Default: Disabled | The Windows 10, version 1511 Microsoft Edge Group Policy names are: diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 0890fdadbc..9a54b72f77 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -19,7 +19,7 @@ localizationpriority: high In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese. -To provision multivariant settings, you use Windows Imaging and Configuration Designer (ICD) to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. +To provision multivariant settings, you use Windows Configuration Designer to create a provisioning package that contains all of the customization settings that you want to apply to any of your devices. Next, you manually edit the .XML file for that project to define each set of devices (a **Target**). For each **Target**, you specify at least one **Condition** with a value, which identifies the devices to receive the configuration. Finally, for each **Target**, you provide the customization settings to be applied to those devices. Let's begin by learning how to define a **Target**. @@ -258,7 +258,7 @@ Follow these steps to create a provisioning package with multivariant capabiliti 6. Save the updated customizations.xml file and note the path to this updated file. You will need the path as one of the values for the next step. -7. Use the [Windows ICD command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. +7. Use the [Windows Configuration Designer command-line interface](provisioning-command-line.md) to create a provisioning package using the updated customizations.xml. For example: diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 73fce9589a..babe4c7aa6 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -1,44 +1,176 @@ -# [Deploy Windows 10](index.md) -## [What's new in Windows 10 deployment](deploy-whats-new.md) -## [Plan for Windows 10 deployment](planning/index.md) -### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) -### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -### [Windows 10 compatibility](planning/windows-10-compatibility.md) -### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) -### [Windows To Go: feature overview](planning/windows-to-go-overview.md) -#### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) -#### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) -#### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) -#### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) -#### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) -### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) -#### [SUA User's Guide](planning/sua-users-guide.md) -##### [Using the SUA Wizard](planning/using-the-sua-wizard.md) -##### [Using the SUA Tool](planning/using-the-sua-tool.md) -###### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md) -###### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md) -###### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md) -###### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md) -#### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md) -##### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md) -###### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md) -###### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md) -###### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) -###### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md) -###### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md) -###### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md) -###### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md) -###### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) -###### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) -##### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md) -###### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md) -###### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md) -###### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) -##### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) -#### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) -### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md) -## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -## Upgrade Windows +# [Deploy, Upgrade and Update Windows 10](index.md) + +## Deploy Windows 10 +### [What's new in Windows 10 deployment](deploy-whats-new.md) + +### [Plan for Windows 10 deployment](planning/index.md) +#### [Windows 10 Enterprise FAQ for IT Pros](planning/windows-10-enterprise-faq-itpro.md) +#### [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) +#### [Windows 10 compatibility](planning/windows-10-compatibility.md) +#### [Windows 10 infrastructure requirements](planning/windows-10-infrastructure-requirements.md) +#### [Windows To Go: feature overview](planning/windows-to-go-overview.md) +##### [Best practice recommendations for Windows To Go](planning/best-practice-recommendations-for-windows-to-go.md) +##### [Deployment considerations for Windows To Go](planning/deployment-considerations-for-windows-to-go.md) +##### [Prepare your organization for Windows To Go](planning/prepare-your-organization-for-windows-to-go.md) +##### [Security and data protection considerations for Windows To Go](planning/security-and-data-protection-considerations-for-windows-to-go.md) +##### [Windows To Go: frequently asked questions](planning/windows-to-go-frequently-asked-questions.md) +#### [Application Compatibility Toolkit (ACT) Technical Reference](planning/act-technical-reference.md) +##### [SUA User's Guide](planning/sua-users-guide.md) +###### [Using the SUA Wizard](planning/using-the-sua-wizard.md) +###### [Using the SUA Tool](planning/using-the-sua-tool.md) +####### [Tabs on the SUA Tool Interface](planning/tabs-on-the-sua-tool-interface.md) +####### [Showing Messages Generated by the SUA Tool](planning/showing-messages-generated-by-the-sua-tool.md) +####### [Applying Filters to Data in the SUA Tool](planning/applying-filters-to-data-in-the-sua-tool.md) +####### [Fixing Applications by Using the SUA Tool](planning/fixing-applications-by-using-the-sua-tool.md) +##### [Compatibility Administrator User's Guide](planning/compatibility-administrator-users-guide.md) +###### [Using the Compatibility Administrator Tool](planning/using-the-compatibility-administrator-tool.md) +####### [Available Data Types and Operators in Compatibility Administrator](planning/available-data-types-and-operators-in-compatibility-administrator.md) +####### [Searching for Fixed Applications in Compatibility Administrator](planning/searching-for-fixed-applications-in-compatibility-administrator.md) +####### [Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator](planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md) +####### [Creating a Custom Compatibility Fix in Compatibility Administrator](planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md) +####### [Creating a Custom Compatibility Mode in Compatibility Administrator](planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md) +####### [Creating an AppHelp Message in Compatibility Administrator](planning/creating-an-apphelp-message-in-compatibility-administrator.md) +####### [Viewing the Events Screen in Compatibility Administrator](planning/viewing-the-events-screen-in-compatibility-administrator.md) +####### [Enabling and Disabling Compatibility Fixes in Compatibility Administrator](planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md) +####### [Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator](planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md) +###### [Managing Application-Compatibility Fixes and Custom Fix Databases](planning/managing-application-compatibility-fixes-and-custom-fix-databases.md) +####### [Understanding and Using