compares the features and functions of Software Restriction

      Rule enforcement

      -

      Internally, SRP rules enforcement happens in the user-mode which is less secure.

      -

      Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.

      +

      Internally, SRP rules enforcement happens in the user-mode, which is less secure.

      +

      Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.

      diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md new file mode 100644 index 0000000000..7d56cdbe9e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -0,0 +1,387 @@ +--- +title: Microsoft recommended driver block rules (Windows 10) +description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. +keywords: security, malware, kernel mode, driver +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.date: 10/15/2020 +--- + +# Microsoft recommended driver block rules + +**Applies to:** + +- Windows 10 +- Windows Server 2016 and above + +Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices: + +- Hypervisor-protected code integrity (HVCI) enabled devices +- Windows 10 in S mode (S mode) devices + +Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events. + +> [!Note] +> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode. + +```xml + + + 10.0.19565.0 + {D2BDA982-CCF6-4344-AC5B-0B44427B6816} + {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 0 + + + + Microsoft Windows Driver Policy + + + + + 10.0.19565.0 + + + + +``` +
      + + +## More information + +- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 1611fdc1c9..45a707db18 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -29,19 +29,19 @@ manager: dansimp - Group Policy -You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. ![The security center custom fly-out](images/security-center-custom-flyout.png) -This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). +This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)). ![A security center notification](images/security-center-custom-notif.png) -Users can click on the displayed information to initiate a support request: +Users can select the displayed information to initiate a support request: -- Clicking **Call** or the phone number will open Skype to start a call to the displayed number -- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email -- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address +- Select **Call** or the phone number to open Skype to start a call to the displayed number. +- Select **Email** or the email address to create a new email in the machine's default email app address to the displayed email. +- Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address. ## Requirements @@ -67,12 +67,12 @@ This can only be done in Group Policy. 5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**. -6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**: +6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**: 1. **Specify contact email address or Email ID** 2. **Specify contact phone number or Skype ID** 3. **Specify contact website** -7. Click **OK** after configuring each setting to save your changes. +7. Select **OK** after you configure each setting to save your changes. >[!IMPORTANT] >You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 4209ff2f58..7a394abba3 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -24,7 +24,7 @@ manager: dansimp The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). -In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Firewall & network protection section diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index f3c4b5e3d9..63e2d82171 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -25,9 +25,9 @@ manager: dansimp The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. -In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack. +In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in case of a ransomware attack. -IT administrators and IT pros can get more information and documentation about configuration from the following: +IT administrators and IT pros can get more configuration information from these articles: - [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md) - [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md) @@ -36,7 +36,7 @@ IT administrators and IT pros can get more information and documentation about c - [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a) - [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) -You can choose to hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features. ## Hide the Virus & threat protection section diff --git a/windows/security/threat-protection/windows-firewall/encryption-zone.md b/windows/security/threat-protection/windows-firewall/encryption-zone.md index 097cbdf870..715a2eef02 100644 --- a/windows/security/threat-protection/windows-firewall/encryption-zone.md +++ b/windows/security/threat-protection/windows-firewall/encryption-zone.md @@ -23,9 +23,9 @@ ms.date: 04/19/2017 - Windows 10 - Windows Server 2016 -Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. +Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices. -To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted. +To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted. You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols. diff --git a/windows/security/threat-protection/windows-firewall/firewall-gpos.md b/windows/security/threat-protection/windows-firewall/firewall-gpos.md index e40d0eddc7..8a214a169f 100644 --- a/windows/security/threat-protection/windows-firewall/firewall-gpos.md +++ b/windows/security/threat-protection/windows-firewall/firewall-gpos.md @@ -25,6 +25,4 @@ ms.date: 04/19/2017 All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters. -The GPO created for the example Woodgrove Bank scenario include the following: - -- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md) +The