diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md new file mode 100644 index 0000000000..5d728241b0 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -0,0 +1,209 @@ +--- +title: Deploying Certificates to Key Trust Users to Enable RDP +description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials +keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +audience: ITPro +author: mapalko +ms.author: mapalko +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 02/22/2021 +ms.reviewer: +--- + +# Deploying Certificates to Key Trust Users to Enable RDP + +**Applies To** + +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust + +Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. + +This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user. + +Three approaches are documented here: + +1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy. + +1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune. + +1. Working with non-Microsoft enterprise certificate authorities. + +## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy + +### Create a Windows Hello for Business certificate template + +1. Sign in to your issuing certificate authority (CA). + +1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc). + +1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list. + +1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console. + +1. Right-click the **Smartcard Logon** template and click **Duplicate Template** + + ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png) + +1. On the **Compatibility** tab: + 1. Clear the **Show resulting changes** check box + 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list + 1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list + +1. On the **General** tab: + 1. Specify a Template display name, such as **WHfB Certificate Authentication** + 1. Set the validity period to the desired value + 1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example). + +1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + +1. On the **Subject Name** tab: + 1. Select the **Build from this Active Directory** information button if it is not already selected + 1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected + 1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name** +1. On the **Request Handling** tab: + 1. Select the **Renew with same key** check box + 1. Set the Purpose to **Signature and smartcard logon** + 1. Click **Yes** when prompted to change the certificate purpose + 1. Click **Prompt the user during enrollment** + +1. On the **Cryptography** tab: + 1. Set the Provider Category to **Key Storage Provider** + 1. Set the Algorithm name to **RSA** + 1. Set the minimum key size to **2048** + 1. Select **Requests must use one of the following providers** + 1. Tick **Microsoft Software Key Storage Provider** + 1. Set the Request hash to **SHA256** + +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them . + +1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. + +1. Close the Certificate Templates console. + +1. Open an elevated command prompt and change to a temporary working directory. + +1. Execute the following command: + + certutil -dstemplate \ \> \.txt + + Replace \ with the Template name you took note of earlier in step 7. + +1. Open the text file created by the command above. + 1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.** + 1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"** + +1. Save the text file. + +1. Update the certificate template by executing the following command: + + certutil - dsaddtemplate \.txt + +1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue** + + ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png) + +1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list. + +1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**. + +### Requesting a Certificate + +1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. + +1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc). + +1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…** + + ![Request a new certificate](images/rdpcert/requestnewcertificate.png) + +1. On the Certificate Enrollment screen, click **Next**. + +1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**. + +1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**. + +1. After a successful certificate request, click Finish on the Certificate Installation Results screen + +## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune + +Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure). + +Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-trusted-root). + +Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows: + +1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). + +1. Navigate to Devices \> Configuration Profiles \> Create profile. + +1. Enter the following properties: + 1. For Platform, select **Windows 10 and later**. + 1. For Profile, select **SCEP Certificate**. + 1. Click **Create**. + +1. In **Basics**, enter the following parameters: + 1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company. + 1. **Description**: Enter a description for the profile. This setting is optional, but recommended. + 1. Select **Next**. + +1. In the **Configuration settings**, complete the following: + 1. For Certificate Type, choose **User**. + 1. For Subject name format, set it to **CN={{UserPrincipalName}}**. + 1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**. + 1. For Certificate validity period, set a value of your choosing. + 1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**. + 1. For Key usage, choose **Digital Signature**. + 1. For Key size (bits), choose **2048**. + 1. For Hash algorithm, choose **SHA-2**. + 1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate. + 1. Under Extended key usage, add the following: + + | Name | Object Identifier | Predefined Values | + |------|-------------------|-------------------| + | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon | + | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication | + + 1. For Renewal threshold (%), set a value of your choosing. + 1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure. + 1. Click **Next** +1. In Assignments, target the devices or users who should receive a certificate and click **Next** + +1. In Applicability Rules, provide additional issuance restrictions if required and click **Next** + +1. In Review + create, click **Create** + +Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps: + +1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc) + +1. In the left pane of the MMC, expand **Personal** and select **Certificates** + +1. In the right-hand pane of the MMC, check for the new certificate + +> [!NOTE] +> This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies. + +## Using non-Microsoft Enterprise Certificate Authorities + +If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificate-authority-add-scep-overview). + +As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet. + +The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate. + +## RDP Sign-in with Windows Hello for Business Certificate Authentication + +After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server. + +1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed. +1. Attempt an RDP session to a target server. +1. Use the certificate credential protected by your Windows Hello for Business gesture. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 0ebcd33ec5..73e443551f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -1,6 +1,6 @@ --- title: Remote Desktop -description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device. +description: Learn how Windows Hello for Business supports using biometrics with remote desktop keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP ms.prod: w10 ms.mktglfcycl: deploy @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/16/2020 +ms.date: 02/24/2021 ms.reviewer: --- diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png new file mode 100644 index 0000000000..174cf0a790 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png new file mode 100644 index 0000000000..028f06544c Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png new file mode 100644 index 0000000000..322a4fcbdc Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png differ diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 8a29bb7d81..5c90875208 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -103,6 +103,8 @@ href: hello-cert-trust-policy-settings.md - name: Managing Windows Hello for Business in your organization href: hello-manage-in-organization.md + - name: Deploying Certificates to Key Trust Users to Enable RDP + href: hello-deployment-rdp-certs.md - name: Windows Hello for Business Features items: - name: Conditional Access diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 99ac4ec111..7011ec1359 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -20,8 +20,8 @@ ms.technology: mde # Add or Remove Machine Tags API **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -90,7 +90,7 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md index b28c3e7902..a2dea0cd11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -26,8 +26,8 @@ ms.technology: mde >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index 3d5528fced..3b4db6f1dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -23,8 +23,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index dfd47ce5c3..2a6d8f2f4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -24,8 +24,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 85121c67e1..4929ff1813 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -23,8 +23,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 9d8a944f7b..0bcfe50830 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -24,8 +24,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 1f725b1953..d141ee9e5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index 2403e7dca0..7edd695042 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index e9bb4da83c..55f13a0d3d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index 8d7bb09379..3635672598 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 606738f0a5..916d598e74 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 469cf50647..320ebe9bcc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -23,9 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 3f8c20ce5c..d31ac843a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index 91bf57e992..1b465882bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -23,8 +23,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index 1a30b1c1d8..504278be97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -23,8 +23,9 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index 33b5554fd4..e6c86587d7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -23,8 +23,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md index e26443ea9d..e3a85cf831 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md index bee199aaa9..b7fc59eab2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md @@ -23,8 +23,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index bbbfb435dc..27f1b068e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md index ffff09c519..a2df5ec4b0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md @@ -23,8 +23,8 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md index 0ce701f20c..446dc8b08d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -24,8 +24,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) [Advanced hunting](advanced-hunting-overview.md) relies on data coming from across your organization. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 36e806bc85..5a3b9cc77f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -23,8 +23,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md index f1e57a9b92..60a963033b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -22,8 +22,8 @@ ms.technology: mde # Take action on advanced hunting query results **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) + > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 5fe6c98c25..69d806e699 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -25,8 +25,7 @@ ms.technology: mde [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037) > Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) @@ -38,8 +37,8 @@ Topic | Description [View and organize the Alerts queue](alerts-queue.md) | Shows a list of alerts that were flagged in your network. [Manage alerts](manage-alerts.md) | Learn about how you can manage alerts such as change its status, assign it to a security operations member, and see the history of an alert. [Investigate alerts](investigate-alerts.md)| Investigate alerts that are affecting your network, understand what they mean, and how to resolve them. -[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behaviour, or event. -[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behaviour, or event. +[Investigate files](investigate-files.md)| Investigate the details of a file associated with a specific alert, behavior, or event. +[Investigate devices](investigate-machines.md)| Investigate the details of a device associated with a specific alert, behavior, or event. [Investigate an IP address](investigate-ip.md) | Examine possible communication between devices in your network and external internet protocol (IP) addresses. [Investigate a domain](investigate-domain.md) | Investigate a domain to see if devices and servers in your network have been communicating with a known malicious domain. [Investigate a user account](investigate-user.md) | Identify user accounts with the most active alerts and investigate cases of potential compromised credentials.