Compatibility Fixes](planning/understanding-and-using-compatibility-fixes.md) +####### [Compatibility Fix Database Management Strategies and Deployment](planning/compatibility-fix-database-management-strategies-and-deployment.md) +####### [Testing Your Application Mitigation Packages](planning/testing-your-application-mitigation-packages.md) +###### [Using the Sdbinst.exe Command-Line Tool](planning/using-the-sdbinstexe-command-line-tool.md) +##### [Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista](planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md) +#### [Change history for Plan for Windows 10 deployment](planning/change-history-for-plan-for-windows-10-deployment.md) + +### [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) + +### [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) +#### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) +#### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) +#### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) +##### [Introduction to VAMT](volume-activation/introduction-vamt.md) +##### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) +##### [Install and Configure VAMT](volume-activation/install-configure-vamt.md) +###### [VAMT Requirements](volume-activation/vamt-requirements.md) +###### [Install VAMT](volume-activation/install-vamt.md) +###### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md) +##### [Add and Manage Products](volume-activation/add-manage-products-vamt.md) +###### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md) +###### [Update Product Status](volume-activation/update-product-status-vamt.md) +###### [Remove Products](volume-activation/remove-products-vamt.md) +##### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md) +###### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md) +###### [Install a Product Key](volume-activation/install-product-key-vamt.md) +###### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md) +##### [Manage Activations](volume-activation/manage-activations-vamt.md) +###### [Perform Online Activation](volume-activation/online-activation-vamt.md) +###### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md) +###### [Perform KMS Activation](volume-activation/kms-activation-vamt.md) +###### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md) +###### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md) +###### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md) +##### [Manage VAMT Data](volume-activation/manage-vamt-data.md) +###### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md) +###### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md) +##### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md) +###### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md) +###### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md) +###### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md) +##### [VAMT Known Issues](volume-activation/vamt-known-issues.md) +#### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) +##### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md) +###### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md) +###### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md) +###### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md) +##### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md) +###### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md) +###### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md) +###### [Include Files and Settings](usmt/usmt-include-files-and-settings.md) +###### [Migrate Application Settings](usmt/migrate-application-settings.md) +###### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md) +###### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md) +###### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md) +###### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md) +##### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md) +###### [Common Issues](usmt/usmt-common-issues.md) +###### [Frequently Asked Questions](usmt/usmt-faq.md) +###### [Log Files](usmt/usmt-log-files.md) +###### [Return Codes](usmt/usmt-return-codes.md) +###### [USMT Resources](usmt/usmt-resources.md) +##### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md) +###### [USMT Requirements](usmt/usmt-requirements.md) +###### [USMT Best Practices](usmt/usmt-best-practices.md) +###### [How USMT Works](usmt/usmt-how-it-works.md) +###### [Plan Your Migration](usmt/usmt-plan-your-migration.md) +####### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md) +####### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md) +####### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md) +######## [Migration Store Types Overview](usmt/migration-store-types-overview.md) +######## [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md) +######## [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md) +######## [Migration Store Encryption](usmt/usmt-migration-store-encryption.md) +####### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md) +######## [Identify Users](usmt/usmt-identify-users.md) +######## [Identify Applications Settings](usmt/usmt-identify-application-settings.md) +######## [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md) +######## [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md) +####### [Test Your Migration](usmt/usmt-test-your-migration.md) +###### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md) +####### [ScanState Syntax](usmt/usmt-scanstate-syntax.md) +####### [LoadState Syntax](usmt/usmt-loadstate-syntax.md) +####### [UsmtUtils Syntax](usmt/usmt-utilities.md) +###### [USMT XML Reference](usmt/usmt-xml-reference.md) +####### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md) +####### [Config.xml File](usmt/usmt-configxml-file.md) +####### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md) +####### [Custom XML Examples](usmt/usmt-custom-xml-examples.md) +####### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md) +####### [General Conventions](usmt/usmt-general-conventions.md) +####### [XML File Requirements](usmt/xml-file-requirements.md) +####### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md) +####### [XML Elements Library](usmt/usmt-xml-elements-library.md) +###### [Offline Migration Reference](usmt/offline-migration-reference.md) + +### [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) +#### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) +#### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) +#### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) +#### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) +#### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) +#### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) +#### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) +#### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) +#### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) +#### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md) +#### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +#### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +#### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) +#### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) + +### [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) +#### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) +##### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) +##### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) +##### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) +#### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) +#### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) +#### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) +#### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) +#### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) +#### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) +#### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) +##### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) +##### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) +##### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) +##### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) +##### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) +##### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) +##### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) +##### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) +#### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) + +### [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) + +## Upgrade