GPO created for the example Woodgrove Bank scenario includes [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md). diff --git a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md index da4b632a34..3d79b04f30 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md +++ b/windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md @@ -25,9 +25,9 @@ ms.date: 08/17/2017 Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation. -Review each of the following topics for guidance about the kinds of information that you must gather: +Review each of the following articles for guidance about the kinds of information that you must gather: -- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) +- [Gathering Information about Your Conversational Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md) - [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md) diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md index ee39cb7790..7ca03d22e7 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md @@ -22,14 +22,14 @@ ms.date: 08/17/2017 This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose. -This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008. +This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. ## IPsec settings -The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO: +The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain. The following changes are made to encryption zone copy of the GPO: -The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations. +The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations. ## Connection security rules diff --git a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md index 2caa25566a..29b25a7dd2 100644 --- a/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md +++ b/windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md @@ -37,9 +37,9 @@ To create a domain isolation or server isolation design, you must understand the ## IPsec performance considerations -Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. +Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This reduction is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms. -IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. +IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This configuration frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps. ## Domain isolation design diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md index 9718aa85cf..00b1374150 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 10/13/2017 +ms.date: 10/21/2020 ms.reviewer: ms.custom: asr --- @@ -20,8 +20,9 @@ ms.custom: asr # Windows Defender Firewall with Advanced Security **Applies to** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows Server 2016 +- Windows Server 2019 This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features. @@ -48,4 +49,3 @@ To help address your organizational network security challenges, Windows Defende - **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API). - diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index db22ee475a..eb25e2cf9c 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md @@ -29,7 +29,7 @@ Before Windows Sandbox is installed, the dynamic base image package is stored as ## Memory management -Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process. +Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This method is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process. ![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png) @@ -51,7 +51,7 @@ Windows Sandbox employs a unique policy that allows the virtual processors of th Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows. -This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host. +This feature allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host. ![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 2ac125c33b..16214a5f59 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -8,7 +8,7 @@ ms.author: dansimp manager: dansimp ms.collection: ms.topic: article -ms.localizationpriority: +ms.localizationpriority: medium ms.date: ms.reviewer: --- diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index edb6146667..9be4f860e1 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,11 +1,12 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md) ## [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) ## [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) ## [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) ## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) ## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) -## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## Previous versions +### [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ### [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) ### [What's new in Windows 10, version 1607](whats-new-windows-10-version-1607.md) ### [What's new in Windows 10, versions 1507 and 1511](whats-new-windows-10-version-1507-and-1511.md) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 5ff6fb5017..c04bfa1498 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -32,6 +32,7 @@ "externalReference": [], "globalMetadata": { "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", "ms.topic": "article", "audience": "ITPro", diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index 7f2d33540e..559ab66233 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -18,12 +18,13 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 20H2](whats-new-windows-10-version-20H2.md) - [What's new in Windows 10, version 2004](whats-new-windows-10-version-2004.md) - [What's new in Windows 10, version 1909](whats-new-windows-10-version-1909.md) - [What's new in Windows 10, version 1903](whats-new-windows-10-version-1903.md) - [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) - [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) -- [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) + ## Learn