From 28fcf74b43190e649ce3140c622765482be83a32 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sat, 9 Jan 2021 17:33:49 +0100 Subject: [PATCH 1/4] Credential Guard: Windows 10 Enterprise required From issue ticket #8935 (**clarify enterprise sku**): > based on the discussion here #4025, the following confirmation from MSRC 61355 and the resulting PR #8435 - > > could this page also be updated to specifically list "Windows 10 Enterprise" in the requirements list, to avoid confusion from Windows 10 Pro/Home? Thanks to @rrsit for noticing and reporting the lack of clarity in this document. Changes proposed: - State _specifically_ that Credential Guard _supports_ and _requires_ Windows 10 **Enterprise** - Dictionary correction: "writeable" => 'writable' (2 occurrences; the 2017 table Description text, ending Note blob) Closes #8935 --- .../credential-guard/credential-guard-requirements.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 2e56e0803c..6768635d8f 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -20,7 +20,7 @@ ms.reviewer: ## Applies to -- Windows 10 +- Windows 10 Enterprise - Windows Server 2016 For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). @@ -135,7 +135,7 @@ The following table lists qualifications for Windows 10, version 1703, which are |Protections for Improved Security|Description|Security Benefits |---|---|---| -|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
- VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections must be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
(**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.| +|Firmware: **VBS enablement of No-Execute (NX) protection for UEFI runtime services**|**Requirements**:
- VBS will enable NX protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable. UEFI runtime service must meet these requirements:
- Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
- PE sections must be page-aligned in memory (not required for in non-volatile storage).
- The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
- All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both.
- No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writable and non-executable.
(**SEE IMPORTANT INFORMATION AFTER THIS TABLE**)|Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.| |Firmware: **Firmware support for SMM protection**|**Requirements**:
- The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an ACPI table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.|- Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
- Reduces the attack surface to VBS from system firmware.
- Blocks additional security attacks against SMM.| > [!IMPORTANT] @@ -148,7 +148,7 @@ The following table lists qualifications for Windows 10, version 1703, which are > > Please also note the following: > -> - Do not use sections that are both writeable and executable +> - Do not use sections that are both writable and executable > > - Do not attempt to directly modify executable system memory > From 821c2ac0c367f9eba6f3c51bb5b494816c942d8e Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 11 Jan 2021 14:31:09 +0200 Subject: [PATCH 2/4] change log level to debug --- .../microsoft-defender-atp/linux-resources.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 3b12f36855..2fc939ef09 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -36,20 +36,23 @@ If you can reproduce a problem, first increase the logging level, run the system 1. Increase logging level: ```bash - mdatp log level set --level verbose + mdatp log level set --level debug ``` + ```Output Log level configured successfully ``` 2. Reproduce the problem. -3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. +3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. ```bash sudo mdatp diagnostic create ``` + This command will also print out the file path to the backup after the operation succeeds: + ```Output Diagnostic file created: ``` @@ -59,6 +62,7 @@ If you can reproduce a problem, first increase the logging level, run the system ```bash mdatp log level set --level info ``` + ```Output Log level configured successfully ``` From f0f90ce9d474af605fc0786ecfab269ce0b6ec63 Mon Sep 17 00:00:00 2001 From: MatiG Date: Mon, 11 Jan 2021 14:45:52 +0200 Subject: [PATCH 3/4] adding edr cli documentation --- .../microsoft-defender-atp/linux-resources.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 2fc939ef09..fa1b975d62 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -128,6 +128,10 @@ The following table lists commands for some of the most common scenarios. Run `m |Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id [threat-id]` | |Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine remove --id [threat-id]` | |Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine restore --id [threat-id]` | +|Endpoint Detection and Response |Set early preview (unused) |`mdatp edr early-preview [enable|disable]` | +|Endpoint Detection and Response |Set group-id |`mdatp edr group-ids --group-id [group-id]` | +|Endpoint Detection and Response |Set/Remove tag, only `GROUP` supported |`mdatp edr tag set --name GROUP --value [tag]` | +|Endpoint Detection and Response |list exclusions (root) |`mdatp edr exclusion list [processes|paths|extensions|all]` | ## Microsoft Defender for Endpoint portal information From 330baaf27cdc43db275c1154478d92b6a96addcf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 11 Jan 2021 09:01:06 -0800 Subject: [PATCH 4/4] Update microsoft-defender-antivirus-compatibility.md --- .../microsoft-defender-antivirus-compatibility.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md index e2f17d8448..a487a3c18c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: pahuijbr, shwjha manager: dansimp -ms.date: 01/04/2021 +ms.date: 01/11/2021 --- # Microsoft Defender Antivirus compatibility @@ -71,7 +71,7 @@ The following table summarizes the functionality and features that are available |State |[Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | |--|--|--|--|--|--| |Active mode

|Yes |No |Yes |Yes |Yes | -|Passive mode |Yes |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | +|Passive mode |No |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | |[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No |