to Windows 10 ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Deploy Windows To Go in your organization](deploy-windows-to-go.md) @@ -55,47 +187,8 @@ ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) #### [Troubleshoot Upgrade Readiness](upgrade/troubleshoot-upgrade-readiness.md) -## [Step by step guide: Configure a test lab to deploy Windows 10](windows-10-poc.md) -### [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) -### [Deploy Windows 10 in a test lab using System Center Configuration Manager](windows-10-poc-sc-config-mgr.md) -## [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) -### [Get started with the Microsoft Deployment Toolkit (MDT)](deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md) -#### [Key features in MDT](deploy-windows-mdt/key-features-in-mdt.md) -#### [MDT Lite Touch components](deploy-windows-mdt/mdt-lite-touch-components.md) -#### [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md) -### [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) -### [Deploy a Windows 10 image using MDT](deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md) -### [Build a distributed environment for Windows 10 deployment](deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md) -### [Refresh a Windows 7 computer with Windows 10](deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md) -### [Replace a Windows 7 computer with a Windows 10 computer](deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md) -### [Perform an in-place upgrade to Windows 10 with MDT](upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md) -### [Configure MDT settings](deploy-windows-mdt/configure-mdt-settings.md) -#### [Set up MDT for BitLocker](deploy-windows-mdt/set-up-mdt-for-bitlocker.md) -#### [Configure MDT deployment share rules](deploy-windows-mdt/configure-mdt-deployment-share-rules.md) -#### [Configure MDT for UserExit scripts](deploy-windows-mdt/configure-mdt-for-userexit-scripts.md) -#### [Simulate a Windows 10 deployment in a test environment](deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md) -#### [Use the MDT database to stage Windows 10 deployment information](deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md) -#### [Assign applications using roles in MDT](deploy-windows-mdt/assign-applications-using-roles-in-mdt.md) -#### [Use web services in MDT](deploy-windows-mdt/use-web-services-in-mdt.md) -#### [Use Orchestrator runbooks with MDT](deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md) -## [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md) -### [Integrate Configuration Manager with MDT](deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) -### [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) -### [Create a custom Windows PE boot image with Configuration Manager](deploy-windows-sccm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md) -### [Add a Windows 10 operating system image using Configuration Manager](deploy-windows-sccm/add-a-windows-10-operating-system-image-using-configuration-manager.md) -### [Create an application to deploy with Windows 10 using Configuration Manager](deploy-windows-sccm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) -### [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) -### [Create a task sequence with Configuration Manager and MDT](deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) -### [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](deploy-windows-sccm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -### [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-sccm/deploy-windows-10-using-pxe-and-configuration-manager.md) -### [Monitor the Windows 10 deployment with Configuration Manager](deploy-windows-sccm/monitor-windows-10-deployment-with-configuration-manager.md) -### [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) -### [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](deploy-windows-sccm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) -### [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md) -## [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) -## [Convert MBR partition to GPT](mbr-to-gpt.md) -## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) -## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) +### [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade-errors.md) + ## [Update Windows 10](update/index.md) ### [Quick guide to Windows as a service](update/waas-quick-start.md) ### [Overview of Windows as a service](update/waas-overview.md) @@ -117,11 +210,17 @@ ### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) +### [Manage additional Windows Update settings](update/waas-wu-settings.md) ### [Windows Insider Program for Business](update/waas-windows-insider-for-business.md) #### [Windows Insider Program for Business using Azure Active Directory](update/waas-windows-insider-for-business-aad.md) #### [Windows Insider Program for Business Frequently Asked Questions](update/waas-windows-insider-for-business-faq.md) ### [Change history for Update Windows 10](update/change-history-for-update-windows-10.md) +## [Convert MBR partition to GPT](mbr-to-gpt.md) +## [Configure a PXE server to load Windows PE](configure-a-pxe-server-to-load-windows-pe.md) +## [Sideload apps in Windows 10](/windows/application-management/sideload-apps-in-windows-10) +## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) + ## [Volume Activation [client]](volume-activation/volume-activation-windows-10.md) ### [Plan for volume activation [client]](volume-activation/plan-for-volume-activation-client.md) ### [Activate using Key Management Service [client]](volume-activation/activate-using-key-management-service-vamt.md) @@ -130,91 +229,5 @@ ### [Monitor activation [client]](volume-activation/monitor-activation-client.md) ### [Use the Volume Activation Management Tool [client]](volume-activation/use-the-volume-activation-management-tool-client.md) ### [Appendix: Information sent to Microsoft during activation [client]](volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md) -## [Windows 10 Enterprise E3 in CSP Overview](windows-10-enterprise-e3-overview.md) -## [Windows 10 deployment tools reference](windows-10-deployment-tools-reference.md) -### [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) -### [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md) -### [Volume Activation Management Tool (VAMT) Technical Reference](volume-activation/volume-activation-management-tool.md) -#### [Introduction to VAMT](volume-activation/introduction-vamt.md) -#### [Active Directory-Based Activation Overview](volume-activation/active-directory-based-activation-overview.md) -#### [Install and Configure VAMT](volume-activation/install-configure-vamt.md) -##### [VAMT Requirements](volume-activation/vamt-requirements.md) -##### [Install VAMT](volume-activation/install-vamt.md) -##### [Configure Client Computers](volume-activation/configure-client-computers-vamt.md) -#### [Add