more diff --git a/windows/whats-new/whats-new-windows-10-version-20H2.md b/windows/whats-new/whats-new-windows-10-version-20H2.md new file mode 100644 index 0000000000..8600af198f --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-20H2.md @@ -0,0 +1,152 @@ +--- +title: What's new in Windows 10, version 20H2 +description: New and updated features in Windows 10, version 20H2 (also known as the Windows 10 October 2020 Update). +keywords: ["What's new in Windows 10", "Windows 10", "October 2020 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.author: greglin +manager: laurawi +ms.localizationpriority: high +ms.topic: article +--- + +# What's new in Windows 10, version 20H2 for IT Pros + +**Applies to** +- Windows 10, version 20H2 + +This article lists new and updated features and content that is of interest to IT Pros for Windows 10, version 20H2, also known as the Windows 10 October 2020 Update. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 2004. + +> [!NOTE] +> With this release and future releases, the Windows 10 release nomenclature is changing from a year and month pattern (YYMM) to a year and half-year pattern (YYH1, YYH2). + +As with previous fall releases, Windows 10, version 20H2 is a scoped set of features for select performance improvements, enterprise features, and quality enhancements. As an [H2-targeted release](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet), 20H2 is serviced for 30 months from the release date for devices running Windows 10 Enterprise or Windows 10 Education editions. + +To download and install Windows 10, version 20H2, use Windows Update (**Settings > Update & Security > Windows Update**). For more information, including a video, see [How to get the Windows 10 October 2020 Update](https://community.windows.com/videos/how-to-get-the-windows-10-october-2020-update/7c7_mWN0wi8). + +## Microsoft Edge + +This release automatically includes the new Chromium-based [Microsoft Edge](https://www.microsoft.com/edge/business) browser instead of the legacy version of Edge. For more information, see the [Microsoft Edge documentation](https://docs.microsoft.com/microsoft-edge/). + +## Servicing + +### Windows Update + +There are several changes that help improve the security of devices that scan Windows Server Update Services (WSUS) for updates. For more information, see [Changes to improve security for Windows devices scanning WSUS](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547). + +Starting with Windows 10, version 20H2, LCUs and SSUs have been combined into a single cumulative monthly update, available via Microsoft Catalog or Windows Server Update Services. For more information, see [Simplifying on-premises deployment of servicing stack updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039). + +## Deployment + +New guidance is available to help prepare a [servicing strategy](https://docs.microsoft.com/windows/deployment/update/waas-servicing-strategy-windows-10-updates) and move your devices to the latest version of Windows 10 quickly and as seamlessly as possible. + +Activities are grouped into the following phases: **Plan** > **Prepare** > **Deploy**: + +**Plan** your deployment by evaluating and understanding essential activities: +- Create a [phased deployment plan](https://docs.microsoft.com/windows/deployment/update/create-deployment-plan) +- Assign [roles and responsibilities](https://docs.microsoft.com/windows/deployment/update/plan-define-readiness#process-manager) within your organization +- Set [criteria](https://docs.microsoft.com/windows/deployment/update/plan-define-readiness#set-criteria-for-rating-apps) to establish readiness for the upgrade process +- Evaluate your [infrastructure and tools](https://docs.microsoft.com/windows/deployment/update/eval-infra-tools) +- Determine [readiness](https://docs.microsoft.com/windows/deployment/update/plan-determine-app-readiness) for your business applications +- Create an effective, schedule-based [servicing strategy](https://docs.microsoft.com/windows/deployment/update/plan-define-strategy) + +**Prepare** your devices and environment for deployment by performing necessary actions: +- Update [infrastructure and tools](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#prepare-infrastructure-and-environment) +- Ensure the needed [services](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#prepare-applications-and-devices) are available +- Resolve issues with [unhealthy devices](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows#address-unhealthy-devices) +- Ensure that [users are ready](https://docs.microsoft.com/windows/deployment/update/prepare-deploy-windows) for updates + +**Deploy** and manage Windows 10 strategically in your organization: +- Use [Windows Autopilot](https://docs.microsoft.com/mem/autopilot/windows-autopilot) to streamline the set up, configuration, and delivery of new devices +- Use [Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager) or [MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt) to deploy new devices and update existing devices +- Use [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb) with Group Policy to [customize update settings](https://docs.microsoft.com/windows/deployment/update/waas-wufb-group-policy) for your devices +- [Deploy Windows updates](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wsus) with Windows Server Update Services (WSUS) +- Manage bandwidth for updates with [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) +- [Monitor Windows Updates](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor) with Update Compliance + +### Windows Autopilot + +Enhancements to Windows Autopilot since the last release of Windows 10 include: +- [Windows Autopilot for HoloLens](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-autopilot-for-hololens-2/ba-p/1371494): Set