From 9d79c614ef3fd37d6763739aa8fbbb07e22df606 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Nov 2017 13:31:58 -0700 Subject: [PATCH 01/26] update to pre-reqs on actions --- ...windows-defender-advanced-threat-protection.md | 15 ++++++++++++--- ...windows-defender-advanced-threat-protection.md | 11 +++++------ 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 10734a86ca..db6ecc2b69 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -29,17 +29,26 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details on the Action center. ->[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. +>[!IMPORTANT] +>These response actions are only available for machines on Windows 10, version 1703 or later. You can also submit files for deep analysis to run the file in a secure cloud sandbox. When the analysis is complete, you'll get a detailed report that provides information about the behavior of the file. ## Stop and quarantine files in your network You can contain an attack in your organization by stopping the malicious process and quarantine the file where it was observed. +>[!IMPORTANT] +>You can only take this action if: +> - The machine you're taking the action on is running Windows 10, version 1703 or later +> - The file does not belong to the system or not signed by Microsoft +> - Windows Defender Antivirus must at least be running on Passive mode + The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10, version 1703 where the file was observed in the last 30 days. +The action takes effect on machines with the latest Windows 10, version 1703 and above where the file was observed in the last 30 days. + +>[!NOTE] +>You’ll be able to remove the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: 
diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index ffd0412eb8..dbed86a45a 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -24,20 +24,19 @@ ms.date: 10/17/2017 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. ->[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. - - +>[!IMPORTANT] +> These response actions are only available for PCs on Windows 10, version 1703 and above. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. +>[!IMPORTANT] +> This response action is only available for machines on Windows 10, version 1703 and above. + You can download the package (Zip file) and investigate the events that occurred on a machine. The package contains the following folders: From b24fe893325b29b09dba603cafcb03679064f090 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Wed, 1 Nov 2017 16:27:41 -0700 Subject: [PATCH 02/26] updates --- ...ile-alerts-windows-defender-advanced-threat-protection.md | 5 +++-- ...ine-alerts-windows-defender-advanced-threat-protection.md | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index db6ecc2b69..583a583988 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -107,8 +107,9 @@ You can roll back and remove a file from quarantine if you’ve determined that You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!NOTE] ->This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

-This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. This response action is available for machines on Windows 10, version 1703 or later. +>- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

+>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +>- This response action is only available for machines on Windows 10, version 1703 or later. >[!IMPORTANT] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index dbed86a45a..8d6f2ada9e 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -29,13 +29,13 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!IMPORTANT] -> These response actions are only available for PCs on Windows 10, version 1703 and above. +> These response actions are only available for PCs on Windows 10, version 1703 and later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. >[!IMPORTANT] -> This response action is only available for machines on Windows 10, version 1703 and above. +> This response action is only available for machines on Windows 10, version 1703 and later. You can download the package (Zip file) and investigate the events that occurred on a machine. From d2f2c7b515b72e1a1b1c31f293a8499c4a52db95 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Nov 2017 16:42:44 -0700 Subject: [PATCH 03/26] minor updates --- windows/threat-protection/TOC.md | 1 + ...le-alerts-windows-defender-advanced-threat-protection.md | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index ce3a47ceb7..3eb9dfc4fd 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -69,6 +69,7 @@ ###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network) ###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine) ###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network) +###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list) ###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center) ###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis) ####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 583a583988..a559e0f478 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -40,8 +40,8 @@ You can contain an attack in your organization by stopping the malicious process >[!IMPORTANT] >You can only take this action if: > - The machine you're taking the action on is running Windows 10, version 1703 or later -> - The file does not belong to the system or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode +> - The file does not belong to trusted third-party publishers or not signed by Microsoft +> - Windows Defender Antivirus must at least be running on Passive mode The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. @@ -79,7 +79,7 @@ When the file is being removed from an endpoint, the following notification is s In the machine timeline, a new event is added for each machine where a file was stopped and quarantined. ->[!NOTE] +>[!IMPORTANT] >The **Action** button is turned off for files signed by Microsoft as well as trusted third–party publishers to prevent the removal of critical system files and files used by important applications. ![Image of action button turned off](images/atp-file-action.png) From 0ce44c44e19625d51661c484b9a885426ad9d0f1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 1 Nov 2017 17:01:05 -0700 Subject: [PATCH 04/26] minor change --- ...file-alerts-windows-defender-advanced-threat-protection.md | 4 ++-- ...hine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index a559e0f478..20cd52d1c5 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -106,12 +106,12 @@ You can roll back and remove a file from quarantine if you’ve determined that ## Block files in your network You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. ->[!NOTE] +>[!IMPORTANT] >- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. >- This response action is only available for machines on Windows 10, version 1703 or later. ->[!IMPORTANT] +>[!NOTE] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 8d6f2ada9e..bbef37d999 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -29,7 +29,7 @@ ms.date: 10/17/2017 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!IMPORTANT] -> These response actions are only available for PCs on Windows 10, version 1703 and later. +> These response actions are only available for machines on Windows 10, version 1703 and later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. From 075074135adbbaabd51586097a07b3d682454a14 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Thu, 2 Nov 2017 11:10:13 -0700 Subject: [PATCH 05/26] updates on notes and important --- ...ndows-defender-advanced-threat-protection.md | 6 +++--- ...ndows-defender-advanced-threat-protection.md | 17 ++++++++++++++--- 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 20cd52d1c5..c346dc4ffe 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -41,7 +41,7 @@ You can contain an attack in your organization by stopping the malicious process >You can only take this action if: > - The machine you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode +> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. 
@@ -107,9 +107,9 @@ You can roll back and remove a file from quarantine if you’ve determined that You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. >[!IMPORTANT] ->- This feature is only available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

+>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).

>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. ->- This response action is only available for machines on Windows 10, version 1703 or later. +>- This response action is available for machines on Windows 10, version 1703 or later. >[!NOTE] > The PE file needs to be in the machine timeline for you to be able to take this action. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index bbef37d999..af19622d4a 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -35,7 +35,7 @@ Quickly respond to detected attacks by isolating machines or collecting an inves As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. >[!IMPORTANT] -> This response action is only available for machines on Windows 10, version 1703 and later. +> This response action is available for machines on Windows 10, version 1703 and later. You can download the package (Zip file) and investigate the events that occurred on a machine. 
@@ -88,8 +88,9 @@ The package contains the following folders: ## Run Windows Defender Antivirus scan on machines As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. ->[!NOTE] -> A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. +>[!IMPORTANT] +>- This action is available for machines on Windows 10, version 1709 and later. +>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. 1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: @@ -120,6 +121,11 @@ The machine timeline will include a new event, reflecting that a scan action was ## Restrict app execution In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. +>[!IMPORTANT] +> - This action is available for machines on Windows 10, version 1709 and later. +> - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). + + The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. >[!NOTE] 
@@ -170,6 +176,11 @@ Depending on the severity of the attack and the state of the machine, you can ch ## Isolate machines from the network Depending on the severity of the attack and the sensitivity of the machine, you might want to isolate the machine from the network. This action can help prevent the attacker from controlling the compromised machine and performing further activities such as data exfiltration and lateral movement. +>[!IMPORTANT] +>- Full isolation is available for machines on Windows 10, version 1703. +>- Selective isolation is available for machines on Windows 10, version 1709 and above. +>- + This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. On Windows 10, version 1710 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. From d465f6fd751cb04f7c96fc75fd71cd85fe2b1ff7 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 2 Nov 2017 12:50:52 -0700 Subject: [PATCH 06/26] fix link --- ...d-file-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index c346dc4ffe..8101839e92 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -41,7 +41,7 @@ You can contain an attack in your organization by stopping the malicious process >You can only take this action if: > - The machine you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft -> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility). +> - Windows Defender Antivirus must at least be running on Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. From c236872fc7c3f3a03ca9dcce0d4db69570ee4622 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 14:47:51 -0700 Subject: [PATCH 07/26] fiddling with svg --- .../windows-defender-antivirus-compatibility.md | 2 +- .../windows-defender-exploit-guard/images/svg/check-no.svg | 7 +++++++ .../images/svg/{check-yes.md => check-yes.svg} | 0 .../images/svg/check-yes.txt | 7 +++++++ 4 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg rename windows/threat-protection/windows-defender-exploit-guard/images/svg/{check-yes.md => check-yes.svg} (100%) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index b2d2890d2b..dc473a60bd 100644 
--- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg new file mode 100644 index 0000000000..89a87afa8b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt new file mode 100644 index 0000000000..483ff5fefc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file From 100f50a48374d74fed4367f277393e4c297baf1b Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 2 Nov 2017 15:58:44 -0700 Subject: [PATCH 08/26] svg --- .../windows-defender-antivirus-compatibility.md | 2 +- .../images/svg/{check-yes.svg => check-yes.md} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename windows/threat-protection/windows-defender-exploit-guard/images/svg/{check-yes.svg => check-yes.md} (100%) diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index dc473a60bd..8abaf116d0 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,7 +67,7 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | ![Check mark no](images/svg/check-no.svg) | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. 
| [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg rename to windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md From 7fa368519ae5709fecc0da34556ae34aac9e215b Mon Sep 17 00:00:00 2001 From: Trevor Stevens Date: Tue, 7 Nov 2017 12:39:27 -0500 Subject: [PATCH 09/26] Update firewall-csp.md Added missing slash to FirewallRules_FirewallRuleName_/Profiles --- windows/client-management/mdm/firewall-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index b15f378072..d3aec267c5 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -263,7 +263,7 @@ The following diagram shows the Firewall configuration service provider in tree

If not specified - a new rule is disabled by default.

Boolean value. Supported operations are Get and Replace.

-**FirewallRules_FirewallRuleName_/Profiles** +**FirewallRules/_FirewallRuleName_/Profiles**

Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.

If not specified, the default is All.

Value type is integer. Supported operations are Get and Replace.
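Review bot: the context line directly under the corrected heading still reads "Domain, Private, Public. . See [FW_PROFILE_TYPE]", with a stray ". ." before "See". Since this commit already touches the Profiles node, remove the extra period and space in the same change. The old heading ran FirewallRules and the rule-name placeholder together with no separator, so the other FirewallRules headings in firewall-csp.md should be checked for the same missing slash before this is merged.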

From 038a0821842c2cd0ab4e860446e5da17a82112c4 Mon Sep 17 00:00:00 2001 From: Trevor Stevens Date: Tue, 7 Nov 2017 15:33:09 -0500 Subject: [PATCH 10/26] Update firewall-csp.md Updated italics for FirewallRules/FirewallRuleName/InterfaceTypes --- windows/client-management/mdm/firewall-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index d3aec267c5..94f9d6bbf9 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -290,7 +290,7 @@ The following diagram shows the Firewall configuration service provider in tree

Value type is string. Supported operations are Get and Replace.

-**FirewallRules/FirewallRuleName/InterfaceTypes** +**FirewallRules/_FirewallRuleName_/InterfaceTypes**

Comma separated list of interface types. Valid values:

  • RemoteAccess
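Review bot: the remaining FirewallRules node headings in firewall-csp.md need the same check, because the changed line covers InterfaceTypes only and the previous patch in this series had to correct the Profiles heading separately. Any heading still written as FirewallRules/FirewallRuleName/... without the underscores presents the placeholder as a literal path segment that a reader could copy as is. Fix them all in one commit, and consider squashing this with the Profiles fix since both are one-line markup corrections to the same file.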
  • From b829576491a039eba086ceae3360dd07ebf2d8e3 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 12:52:52 -0800 Subject: [PATCH 11/26] updates to ASR exclusions to indicate which rules can't use them --- .../attack-surface-reduction-exploit-guard.md | 5 ++-- .../customize-attack-surface-reduction.md | 30 +++++++++++++++++-- .../enable-attack-surface-reduction.md | 6 ++-- .../images/svg/check-no.svg | 7 +++++ .../images/svg/check-yes.svg | 7 +++++ 5 files changed, 48 insertions(+), 7 deletions(-) create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg create mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 5173d88d30..7aed2de7ad 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -64,7 +64,7 @@ You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evalua The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: -Rule name | GUIDs +Rule name | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A @@ -93,7 +93,8 @@ This rule blocks the following file types from being run or launched from an ema - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files - +>[!IMPORTANT] +>Exclusions do not apply to this rule. ### Rule: Block Office applications from creating child processes 
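Review bot: the IMPORTANT note added at the end of the email client and webmail rule section has no counterpart under the other rules that this same patch marks as not honoring exclusions. The table added to customize-attack-surface-reduction.md shows "Check mark no" for four rules (email client and webmail, Office applications creating executable content, Office applications injecting into other processes, and the JavaScript and VBScript rule), but only the first gets a note here. Either add the note under the other three rule sections or correct the table so the two pages agree. The note would also be more useful as a link to the "Exclude files and folders" section of customize-attack-surface-reduction.md than as bare text.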
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index e68c054cde..da4006d74f 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -43,9 +43,35 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by Attack surface reduction rules. +You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. + +This could potentially allow unsafe files to run and infect your devices. + +>[!WARNING] +>Excluding files or folders can severly reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +> +>If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). + +You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions. + +Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. + +>[!IMPORTANT] +>Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). 
+ + +Rule description | Rule honors exclusions | GUID +-|- +Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D + +See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode). ### Use Group Policy to exclude files and folders diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index e4853782de..7c56eff7bf 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md 
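Review bot: in customize-attack-surface-reduction.md, the separator row of the new table is "-|-", two columns, under a three-column header (Rule description | Rule honors exclusions | GUID), so the table may not render as three columns; it should be "-|-|-". In the same table the first row uses [!include[Check mark no](images/svg/check-no.svg)] while the remaining rows use ![Check mark yes](images/svg/check-yes.svg) and ![Check mark no](images/svg/check-no.svg); pick one form for all rows. In the added WARNING, "severly" should be "severely".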
@@ -50,7 +50,7 @@ Attack surface reduction rules are identified by their unique rule ID. You can manually add the rules by using the GUIDs in the following table: -Rule description | GUIDs +Rule description | GUID -|- Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A @@ -62,7 +62,7 @@ Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DD See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable Attack surface reduction rules +### Use Group Policy to enable or audit Attack surface reduction rules 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -84,7 +84,7 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to - ### Use PowerShell to enable Attack surface reduction rules + ### Use PowerShell to enable or audit Attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg new file mode 100644 index 0000000000..89a87afa8b --- /dev/null +++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.svg @@ -0,0 +1,7 @@ + + Check mark no + + \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg new file mode 100644 index 0000000000..483ff5fefc --- /dev/null 
+++ b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.svg @@ -0,0 +1,7 @@ + + Check mark yes + + \ No newline at end of file From 9292352705422b4f1af31d889b2a02764d024405 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:44:47 -0800 Subject: [PATCH 12/26] update svg --- .../customize-attack-surface-reduction.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index da4006d74f..71d5e72d89 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -61,14 +61,14 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID --|- +-|-|- Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block Office applications from creating child processes | ![Check mark yes](images/svg/check-yes.svg) | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block execution of potentially obfuscated scripts | ![Check mark yes](images/svg/check-yes.svg) | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | ![Check mark yes](images/svg/check-yes.svg) | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | ![Check mark no](images/svg/check-no.svg) | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | ![Check mark no](images/svg/check-no.svg) | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | ![Check mark no](images/svg/check-no.svg) | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 imports from Macro code in Office | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | [!include[Check mark no](images/svg/check-no.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Impede JavaScript and VBScript to launch executables | [!include[Check mark no](images/svg/check-no.svg)] | 
D3E037E1-3EB8-44C8-A917-57927947596D See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 0cb54f4ee924f022cbf79b50d1fbf7f732436311 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:53:30 -0800 Subject: [PATCH 13/26] consistency to rule names --- .../attack-surface-reduction-exploit-guard.md | 6 +++++- .../customize-attack-surface-reduction.md | 10 +++++----- .../enable-attack-surface-reduction.md | 6 +++--- 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 7aed2de7ad..9bf3316aeb 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -117,14 +117,18 @@ Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. +>[!IMPORTANT] +>Exclusions do not apply to this rule. -### Rule: Block JavaScript ok VBScript From launching downloaded executable content +### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. +>[!IMPORTANT] +>Exclusions do not apply to this rule. ### Rule: Block execution of potentially obfuscated scripts 
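Review bot: the corrected heading in attack-surface-reduction-exploit-guard.md still capitalises "From" ("### Rule: Block JavaScript or VBScript From launching downloaded executable content"), while the tables updated in this same patch spell the rule "Block JavaScript or VBScript from launching downloaded executable content". Lowercase it here so the rule name matches across the three files, which is the stated aim of the commit. This hunk also adds two IMPORTANT notes about exclusions, a documentation change the subject line "consistency to rule names" does not mention; say so in the commit message or move the notes to their own commit.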
diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 71d5e72d89..8623e252d7 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
@@ -62,13 +62,13 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID -|-|- -Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | [!include[Check mark no](images/svg/check-no.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D +Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D +Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 See the [Attack surface 
reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. diff --git a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 7c56eff7bf..c147b811c2 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -55,10 +55,10 @@ Rule description | GUID Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 Block Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Impede JavaScript and VBScript to launch executables | D3E037E1-3EB8-44C8-A917-57927947596D +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 imports from Macro code in Office | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. From 0cf0214497e8c8f23254dfaf93f1ce9c94267194 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 13:58:21 -0800 Subject: [PATCH 14/26] update imp note about rules that don't allow exclusions --- .../attack-surface-reduction-exploit-guard.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 9bf3316aeb..79d18a0881 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -94,7 +94,7 @@ This rule blocks the following file types from being run or launched from an ema - Script archive files >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block Office applications from creating child processes @@ -118,7 +118,7 @@ This is typically used by malware to run malicious code in an attempt to hide th >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block JavaScript or VBScript From launching downloaded executable content @@ -128,7 +128,7 @@ This rule prevents these scripts from being allowed to launch apps, thus prevent >[!IMPORTANT] ->Exclusions do not apply to this rule. +>[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). ### Rule: Block execution of potentially obfuscated scripts From 2b2fb10044869a0c20965dc4853a7ae184de79b1 Mon Sep 17 00:00:00 2001 
From: Iaan D'Souza-Wiltshire Date: Thu, 9 Nov 2017 14:16:12 -0800 Subject: [PATCH 15/26] update svg files --- .../images/svg/check-no.md | 7 --- .../images/svg/check-no.svg} | 0 .../images/svg/check-yes.md | 7 --- .../images/svg/check-yes.svg} | 0 ...indows-defender-antivirus-compatibility.md | 6 +-- .../customize-attack-surface-reduction.md | 2 +- .../customize-exploit-protection.md | 52 +++++++++---------- .../images/svg/check-yes.txt | 7 --- 8 files changed, 30 insertions(+), 51 deletions(-) delete mode 100644 windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md rename windows/threat-protection/{windows-defender-exploit-guard/images/svg/check-no.md => windows-defender-antivirus/images/svg/check-no.svg} (100%) delete mode 100644 windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md rename windows/threat-protection/{windows-defender-exploit-guard/images/svg/check-yes.md => windows-defender-antivirus/images/svg/check-yes.svg} (100%) delete mode 100644 windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md deleted file mode 100644 index afa7a3d27d..0000000000 --- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.md +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark no - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-no.md rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-no.svg 
diff --git a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md deleted file mode 100644 index 4dd10553c4..0000000000 --- a/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.md +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md b/windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg similarity index 100% rename from windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.md rename to windows/threat-protection/windows-defender-antivirus/images/svg/check-yes.svg diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 8abaf116d0..ac10f8950b 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
@@ -67,9 +67,9 @@ This table indicates the functionality and features that are available in each s State | Description | [Real-time protection](configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | [Limited periodic scanning availability](limited-periodic-scanning-windows-defender-antivirus.md) | [File scanning and detection information](customize-run-review-remediate-scans-windows-defender-antivirus.md) | [Threat remediation](configure-remediation-windows-defender-antivirus.md) | [Threat definition updates](manage-updates-baselines-windows-defender-antivirus.md) :-|:-|:-:|:-:|:-:|:-:|:-: -Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | ![Check mark no](images/svg/check-no.svg) | [!include[Check mark yes](images/svg/check-yes.txt)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] -Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark no](images/svg/check-no.md)] -Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. 
Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] +Passive mode | Windows Defender AV will not be used as the antivirus app, and threats will not be remediated by Windows Defender AV. Files will be scanned and reports will be provided for threat detections which are shared with the Windows Defender ATP service. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] +Automatic disabled mode | Windows Defender AV will not be used as the antivirus app. Files will not be scanned and threats will not be remediated. | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark no](images/svg/check-no.svg)]] +Active mode | Windows Defender AV is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files will be scanned and threats remediated, and detection information will be reported in your configuration tool (such as Configuration Manager or the Windows Defender AV app on the machine itself). 
| [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 8623e252d7..421eef2058 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -61,7 +61,7 @@ Exclusions will only be applied to certain rules. Some rules will not honor the Rule description | Rule honors exclusions | GUID --|-|- +-|:-:|- Block Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B diff --git a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 40aebba1d3..6b1389f6dd 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
+++ b/windows/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md 
@@ -63,28 +63,28 @@ The **Use default** configuration for each of the mitigation settings indicates For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. Mitigation | Description | Can be applied to | Audit mode available -- | - | - | - -Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.md)] -Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. 
Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.md)] -Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. 
Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.md)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.md)] +- | - | - | :-: +Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations including those for system structures heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. 
| System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] +Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Do not allow child processes | Prevents an app from creating child processes. 
| App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] >[!IMPORTANT] >If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: 
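Review bot: The Code integrity guard row still reads "signed by Microsoft, WQL, and higher" on the added line. That looks like a typo for WHQL carried over from the removed line, and since every row is being rewritten for the .md to .svg include change, it should be corrected here. The Bottom-Up ASLR row likewise keeps "system structures heaps, stacks", which is missing a comma after "structures".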
@@ -92,10 +92,10 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi > >Enabled in **Program settings** | Enabled in **System settings** | Behavior >:-: | :-: | :-: ->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark no](images/svg/check-no.md)] | As defined in **Program settings** ->[!include[Check mark yes](images/svg/check-yes.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **Program settings** ->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | As defined in **System settings** ->[!include[Check mark no](images/svg/check-no.md)] | [!include[Check mark yes](images/svg/check-yes.md)] | Default as defined in **Use default** option +>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] | As defined in **Program settings** +>[!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **Program settings** +>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | As defined in **System settings** +>[!include[Check mark no](images/svg/check-no.svg)] | [!include[Check mark yes](images/svg/check-yes.svg)] | Default as defined in **Use default** option > > > diff --git a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt b/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt deleted file mode 100644 index 483ff5fefc..0000000000 --- a/windows/threat-protection/windows-defender-exploit-guard/images/svg/check-yes.txt +++ /dev/null @@ -1,7 +0,0 @@ - - Check mark yes - - \ No newline at end of file From 26665db1f0d3fe102af6bad0b9955f24d3d8c86f Mon Sep 17 00:00:00 2001 
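Review bot: In the Program settings / System settings matrix (hunk @@ -92,10 +92,10 @@), the third and fourth added rows have identical inputs, check-no then check-yes, but different Behavior values ("As defined in **System settings**" and "Default as defined in **Use default** option"). The fourth row presumably should be check-no in both columns; as written, the matrix never covers the case where the mitigation is enabled in neither place. The defect is carried over from the removed lines, so fix it while these rows are being touched.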
From: Joey Caparas Date: Thu, 9 Nov 2017 16:01:16 -0800 Subject: [PATCH 16/26] update to wdav reqs --- ...ile-alerts-windows-defender-advanced-threat-protection.md | 2 +- ...ine-alerts-windows-defender-advanced-threat-protection.md | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 8101839e92..9d43d529d6 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 11/10/2017 --- # Take response actions on a file diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index a7f615af1e..244613a878 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 11/10/2017 --- # Take response actions on a machine 
@@ -90,7 +90,8 @@ As part of the investigation or response process, you can remotely initiate an a >[!IMPORTANT] >- This action is available for machines on Windows 10, version 1709 and later. ->- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. +>- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). + 1. Select the machine that you want to run the scan on. You can select or search for a machine from any of the following views: From 2a690af06602471d349c67bac4aecc445cc563f0 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 9 Nov 2017 16:12:34 -0800 Subject: [PATCH 17/26] updates --- windows/threat-protection/TOC.md | 2 +- ...ts-windows-defender-advanced-threat-protection.md | 2 +- ...ts-windows-defender-advanced-threat-protection.md | 12 ++++++------ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 1646612a6a..e9db3c1bbe 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -60,7 +60,7 @@ #### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md) #### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md) ##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md) -###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package) +###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines) ###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines) ###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution) ###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction) diff --git a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 9d43d529d6..f5bdb18d2e 100644 --- a/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md 
@@ -45,7 +45,7 @@ You can contain an attack in your organization by stopping the malicious process The **Stop and Quarantine File** action includes stopping running processes, quarantining the files, and deleting persistency such as registry keys. -The action takes effect on machines with the latest Windows 10, version 1703 and above where the file was observed in the last 30 days. +The action takes effect on machines with Windows 10, version 1703 or later, where the file was observed in the last 30 days. >[!NOTE] >You’ll be able to remove the file from quarantine at any time. diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 244613a878..3ab0892e62 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -29,13 +29,13 @@ ms.date: 11/10/2017 Quickly respond to detected attacks by isolating machines or collecting an investigation package. After taking action on machines, you can check activity details on the Action center. >[!IMPORTANT] -> These response actions are only available for machines on Windows 10, version 1703 and later. +> These response actions are only available for machines on Windows 10, version 1703 or later. ## Collect investigation package from machines As part of the investigation or response process, you can collect an investigation package from a machine. By collecting the investigation package, you can identify the current state of the machine and further understand the tools and techniques used by the attacker. >[!IMPORTANT] -> This response action is available for machines on Windows 10, version 1703 and later. +> This response action is available for machines on Windows 10, version 1703 or later. You can download the package (Zip file) and investigate the events that occurred on a machine. @@ -89,7 +89,7 @@ The package contains the following folders: As part of the investigation or response process, you can remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised machine. >[!IMPORTANT] ->- This action is available for machines on Windows 10, version 1709 and later. +>- This action is available for machines on Windows 10, version 1709 or later. >- A Windows Defender Antivirus (Windows Defender AV) scan can run alongside other antivirus solutions, whether Windows Defender AV is the active antivirus solution or not. Windows Defender AV can be in Passive mode. For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). 
@@ -123,7 +123,7 @@ The machine timeline will include a new event, reflecting that a scan action was In addition to the ability of containing an attack by stopping malicious processes, you can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. >[!IMPORTANT] -> - This action is available for machines on Windows 10, version 1709 and later. +> - This action is available for machines on Windows 10, version 1709 or later. > - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). @@ -179,12 +179,12 @@ Depending on the severity of the attack and the sensitivity of the machine, you >[!IMPORTANT] >- Full isolation is available for machines on Windows 10, version 1703. ->- Selective isolation is available for machines on Windows 10, version 1709 and above. +>- Selective isolation is available for machines on Windows 10, version 1709 or later. >- This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 and above, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. From fcb1e46727b19587d0eba8ac2e13e685672c63f4 Mon Sep 17 00:00:00 2001 
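Review bot: In the isolation hunk (@@ -179,12 +179,12 @@), "Full isolation is available for machines on Windows 10, version 1703." is left as unchanged context while the neighbouring lines move to "1709 or later". If full isolation also applies to later releases, this bullet should read "version 1703 or later" to match the page-level note changed in the first hunk of this file; if it really is limited to 1703, say so explicitly.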
From: Maricia Alforque Date: Fri, 10 Nov 2017 17:43:31 +0000 Subject: [PATCH 18/26] Merged PR 4325: Policy CSP - updated description for AllowCortana policy removed section about Cortana in OOBE from AllowCortana policy in Policy CSP --- windows/client-management/mdm/policy-csp-experience.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index d01dd5566e..646d49acd0 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -175,14 +175,6 @@ ms.date: 11/01/2017

    Most restricted value is 0. -

    Benefit to the customer: - -

    Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. - -

    Sample scenario: - -

    An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. -


    From cd16f707d1385394a0881c5f5d9ae5b201e76e3c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 11:04:54 -0800 Subject: [PATCH 19/26] topic name updates --- windows/threat-protection/TOC.md | 4 ++-- ...mpatibility-windows-defender-advanced-threat-protection.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 85aa64621b..5ad254fd49 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -142,13 +142,13 @@ #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md) #### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md) #### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md) -#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) +#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md) #### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md) ### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md) ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md) ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md) -### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) +### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md) ## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md) ### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md) 
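Review bot: The Power BI entry is renamed to "Enable and create Power BI reports using Windows Defender ATP data", but powerbi-reports-windows-defender-advanced-threat-protection.md is not among the two files this patch changes, so the TOC label and the topic's own title can drift apart. The compatibility rename in the same hunk is paired with a title and H1 change in its topic file; do the same for the Power BI topic, or confirm its title already matches.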
diff --git a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index fbef87a600..d216067757 100644 --- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Antivirus compatibility +title: Windows Defender Antivirus compatibility with Windows Defender ATP description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, windows defender atp search.product: eADQiWindows 10XVcnh @@ -13,7 +13,7 @@ ms.localizationpriority: high ms.date: 10/17/2017 --- -# Windows Defender Antivirus compatibility +# Windows Defender Antivirus compatibility with Windows Defender ATP **Applies to:** From 9d98852bc4325e260bb113955b63053eb9c26e31 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Fri, 10 Nov 2017 13:08:43 -0800 Subject: [PATCH 20/26] include link to signup and add MSA ocid --- .../windows-defender-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 1fbdee219b..29fbde030a 100644 --- a/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
@@ -52,7 +52,7 @@ Windows Defender EG can be managed and reported on in the Windows Defender Secur - Windows Defender Device Guard - [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) -You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use the Windows Defender ATP console to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. Each of the features in Windows Defender EG have slightly different requirements: From 3bd595bd5b75ce487014cfe5ed6b2e972a1fdd3c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 13:17:09 -0800 Subject: [PATCH 21/26] fix typo --- ...achine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 3ab0892e62..1e620e9791 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
@@ -124,7 +124,7 @@ In addition to the ability of containing an attack by stopping malicious process >[!IMPORTANT] > - This action is available for machines on Windows 10, version 1709 or later. -> - This action needs to meet the Windows Defender Application Control code integrity policy formas and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). +> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. From bd5b31f73f8e4ecf89d47ca7f1b815c8d62bacd8 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 13:17:55 -0800 Subject: [PATCH 22/26] fix typo --- ...achine-alerts-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 1e620e9791..87f97bcd64 100644 --- a/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -180,7 +180,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you >[!IMPORTANT] >- Full isolation is available for machines on Windows 10, version 1703. >- Selective isolation is available for machines on Windows 10, version 1709 or later. ->- + This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. From e5896f3e4c80c0106743e48ed29d23e0f50d0b29 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 10 Nov 2017 21:19:39 +0000 Subject: [PATCH 23/26] Merged PR 4435: eUICCs CSP - new --- windows/client-management/mdm/TOC.md | 2 + windows/client-management/mdm/euiccs-csp.md | 87 +++++ .../client-management/mdm/euiccs-ddf-file.md | 343 ++++++++++++++++++ .../mdm/images/Provisioning_CSP_eUICCs.png | Bin 0 -> 14272 bytes .../mdm/images/provisioning-csp-euiccs.png | Bin 0 -> 14272 bytes ...ew-in-windows-mdm-enrollment-management.md | 8 + 6 files changed, 440 insertions(+) create mode 100644 windows/client-management/mdm/euiccs-csp.md create mode 100644 windows/client-management/mdm/euiccs-ddf-file.md create mode 100644 windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png create mode 100644 windows/client-management/mdm/images/provisioning-csp-euiccs.png diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index b23dc6e57b..46ae254e64 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md 
@@ -142,6 +142,8 @@ ### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) #### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md) #### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md) +### [eUICCs CSP](euiccs-csp.md) +#### [eUICCs DDF file](euiccs-ddf-file.md) ### [FileSystem CSP](filesystem-csp.md) ### [Firewall CSP](firewall-csp.md) #### [Firewall DDF file](firewall-ddf-file.md) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md new file mode 100644 index 0000000000..127aa77257 --- /dev/null +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -0,0 +1,87 @@ +--- +title: eUICCs CSP +description: eUICCs CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 11/01/2017 +--- + +# eUICCs CSP + + +The eUICCs configuration service provider... This CSP was added in windows 10, version 1709. + +The following diagram shows the eUICCs configuration service provider in tree format. + +![euiccs csp](images/provisioning-csp-euiccs.png) + +**./Vendor/MSFT/eUICCs** +Root node. + +**_eUICC_** +Interior node. Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + +Supported operation is Get. + +**_eUICC_/Identifier** +Required. Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + +Supported operation is Get. Value type is string. + +**_eUICC_/IsActive** +Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/Profiles** +Interior node. Required. Represents all enterprise-owned profiles. + +Supported operation is Get. + +**_eUICC_/Profiles/_ICCID_** +Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + +Supported operations are Add, Get, and Delete. + +**_eUICC_/Profiles/_ICCID_/ServerName** +Required. 
Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. + +Supported operations are Add and Get. Value type is string. + +**_eUICC_/Profiles/_ICCID_/MatchingID** +Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + +Supported operations are Add and Get. Value type is string. + +**_eUICC_/Profiles/_ICCID_/State** +Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + +Supported operation is Get. Value type is integer. Default value is 1. + +**_eUICC_/Policies** +Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile). + +Supported operation is Get. + +**_eUICC_/Policies/LocalUIEnabled** +Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + +Supported operations are Get and Replace. Value type is boolean. Default value is true. + +**_eUICC_/Actions** +Interior node. Required. Actions that can be performed on the eUICC as a whole (when it is active). + +Supported operation is Get. + +**_eUICC_/Actions/ResetToFactoryState** +Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + +Supported operation is Execute. Value type is string. + +**_eUICC_/Actions/Status** +Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + +Supported value is Get. Value type is integer. Default is 0. \ No newline at end of file diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md new file mode 100644 index 0000000000..d3d539c88e 
--- /dev/null +++ b/windows/client-management/mdm/euiccs-ddf-file.md 
@@ -0,0 +1,343 @@ +--- +title: eUICCs DDF file +description: eUICCs DDF file +ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 06/19/2017 +--- + +# eUICCs DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **eUICCs** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + eUICCs + ./Vendor/MSFT + + + + + Subtree for all embedded UICCs (eUICC) + + + + + + + + + + + + + + com.microsoft/1.0/MDM/eUICCs + + + + + + + + + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + + + + + + + + + + eUICC + + + + + + Identifier + + + + + Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + + + + + + + + + + + + + + text/plain + + + + + IsActive + + + + + Indicates whether this eUICC is physically present and active. Updated only by the LPA. + + + + + + + + + + + text/plain + + + + + Profiles + + + + + Represents all enterprise-owned profiles. + + + + + + + + + + + + + + + + + + + + + + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). + + + + + + + + + + ICCID + + + + + + ServerName + + + + + + Fully qualified domain name of the SM-DP+ that can download this profile. 
Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + text/plain + + + + + MatchingID + + + + + + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. + + + + + + + + + + + + + + text/plain + + + + + State + + + + + 1 + Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + + + Policies + + + + + Device policies associated with the eUICC as a whole (not per-profile). + + + + + + + + + + + + + + + LocalUIEnabled + + + + + + true + Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server. + + + + + + + + + + + text/plain + + + + + + Actions + + + + + Actions that can be performed on the eUICC as a whole (when it is active). + + + + + + + + + + + + + + + ResetToFactoryState + + + + + An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset. + + + + + + + + + + + text/plain + + + + + Status + + + + + 0 + Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors. + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file 
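Review bot: in euiccs-csp.md the diagram link `![euiccs csp](images/provisioning-csp-euiccs.png)` does not match the image this patch adds, `images/Provisioning_CSP_eUICCs.png` (different case, underscores instead of hyphens), so the tree diagram will not resolve on a case-sensitive host; rename the file or fix the link so the two agree. In the same file the intro still reads "The eUICCs configuration service provider... This CSP was added in windows 10", which needs a real one-sentence description and a capitalized "Windows", and the Status node says "Supported value is Get" where every other node says "Supported operation".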
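Review bot: the Description for ResetToFactoryState in euiccs-ddf-file.md (the same sentence is in euiccs-csp.md) says only that an EXECUTE "triggers the LPA to perform an eUICC Memory Reset", which leaves an administrator unable to tell what the action removes. Since the Profiles node is described as holding "all enterprise-owned profiles", state whether the reset is limited to those or clears everything on the eUICC. Separately, the front matter sets ms.date: 06/19/2017 on a file this patch creates, while euiccs-csp.md uses 11/01/2017; align the dates, and check that the ms.assetid is unique to this topic, since euiccs-csp.md carries none.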
diff --git a/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png b/windows/client-management/mdm/images/Provisioning_CSP_eUICCs.png new file mode 100644 index 0000000000000000000000000000000000000000..a4c67a8b7e6469ecf14d0a29392968d4dad6eed2 GIT binary patch literal 14272
[Firewall CSP](firewall-csp.md)

    Added new CSP in Windows 10, version 1709.

    + +[eUICCs CSP](euiccs-csp.md) +

    Added new CSP in Windows 10, version 1709.

    + [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) New CSP added in Windows 10, version 1709. Also added the DDF topic [WindowsDefenderApplicationGuard DDF file](windowsdefenderapplicationguard-ddf-file.md). @@ -1394,6 +1398,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  • Defender/ControlledFolderAccessProtectedFolders - string separator is |.
+ +[eUICCs CSP](euiccs-csp.md) +

Added new CSP in Windows 10, version 1709.

+ [AssignedAccess CSP](assignedaccess-csp.md)

Added SyncML examples for the new Configuration node.
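Review bot: both new eUICCs rows say only "Added new CSP in Windows 10, version 1709." and never mention the DDF topic, although this patch adds euiccs-ddf-file.md and the WindowsDefenderApplicationGuard row beside the first one does link its DDF file ("Also added the DDF topic ..."). Add the `[eUICCs DDF file](euiccs-ddf-file.md)` link to the eUICCs rows so the new topic is reachable from the change log as well as from the TOC.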

From 353aa363d5ff7b69c31b71b6e44d75ed6216e95d Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 10 Nov 2017 13:31:57 -0800 Subject: [PATCH 24/26] trial link --- ...s-non-windows-windows-defender-advanced-threat-protection.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 39feb6c290..706db3ef71 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -20,6 +20,8 @@ ms.date: 11/08/2017 - Linux - Windows Defender Advanced Threat Protection (Windows Defender ATP) +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) + [!include[Prerelease information](prerelease.md)] Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. From 89d2753d20867bf12dcf0dd2d0c5ae9c0a9f49b5 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Fri, 10 Nov 2017 15:12:44 -0800 Subject: [PATCH 25/26] toc typo --- windows/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 85aa64621b..986357c45a 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -165,7 +165,7 @@ #### [Deploy and enable Windows Defender Antivirus](windows-defender-antivirus\deploy-windows-defender-antivirus.md) ##### [Deployment guide for VDI environments](windows-defender-antivirus\deployment-vdi-windows-defender-antivirus.md) #### [Report on Windows Defender Antivirus protection](windows-defender-antivirus\report-monitor-windows-defender-antivirus.md) -##### [Troublehsoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) +##### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](windows-defender-antivirus\troubleshoot-reporting.md) #### [Manage updates and apply baselines](windows-defender-antivirus\manage-updates-baselines-windows-defender-antivirus.md) ##### [Manage protection and definition updates](windows-defender-antivirus\manage-protection-updates-windows-defender-antivirus.md) ##### [Manage when protection updates should be downloaded and applied](windows-defender-antivirus\manage-protection-update-schedule-windows-defender-antivirus.md) From 3376e1f446ce841b7812d015712de96ecbd972dc Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Sat, 11 Nov 2017 00:13:54 +0000 Subject: [PATCH 26/26] Updated .openpublishing.publish.config.json --- .openpublishing.publish.config.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index c1e7bc502b..96e3566542 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json 
@@ -466,8 +466,7 @@ "branches_to_filter": [ "" ], - "git_repository_url_open_to_public_contributors": "https://github.com/MicrosoftDocs/windows-itpro-docs", - "git_repository_branch_open_to_public_contributors": "master", + "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client", "skip_source_output_uploading": false, "need_preview_pull_request": true, "resolve_user_profile_using_github": true,
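Review bot: the value of git_repository_url_open_to_public_contributors changes from the github.com/MicrosoftDocs/windows-itpro-docs URL to https://cpubwin.visualstudio.com/_git/it-client and the git_repository_branch_open_to_public_contributors line is dropped, yet the commit message ("Updated .openpublishing.publish.config.json") gives no reason for either. Confirm that the setting meant for public contributors should point at the visualstudio.com repository and that people without access to it can still reach the source, and record the reason in the commit message. If the branch key is still needed by the publishing build, keep it alongside the new URL.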