and Manage Products](volume-activation/add-manage-products-vamt.md) -##### [Add and Remove Computers](volume-activation/add-remove-computers-vamt.md) -##### [Update Product Status](volume-activation/update-product-status-vamt.md) -##### [Remove Products](volume-activation/remove-products-vamt.md) -#### [Manage Product Keys](volume-activation/manage-product-keys-vamt.md) -##### [Add and Remove a Product Key](volume-activation/add-remove-product-key-vamt.md) -##### [Install a Product Key](volume-activation/install-product-key-vamt.md) -##### [Install a KMS Client Key](volume-activation/install-kms-client-key-vamt.md) -#### [Manage Activations](volume-activation/manage-activations-vamt.md) -##### [Perform Online Activation](volume-activation/online-activation-vamt.md) -##### [Perform Proxy Activation](volume-activation/proxy-activation-vamt.md) -##### [Perform KMS Activation](volume-activation/kms-activation-vamt.md) -##### [Perform Local Reactivation](volume-activation/local-reactivation-vamt.md) -##### [Activate an Active Directory Forest Online](volume-activation/activate-forest-vamt.md) -##### [Activate by Proxy an Active Directory Forest](volume-activation/activate-forest-by-proxy-vamt.md) -#### [Manage VAMT Data](volume-activation/manage-vamt-data.md) -##### [Import and Export VAMT Data](volume-activation/import-export-vamt-data.md) -##### [Use VAMT in Windows PowerShell](volume-activation/use-vamt-in-windows-powershell.md) -#### [VAMT Step-by-Step Scenarios](volume-activation/vamt-step-by-step.md) -##### [Scenario 1: Online Activation](volume-activation/scenario-online-activation-vamt.md) -##### [Scenario 2: Proxy Activation](volume-activation/scenario-proxy-activation-vamt.md) -##### [Scenario 3: KMS Client Activation](volume-activation/scenario-kms-activation-vamt.md) -#### [VAMT Known Issues](volume-activation/vamt-known-issues.md) -### [User State Migration Tool (USMT) Technical Reference](usmt/usmt-technical-reference.md) -#### [User State Migration Tool (USMT) Overview Topics](usmt/usmt-topics.md) -##### [User State Migration Tool (USMT) Overview](usmt/usmt-overview.md) -##### [Getting Started with the User State Migration Tool (USMT)](usmt/getting-started-with-the-user-state-migration-tool.md) -##### [Windows Upgrade and Migration Considerations](upgrade/windows-upgrade-and-migration-considerations.md) -#### [User State Migration Tool (USMT) How-to topics](usmt/usmt-how-to.md) -##### [Exclude Files and Settings](usmt/usmt-exclude-files-and-settings.md) -##### [Extract Files from a Compressed USMT Migration Store](usmt/usmt-extract-files-from-a-compressed-migration-store.md) -##### [Include Files and Settings](usmt/usmt-include-files-and-settings.md) -##### [Migrate Application Settings](usmt/migrate-application-settings.md) -##### [Migrate EFS Files and Certificates](usmt/usmt-migrate-efs-files-and-certificates.md) -##### [Migrate User Accounts](usmt/usmt-migrate-user-accounts.md) -##### [Reroute Files and Settings](usmt/usmt-reroute-files-and-settings.md) -##### [Verify the Condition of a Compressed Migration Store](usmt/verify-the-condition-of-a-compressed-migration-store.md) -#### [User State Migration Tool (USMT) Troubleshooting](usmt/usmt-troubleshooting.md) -##### [Common Issues](usmt/usmt-common-issues.md) -##### [Frequently Asked Questions](usmt/usmt-faq.md) -##### [Log Files](usmt/usmt-log-files.md) -##### [Return Codes](usmt/usmt-return-codes.md) -##### [USMT Resources](usmt/usmt-resources.md) -#### [User State Migration Toolkit (USMT) Reference](usmt/usmt-reference.md) -##### [USMT Requirements](usmt/usmt-requirements.md) -##### [USMT Best Practices](usmt/usmt-best-practices.md) -##### [How USMT Works](usmt/usmt-how-it-works.md) -##### [Plan Your Migration](usmt/usmt-plan-your-migration.md) -###### [Common Migration Scenarios](usmt/usmt-common-migration-scenarios.md) -###### [What Does USMT Migrate?](usmt/usmt-what-does-usmt-migrate.md) -###### [Choose a Migration Store Type](usmt/usmt-choose-migration-store-type.md) -####### [Migration Store Types Overview](usmt/migration-store-types-overview.md) -####### [Estimate Migration Store Size](usmt/usmt-estimate-migration-store-size.md) -####### [Hard-Link Migration Store](usmt/usmt-hard-link-migration-store.md) -####### [Migration Store Encryption](usmt/usmt-migration-store-encryption.md) -###### [Determine What to Migrate](usmt/usmt-determine-what-to-migrate.md) -####### [Identify Users](usmt/usmt-identify-users.md) -####### [Identify Applications Settings](usmt/usmt-identify-application-settings.md) -####### [Identify Operating System Settings](usmt/usmt-identify-operating-system-settings.md) -####### [Identify File Types, Files, and Folders](usmt/usmt-identify-file-types-files-and-folders.md) -###### [Test Your Migration](usmt/usmt-test-your-migration.md) -##### [User State Migration Tool (USMT) Command-line Syntax](usmt/usmt-command-line-syntax.md) -###### [ScanState Syntax](usmt/usmt-scanstate-syntax.md) -###### [LoadState Syntax](usmt/usmt-loadstate-syntax.md) -###### [UsmtUtils Syntax](usmt/usmt-utilities.md) -##### [USMT XML Reference](usmt/usmt-xml-reference.md) -###### [Understanding Migration XML Files](usmt/understanding-migration-xml-files.md) -###### [Config.xml File](usmt/usmt-configxml-file.md) -###### [Customize USMT XML Files](usmt/usmt-customize-xml-files.md) -###### [Custom XML Examples](usmt/usmt-custom-xml-examples.md) -###### [Conflicts and Precedence](usmt/usmt-conflicts-and-precedence.md) -###### [General Conventions](usmt/usmt-general-conventions.md) -###### [XML File Requirements](usmt/xml-file-requirements.md) -###### [Recognized Environment Variables](usmt/usmt-recognized-environment-variables.md) -###### [XML Elements Library](usmt/usmt-xml-elements-library.md) -##### [Offline Migration Reference](usmt/offline-migration-reference.md) -## [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) \ No newline at end of file + +## [Change history for Deploy, Upgrade and Update Windows 10](change-history-for-deploy-windows-10.md) \ No newline at end of file diff --git a/windows/deployment/images/security-update.png b/windows/deployment/images/security-update.png new file mode 100644 index 0000000000..f7ca20f34e Binary files /dev/null and b/windows/deployment/images/security-update.png differ diff --git a/windows/deployment/index.md b/windows/deployment/index.md index 2ef5fbaf96..b24224172e 100644 --- a/windows/deployment/index.md +++ b/windows/deployment/index.md @@ -9,34 +9,69 @@ localizationpriority: high author: greg-lindsay --- -# Deploy Windows 10 -Learn about deploying Windows 10 for IT professionals. + +
 |
+ A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/). | +
 |
+ A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/). | +
| |
+ A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/). | +
| |
+ A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/). | +
| |
+ A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/). | +
| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +
| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | +Update the PC using Windows Update/Windows Server Update Services. | +
| 45 - Diagrack.dll was not found. | +Update the PC using Windows Update/Windows Server Update Services. | +
| 46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work. | +Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | +
| 47 - **TelemetryProxyServer** is not present in key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | +**ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | +
| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | +**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. | +
Policy description
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits.