up HoloLens 2 devices with Windows Autopilot for HoloLens 2 self-deploying mode. +- [Windows Autopilot with co-management](https://docs.microsoft.com/mem/configmgr/comanage/quickstart-autopilot): Co-management and Autopilot together can help you reduce cost and improve the end user experience. +- Enhancements to Windows Autopilot deployment reporting are in preview. From the Microsoft Endpoint Manager admin center (endpoint.microsoft.com), select **Devices** > **Monitor** and scroll down to the **Enrollment** section. Click **Autopilot deployment (preview)**. + +### Windows Assessment and Deployment Toolkit (ADK) + +There is no new ADK for Windows 10, version 20H2. The ADK for Windows 10, version 2004 will also work with Windows 10, version 20H2. For more information, see [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install). + +## Device management + +Modern Device Management (MDM) policy is extended with new [Local Users and Groups settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-localusersandgroups) that match the options available for devices managed through Group Policy. + +For more information about what's new in MDM, see [What's new in mobile device enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management) + +## Security + +### Microsoft Defender Advanced Threat Protection (ATP) + +This release includes improved support for non-ASCII file paths has been added for Microsoft Defender ATP Auto Incident Response (IR). + +The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) parameter is deprecated in this release. + +### Microsoft Defender Application Guard for Office + +Microsoft Defender Application Guard now supports Office: With [Microsoft Defender Application Guard for Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard), you can launch untrusted Office documents (from outside the Enterprise) in an isolated container to prevent potentially malicious content from compromising your device. + +### Windows Hello + +With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data. + +## Virtualization + +### Windows Sandbox + +New polices for [Windows Sandbox](https://docs.microsoft.com/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) are available in this release. For more information, see [Policy CSP - WindowsSandbox](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowssandbox). + +### Windows Virtual Desktop (WVD) + +> **Note**: WVD is not tied directly to a Windows 10 release, but it is included here as an evolving capability of Windows. + +New capabilities in WVD were announced at Ignite 2020. For more information, see [Announcing new management, security, and monitoring capabilities in Windows Virtual Desktop](https://aka.ms/wvd-ignite2020-blogpost). + +In addition, [Windows Virtual Desktop is now generally available in the Azure Government cloud](https://azure.microsoft.com/updates/windows-virtual-desktop-is-now-generally-available-in-the-azure-government-cloud/). + +## Windows Shell + +Some enhancements to the Windows 10 user interface are implemented in this release: + +- With this release, the solid color behind tiles on the Start menu is replaced with a partially transparent background. Tiles are also theme-aware. +- Icons on the Start menu no longer have a square outline around each icon. +- Notifications are slightly updated in appearance. +- You can now change the monitor refresh rate on advanced display settings. +- Alt+Tab now shows Edge browser tabs by default. You can edit this setting under **Settings** > **System** > **Multitasking**: **Alt+Tab**. +- The System control panel under System and Security has been updated to the Settings > About page. Links to Device Manager, Remote desktop, System protection, Advanced system settings, and Rename this PC are moved to the About page. + +### 2-in-1 PCs + +On a 2-in-1 device, Windows will now automatically switch to tablet mode when you detach the screen. + +## Surface + +Windows 10 Pro and Enterprise are now [available on Surface Hub 2](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/announcing-the-availability-of-windows-10-pro-and-enterprise-on/ba-p/1624107). For more information, see [What's new in Surface Hub 2S for IT admins](https://docs.microsoft.com/surface-hub/surface-hub-2s-whats-new). + +## Desktop Analytics + +[Desktop Analytics](https://docs.microsoft.com/configmgr/desktop-analytics/overview) is a cloud-connected service, integrated with Configuration Manager that provides data-driven insights to the management of Windows endpoints in your organization. Desktop Analytics requires a Windows E3 or E5 license, or a Microsoft 365 E3 or E5 license. + +For information about Desktop Analytics and this release of Windows 10, see [What's new in Desktop Analytics](https://docs.microsoft.com/mem/configmgr/desktop-analytics/whats-new). + +## See Also + +[What’s new for IT pros in Windows 10, version 20H2](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-20h2/ba-p/1800132)
      +[Get started with the October 2020 update to Windows 10](https://www.linkedin.com/learning/windows-10-october-2020-update-new-features-2/get-started-with-the-october-2020-update-to-windows-10)
      +[Learn Windows 10 with the October 2020 Update](https://www.linkedin.com/learning/windows-10-october-2020-update-essential-training/learn-windows-10-with-the-october-2020-update)
      +[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.
      +[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.
      +[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
      +[Announcing more ways we’re making app development easier on Windows](https://blogs.windows.com/windowsdeveloper/2020/09/22/kevin-gallo-microsoft-ignite-2020/): Simplifying app development in Windows.
      +[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.
      +[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.