With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits, and it can have a maximum length of 20 digits.
Introduced
When disabled or not configured
Users can configure a startup PIN of any length between 4 and 20 digits.
Users can configure a startup PIN of any length between 6 and 20 digits.
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]------------------------- AceType:0x00
(ACCESS_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)
SACL: Not present |Only members of the local (built-in) Administrators group get access.| + +### Default values for earlier versions of Windows + +The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run. + +## Policy management + +This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log. + +### Audit only mode + +Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting. + +|Registry|Details| +|---|---| +|Path|HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa| +|Setting|RestrictRemoteSamAuditOnlyMode| +|Data Type|REG_DWORD| +|Value|1| +|Notes|This setting cannot be added or removed by using predefined Group Policy settings.
Administrators may create a custom policy to set the registry value if needed.
SAM responds dynamically to changes in this registry value without a reboot.
You can use the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script to parse the event logs, as explained in the next section.| + +### Related events + +There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM: +1. Dump event logs to a common share. +2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script. +3. Look for the following events:
+• For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table).
+• For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM. +4. Identify which security contexts are enumerating users or groups in the SAM database. +5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string. + +|Event ID|Event Message Text|Explanation | +|---|---|---| +|16962|"Remote calls to the SAM database are being restricted using the default security descriptor: %1.%n "
%2- "Default SD String:" |Emit event when registry SDDL is absent, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL).| +|16963|Message Text: "Remote calls to the SAM database are being restricted using the configured registry security descriptor: %1.%n"
%1 - "Registry SD String:" |Emit event when a new SDDL is read from the registry (either on startup or change) and is considered valid. The event includes the source and a copy of the queried SDDL. +|16964|"The registry security descriptor is malformed: %1.%n Remote calls to the SAM database are being restricted using the default security descriptor: %2.%n"
%1- "Malformed SD String:"
%2- "Default SD String:"|Emit event when registry SDDL is mal-formed, causing fallback to default hard-coded SDDL (event should include a copy of the default SDDL). +|16965|Message Text: "A remote call to the SAM database has been denied.%nClient SID: %1%n Network address: %2%n"
%1- "Client SID:" %2- "Client Network Address | Emit event when access is denied to a remote client. Event should include identity and network address of the client. +|16966|Audit Mode is enabled-
Message Text: "Audit only mode is now enabled for remote calls to the SAM database. SAM will log an event for clients who would have been denied access in normal mode. %n"|Emit event whenever training mode (see 16968) is enabled or disabled. +|16967|Audit Mode is disabled-
Message Text: "Audit only mode is now disabled for remote calls to the SAM database.%n For more information"|Emit event whenever training mode (see 16968) is enabled or disabled. +|16968| Message Text: "Audit only mode is currently enabled for remote calls to the SAM database.%n The following client would have been normally denied access:%nClient SID: %1 from network address: %2. %n"
%1- "Client SID:"
%2- "Client Network Address:"|Emit event when access would have been denied to a remote client, but was allowed through due to training mode being enabled. Event should include identity and network address of the client.| +|16969|Message Text: "%2 remote calls to the SAM database have been denied in the past %1 seconds throttling window.%n
"%1- "Throttle window:"
%2- "Suppressed Message Count:"| Throttling may be necessary for some events due to expected high volume on some servers causing the event log to wrap.
Note: There is no throttling of events when audit mode is enabled. Environments with a large number of low-privilege and anonymous querying of the remote database may see large numbers of events logged to the System log. For more info, see the [Event Throttling](#event-throttling) section. + +Compare the security context attempting to remotely enumerate accounts with the default security descriptor. Then edit the security descriptor to add accounts that require remote access. + +### Event Throttling +A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value. + +|Registry Path|System\CurrentControlSet\Control\Lsa\ +|---|---| +Setting |RestrictRemoteSamEventThrottlingWindow| +Data Type |DWORD| +|Value|seconds| +|Reboot Required?|No| +|Notes|**Default** is 900 seconds – 15mins.
The throttling uses a suppressed events counter which starts at 0 and gets incremented during the throttling window.
For example, X events were suppressed in the last 15 minutes.
The counter is restarted after the event 16969 is logged. + +### Restart requirement + +Restarts are not required to enable, disable or modify the **Network access: Restrict clients allowed to make remote calls to SAM security** policy setting, including audit only mode. Changes become effective without a device restart when they are saved locally or distributed through Group Policy. + +## Security considerations + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability +The SAMRPC protocol has a default security posture that makes it possible for low-privileged attackers to query a machine on the network for data that is critical to their further hacking and penetration plans.
+The following example illustrates how an attacker might exploit remote SAM enumeration: +1. A low-privileged attacker gains a foothold on a network. +2. The attacker then queries all machines on the network to determine which ones have a highly privileged domain user configured as a local administrator on that machine. +3. If the attacker can then find any other vulnerability on that machine that allows taking it over, the attacker can then squat on the machine waiting for the high-privileged user to logon and then steal or impersonate those credentials. + +### Countermeasure +You can mitigate this vulnerability by enabling the **Network access: Restrict clients allowed to make remote calls** to SAM security policy setting and configuring the SDDL for only those accounts that are explicitly allowed access. + +### Potential impact +If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode). + +## Related Topics +[Security Options](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/security-options) + +[SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b) + +
\ No newline at end of file diff --git a/windows/device-security/security-policy-settings/security-options.md b/windows/device-security/security-policy-settings/security-options.md index 2d25a87621..b4896738f7 100644 --- a/windows/device-security/security-policy-settings/security-options.md +++ b/windows/device-security/security-policy-settings/security-options.md @@ -82,6 +82,7 @@ For info about setting security policies, see [Configure security policy setting | [Network access: Remotely accessible registry paths](network-access-remotely-accessible-registry-paths.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Remotely accessible registry paths** security policy setting.| | [Network access: Remotely accessible registry paths and subpaths](network-access-remotely-accessible-registry-paths-and-subpaths.md)| Describes the best practices, location, values, and security considerations for the **Network access: Remotely accessible registry paths and subpaths** security policy setting. | | [Network access: Restrict anonymous access to Named Pipes and Shares](network-access-restrict-anonymous-access-to-named-pipes-and-shares.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict anonymous access to Named Pipes and Shares** security policy setting. | +| [Network access: Restrict clients allowed to make remote calls to SAM](network-access-restrict-clients-allowed-to-make-remote-sam-calls.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting. | | [Network access: Shares that can be accessed anonymously](network-access-shares-that-can-be-accessed-anonymously.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Shares that can be accessed anonymously** security policy setting. | | [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md)| Describes the best practices, location, values, policy management and security considerations for the **Network access: Sharing and security model for local accounts** security policy setting. | | [Network security: Allow Local System to use computer identity for NTLM](network-security-allow-local-system-to-use-computer-identity-for-ntlm.md)| Describes the location, values, policy management, and security considerations for the **Network security: Allow Local System to use computer identity for NTLM** security policy setting. | diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index bd6bc5f1e7..c0eb96f69d 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -25,7 +25,7 @@ #### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md) #### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md) #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md) -#### [View and organize the Machines view](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) +#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md) #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md) ##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts) ##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date) @@ -72,8 +72,10 @@ #### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md) #### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md) #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) +#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) +#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) -### [Windows Defender ATP service status](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) +### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) ### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) @@ -156,4 +158,4 @@ ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file +## [Change history for Threat Protection](change-history-for-threat-protection.md) diff --git a/windows/threat-protection/images/security-update.png b/windows/threat-protection/images/security-update.png new file mode 100644 index 0000000000..f7ca20f34e Binary files /dev/null and b/windows/threat-protection/images/security-update.png differ diff --git a/windows/threat-protection/images/wanna1.png b/windows/threat-protection/images/wanna1.png new file mode 100644 index 0000000000..e90d1cc12c Binary files /dev/null and b/windows/threat-protection/images/wanna1.png differ diff --git a/windows/threat-protection/images/wanna2.png b/windows/threat-protection/images/wanna2.png new file mode 100644 index 0000000000..7b4a1dcd97 Binary files /dev/null and b/windows/threat-protection/images/wanna2.png differ diff --git a/windows/threat-protection/images/wanna3.png b/windows/threat-protection/images/wanna3.png new file mode 100644 index 0000000000..9b0b176366 Binary files /dev/null and b/windows/threat-protection/images/wanna3.png differ diff --git a/windows/threat-protection/images/wanna4.png b/windows/threat-protection/images/wanna4.png new file mode 100644 index 0000000000..17fefde707 Binary files /dev/null and b/windows/threat-protection/images/wanna4.png differ diff --git a/windows/threat-protection/images/wanna5.png b/windows/threat-protection/images/wanna5.png new file mode 100644 index 0000000000..92ecf67d20 Binary files /dev/null and b/windows/threat-protection/images/wanna5.png differ diff --git a/windows/threat-protection/images/wanna6.png b/windows/threat-protection/images/wanna6.png new file mode 100644 index 0000000000..26824af34d Binary files /dev/null and b/windows/threat-protection/images/wanna6.png differ diff --git a/windows/threat-protection/images/wanna7.png b/windows/threat-protection/images/wanna7.png new file mode 100644 index 0000000000..634bd1449d Binary files /dev/null and b/windows/threat-protection/images/wanna7.png differ diff --git a/windows/threat-protection/images/wanna8.png b/windows/threat-protection/images/wanna8.png new file mode 100644 index 0000000000..59b42eb6f6 Binary files /dev/null and b/windows/threat-protection/images/wanna8.png differ diff --git a/windows/threat-protection/index.md b/windows/threat-protection/index.md index 77a4201aad..0f6aaa04b1 100644 --- a/windows/threat-protection/index.md +++ b/windows/threat-protection/index.md @@ -8,6 +8,15 @@ ms.pagetype: security author: brianlic-msft --- + +
| |
+ A wide-spread ransomware attack, known as "WannaCrypt," targets Windows systems that do not yet have the latest updates. Given the severity of this threat, immediately update your Windows systems. [Learn more](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/). | +
*Microsoft Malware Protection Center* + diff --git a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 90098f1ce1..d3a3a91d2b 100644 --- a/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -28,7 +28,7 @@ You can use a dedicated command-line tool to perform various functions in Window This utility can be useful when you want to automate the use of Windows Defender Antivirus. -The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt. +The utility is available in _%ProgramFiles%\Windows Defender\MpCmdRun.exe_ and must be run from a command prompt. > [!NOTE] > You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. @@ -51,6 +51,7 @@ Command | Description \-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures \-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature \-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) +\-SignatureUpdate [-UNC [-Path
+Key type is a string.
+Possible values are: +- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance +- Expedite - sets reporting frequency from the endpoint to Expedite mode + +The default value in case the registry key doesn’t exist is Normal. + ### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -82,7 +107,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -104,16 +129,20 @@ For security reasons, the package used to offboard endpoints will expire 30 days 9. Click **OK** and close any open GPMC windows. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ## Monitor endpoint configuration With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor endpoints using the portal 1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). -2. Click **Machines view**. +2. Click **Machines list**. 3. Verify that endpoints are appearing. > [!NOTE] -> It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. +> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. ## Related topics diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index d714ae09df..a17a666708 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -33,7 +33,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint Management** on the **Navigation pane**. + a. Select **Endpoint management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. @@ -80,7 +80,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre  -When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**. +When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**. You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - Onboarding @@ -99,12 +99,13 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. > - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703. +> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. ### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint Management** on the **Navigation pane**. + a. Select **Endpoint management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. @@ -156,7 +157,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -180,6 +181,8 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W > [!NOTE] > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 89f4c7887d..8406829b2f 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -39,7 +39,7 @@ You can use System Center Configuration Manager’s existing functionality to cr 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. @@ -61,7 +61,7 @@ This rule should be a *remediating* compliance rule configuration item that sets The configuration is set through the following registry key entry: -```text +``` Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -76,6 +76,31 @@ The default value in case the registry key doesn’t exist is 1. For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). +### Configure reporting frequency settings +Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. + +In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. + +> [!NOTE] +> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. + +For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. + +The configuration is set through the following registry key entry: + +``` +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "latency" +Value: Normal or Expedite +``` +Where:
+Key type is a string.
+Possible values are: +- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance +- Expedite - sets reporting frequency from the endpoint to Expedite mode + +The default value in case the registry key doesn’t exist is Normal. + ### Offboard endpoints @@ -86,7 +111,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -94,12 +119,14 @@ For security reasons, the package used to offboard endpoints will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ### Monitor endpoint configuration Monitoring with SCCM consists of two parts: diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 31b9b673c4..1bde6ab2f6 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -23,10 +23,13 @@ localizationpriority: high You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. +> [!NOTE] +> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). + ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **Local Script**, click **Download package** and save the .zip file. @@ -54,7 +57,7 @@ You can manually configure the sample sharing setting on the endpoint by using * The configuration is set through the following registry key entry: -```text +``` Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 @@ -76,7 +79,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -96,6 +99,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 5. Press the **Enter** key or click **OK**. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ## Monitor endpoint configuration You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running. @@ -104,7 +111,7 @@ Monitoring can also be done directly on the portal, or by using the different de ### Monitor endpoints using the portal 1. Go to the Windows Defender ATP portal. -2. Click **Machines view**. +2. Click **Machines list**. 3. Verify that endpoints are appearing. diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 2f6d228d47..6c9b1b4da5 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -77,7 +77,7 @@ netsh winhttp set proxy
```crl.microsoft.com```
```eu.vorte If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. - If you selected US as your region, you should permit anonymous traffic for URLs listed in both Central US and East US (2). - - If you selected EU as your region, you should permit anonymous traffic for URLs listed in both West Europe and North Europe. - ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md index e8de1cb1b4..07eb913511 100644 --- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md @@ -24,10 +24,12 @@ localizationpriority: high The **Dashboard** displays a snapshot of: - The latest active alerts on your network -- Machines reporting -- Top machines with active alerts -- The overall status of Windows Defender ATP for the past 30 days -- Machines with active malware detections +- Daily machines reporting +- Machines at risk +- Users at risk +- Machines with active malware alerts +- Sensor health +- Service health You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. @@ -38,7 +40,7 @@ It also has clickable tiles that give visual cues on the overall health state of ## ATP alerts You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. - + Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). @@ -51,9 +53,9 @@ This tile shows you a list of machines with the highest number of active alerts.  -Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). -You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). ## Users at risk The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). @@ -69,19 +71,20 @@ Active malware is defined as threats that were actively executing at the time of Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days. - + The chart is sorted into five categories: -- **Password stealer** - threats that attempt to steal credentials. - **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access. +- **Credential theft** - threats that attempt to steal credentials. - **Exploit** - threats that use software vulnerabilities to infect machines. -- **Threat** - all other threats that don't fit into the **Password stealer**, **Ransomware**, or **Exploit** categories. This includes trojans, worms, backdoors, and viruses. -- **Low severity** - threats with low severity, including adware and potentially unwanted software such as browser modifiers. +- **Backdoor** - threats that gives a malicious hacker access to and control of machines. +- **General** - threats that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. +- **PUA** - applications that install and perform undesirable activity without adequate user consent. Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk. -Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. +Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. > [!NOTE] > The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. @@ -93,21 +96,21 @@ The **Sensor health** tile provides information on the individual endpoint’s a There are two status indicators that provide information on the number of machines that are not reporting properly to the service: - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. -- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected. +- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). ## Service health The **Service health** tile informs you if the service is active or if there are issues.  -For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md). +For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). ## Daily machines reporting The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day. - + ## Related topics - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) @@ -115,8 +118,8 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 073acf1b34..a74dd4b020 100644 --- a/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -134,7 +134,7 @@ This step will guide you in simulating an event in connection to a malicious IP ## Step 4: Explore the custom alert in the portal This step will guide you in exploring the custom alert in the portal. -1. Open the [Windows Defender ATP portal](http: /securitycenter.windows.com/) on a browser. +1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser. 2. Log in with your Windows Defender ATP credentials. diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index a301137ca4..8b5493c587 100644 --- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D **Machine was offboarded** If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. -Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines Misconfigured machines can further be classified to: diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png new file mode 100644 index 0000000000..61ff260c38 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png new file mode 100644 index 0000000000..8cf482904e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png new file mode 100644 index 0000000000..ed3cf79941 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png new file mode 100644 index 0000000000..2b0253847e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png index dd7fe7dc4d..f62d84df10 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png new file mode 100644 index 0000000000..e46f058e86 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png new file mode 100644 index 0000000000..fd0625088a Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png index 219e958d7d..cfa3cbda3e 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png new file mode 100644 index 0000000000..3de8f88a28 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png new file mode 100644 index 0000000000..746d043732 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png index 2aa75b7dca..3336f8a1ac 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png and b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png index b82d66a85a..1face3083d 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png and b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png index cd43cdf607..c2b81ca99a 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png and b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/components.png b/windows/threat-protection/windows-defender-atp/images/components.png index 840f1cb0df..04ab864727 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/components.png and b/windows/threat-protection/windows-defender-atp/images/components.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/rules-legend.png b/windows/threat-protection/windows-defender-atp/images/rules-legend.png index a48783c6e3..7739ccfda2 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/rules-legend.png and b/windows/threat-protection/windows-defender-atp/images/rules-legend.png differ diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 58805fa39c..e456a18096 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -79,8 +79,8 @@ Selecting an alert detail brings up the **Details pane** where you'll be able to - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index d0e04eabe5..b107b3b042 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -49,8 +49,8 @@ The **Communication with URL in organization** section provides a chronological - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index e45a3d17d3..ebf5a67b89 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -57,8 +57,8 @@ This allows for greater accuracy in defining entities to display such as if and - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 1b792ae89e..b531ee93f6 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -57,8 +57,8 @@ Clicking any of the machine names will take you to that machine's view, where yo - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 5073e541f6..0c4eaeb6e2 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Investigate machines in the Windows Defender ATP Machines view -description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. +title: Investigate machines in the Windows Defender ATP Machines list +description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Investigate machines in the Windows Defender ATP Machines view +# Investigate machines in the Windows Defender ATP Machines list **Applies to:** @@ -26,7 +26,7 @@ Investigate the details of an alert raised on a specific machine to identify oth You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: -- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) - The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - Any individual alert @@ -97,7 +97,7 @@ You can also export detailed event data from the machine timeline to conduct off ### Navigate between pages Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to display 20, 50, or 100 events per page. You can also move between pages by clicking **Older** or **Newer**. -From the **Machines view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. +From the **Machines list**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure. @@ -117,7 +117,7 @@ This enhances the ‘in-context’ information across investigation and explorat - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index e0b1346b9e..9f45aa0817 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -69,7 +69,7 @@ You can filter the results by the following time periods: - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 4f1523a324..9dd0f7d8b2 100644 --- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -105,7 +105,7 @@ Each rule shows: - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 6eb46cb27f..82efa42cc1 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -41,9 +41,9 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. -> **Notes** -- You cannot change your data storage location after the first-time setup. -- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. +> [!NOTE] +> - You cannot change your data storage location after the first-time setup. +> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Endpoint hardware and software requirements @@ -68,7 +68,7 @@ The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to com For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . -Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section. +Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10. ### Telemetry and diagnostics settings You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization. diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 3e1b3c8a80..32b9dc366e 100644 --- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -45,14 +45,15 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text. **Feedback** -Access the feedback button to provide comments about the portal. **Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information. **Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**. +(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. +(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list. **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. -**Machines view** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. -**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. +**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. +**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. -**Endpoint Management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. -(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view. +**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. + ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index dab6725222..e2904380b5 100644 --- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -30,3 +30,5 @@ Topic | Description [Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products. [Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features. [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. +[Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution. +[Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application. diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index a22e882c62..597cefb9a1 100644 --- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -40,7 +40,7 @@ Topic | Description - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 6c8623a564..088b4ed61a 100644 --- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Check the Windows Defender ATP service status -description: Check Windows Defender ATP service status, see if the service is experiencing issues and review previous issues that have been resolved. -keywords: dashboard, service, issues, service status, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time +title: Check the Windows Defender ATP service health +description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. +keywords: dashboard, service, issues, service health, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Check the Windows Defender Advanced Threat Protection service status +# Check the Windows Defender Advanced Threat Protection service health **Applies to:** @@ -21,11 +21,11 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. -You can view details on the service status by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. +You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. The **Service health** details page has the following tabs: @@ -33,7 +33,7 @@ The **Service health** details page has the following tabs: - **Status History** ## Current issues -The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service status is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: +The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: - Date and time for when the issue was detected - A short description of the issue diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 85ad29fad8..6e7445cde4 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -24,12 +24,12 @@ localizationpriority: high You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. ## Troubleshoot onboarding when deploying with Group Policy Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. @@ -43,7 +43,7 @@ When onboarding endpoints using the following versions of System Center Configur Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console. -If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). +If the deployment fails, you can check the output of the script on the endpoints. If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. @@ -64,7 +64,7 @@ Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). 15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). @@ -82,13 +82,13 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key. | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index e614c969ca..6b8436e6ef 100644 --- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -44,7 +44,7 @@ Topic | Description [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach. [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses. [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain. -[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. +[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list. [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats. [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts. [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert. diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md index 5bcc8e1a05..3b756a14c7 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -342,6 +342,9 @@ After you've added the apps you want to protect with WIP, you'll need to apply a We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +>[!NOTE] +>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + **To add your protection mode** 1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. @@ -353,7 +356,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Mode |Description | |-----|------------| |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| - |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459).| + |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md index 59a4720f61..4dbf46f1e8 100644 --- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -339,10 +339,13 @@ After you've added the apps you want to protect with WIP, you'll need to apply a We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. +>[!NOTE] +>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + |Mode |Description | |-----|------------| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| -|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md index d00786a7cf..19071542aa 100644 --- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -82,7 +82,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. + - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media. @@ -123,18 +124,18 @@ Enterprise data is automatically encrypted after it’s loaded on a device from Your WIP policy includes a list of trusted apps that are allowed to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. +>[!NOTE] +>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + You can set your WIP policy to use 1 of 4 protection and management modes: |Mode|Description| |----|-----------| |Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| -|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| |Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.
**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
->[!NOTE]
->For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.