Merge branch 'master' into lsaldanha-4620497-batch3

This commit is contained in:
Lovina Saldanha 2021-01-06 11:16:19 +05:30 committed by GitHub
commit c0cd929eec
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
33 changed files with 720 additions and 133 deletions

View File

@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
> [!NOTE]
> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern
> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
Sample value for this node to enable this policy is:
```xml
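Review bot: The two `> [!NOTE]` blocks in this hunk are adjacent with no blank line between them; markdown merges consecutive `>` lines into a single blockquote, so the HSTI/Modern Standby note would render inside the manage-bde note rather than as its own alert. Put a blank line between the two blocks. The content is worth keeping prominent: on devices that pass HSTI validation or are Modern Standby, this CSP cannot set a startup PIN, so an administrator who expects the policy to enforce a PIN needs to verify that users actually configured one.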

View File

@ -302,6 +302,7 @@
##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md)
##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md)
##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md)
##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md)
#### [Privacy](microsoft-defender-atp/linux-privacy.md)

View File

@ -156,7 +156,7 @@ This event generates when a logon session is created (on destination machine). I
| `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. |
| `13` | `CachedUnlock` | Workstation logon. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.

View File

@ -11,9 +11,9 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer: pahuijbr
ms.reviewer: pahuijbr, shwjha
manager: dansimp
ms.date: 12/20/2020
ms.date: 01/04/2021
---
# Microsoft Defender Antivirus compatibility
@ -47,7 +47,7 @@ The following table summarizes what happens with Microsoft Defender Antivirus wh
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | Yes | Active mode |
| Windows Server 2016 or 2019 | Microsoft Defender Antivirus | No | Active mode |
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive or disabled mode automatically when you install non-Microsoft antivirus product. In those cases, [disable Microsoft Defender Antivirus, or set it to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-uninstall-microsoft-defender-antivirus) to prevent problems caused by having multiple antivirus products installed on a server.
(<a id="fn1">1</a>) On Windows Server 2016 or 2019, Microsoft Defender Antivirus does not enter passive mode automatically when you install a non-Microsoft antivirus product. In those cases, [set Microsoft Defender Antivirus to passive mode](microsoft-defender-antivirus-on-windows-server-2016.md#need-to-set-microsoft-defender-antivirus-to-passive-mode) to prevent problems caused by having multiple antivirus products installed on a server.
If you are using Windows Server, version 1803 or Windows Server 2019, you set Microsoft Defender Antivirus to passive mode by setting this registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
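Review bot: The rewritten footnote drops the "disable" option and recommends only passive mode, which is the safer guidance, and its new anchor `#need-to-set-microsoft-defender-antivirus-to-passive-mode` matches the heading renamed elsewhere in this commit. The unchanged sentence that follows still reads "you set Microsoft Defender Antivirus to passive mode by setting this registry key"; suggest "you can set Microsoft Defender Antivirus to passive mode by setting the following registry key" so it matches the wording used in the server article.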

View File

@ -10,8 +10,8 @@ ms.sitesec: library
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 12/17/2020
ms.reviewer: pahuijbr
ms.date: 01/04/2021
ms.reviewer: pahuijbr, shwjha
manager: dansimp
---
@ -34,19 +34,13 @@ While the functionality, configuration, and management are largely the same for
The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps:
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019)
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019)
2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running)
3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence)
4. (As needed) [Submit samples](#submit-samples)
5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions)
6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus)
1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019).
2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019).
3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running).
4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence).
5. (As needed) [Submit samples](#submit-samples).
6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions).
7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode).
## Enable the user interface on Windows Server 2016 or 2019
@ -171,11 +165,11 @@ To help ensure security and performance, certain exclusions are automatically ad
See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md).
## Need to uninstall Microsoft Defender Antivirus?
## Need to set Microsoft Defender Antivirus to passive mode?
If you are using a non-Microsoft antivirus product as your primary antivirus solution, you can either disable Microsoft Defender Antivirus, or set it to passive mode, as described in the following procedures.
If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode.
### Set Microsoft Defender Antivirus to passive mode
### Set Microsoft Defender Antivirus to passive mode using a registry key
If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key:
- Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
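Review bot: Renaming the heading removes the `#need-to-uninstall-microsoft-defender-antivirus` anchor that other pages linked to (the compatibility article is updated in this same commit, but any other page still pointing at the old anchor will silently land at the top of the page); grep the repository for the old anchor before merging. The new heading "Set Microsoft Defender Antivirus to passive mode using a registry key" is clearer than the previous one, since it names the mechanism.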
@ -193,17 +187,6 @@ If you are using Windows Server, version 1803 or Windows Server 2019, you can se
Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature.
### Disable Microsoft Defender Antivirus using PowerShell
>[!NOTE]
>You can't uninstall the Windows Security app, but you can disable the interface with these instructions.
The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016 or 2019:
```PowerShell
Uninstall-WindowsFeature -Name Windows-Defender
```
### Turn off the Microsoft Defender Antivirus user interface using PowerShell
To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet:
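Review bot: With the "Disable Microsoft Defender Antivirus using PowerShell" section and its `Uninstall-WindowsFeature -Name Windows-Defender` cmdlet removed, the context line at the top of this hunk ("the user interface cannot be enabled if you disable the core Windows Defender feature") now refers to a procedure the page no longer describes; reword it to refer to passive mode or drop it. The removal itself is the right call: uninstalling the feature leaves the server with no fallback engine, whereas passive mode keeps Microsoft Defender Antivirus installed and allows a return to active mode if the third-party product is removed.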

View File

@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: article
---
@ -26,28 +26,30 @@ ms.topic: article
- Azure Active Directory
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink)
Refer to the instructions below to use basic permissions management.
Refer to the instructions below to use basic permissions management.
You can use either of the following solutions:
- Azure PowerShell
- Azure portal
- Azure portal
For granular control over permissions, [switch to role-based access control](rbac.md).
## Assign user access using Azure PowerShell
You can assign users with one of the following levels of permissions:
- Full access (Read and Write)
- Read-only access
### Before you begin
- Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/).<br>
> [!NOTE]
> You need to run the PowerShell cmdlets in an elevated command-line.
- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx).
- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0).
**Full access** <br>
Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package.
@ -61,19 +63,23 @@ Assigning read-only access rights requires adding the users to the "Security Rea
Use the following steps to assign security roles:
- For **read and write** access, assign users to the security administrator role by using the following command:
```text
```PowerShell
Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com"
```
- For **read-only** access, assign users to the security reader role by using the following command:
```text
```PowerShell
Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com"
```
For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups).
For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal).
## Assign user access using the Azure portal
For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal).
## Related topic
- [Manage portal access using RBAC](rbac.md)
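Review bot: The "Before you begin" step links to the Azure PowerShell installation guide, but the cmdlets used on this page (`Connect-MsolService`, `Add-MsolRoleMember`) come from the MSOnline module, as the `azureadps-1.0` path in the updated link shows; a reader who installs only Azure PowerShell will not have them. State which module to install (for example `Install-Module MSOnline`) in that step. Changing the fences from `text` to `PowerShell` and fixing "uses" to "users" in the portal link are both correct.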

View File

@ -46,12 +46,13 @@ Permission type | Permission | Permission display name
Application | Ip.Read.All | 'Read IP address profiles'
Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles'
>[!Note]
>[!NOTE]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
## HTTP request
```
```http
GET /api/ips/{ip}/stats
```
@ -75,7 +76,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no
Here is an example of the request.
```
```http
GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
```
@ -84,7 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
Here is an example of the response.
```
```http
HTTP/1.1 200 OK
Content-type: application/json
{
@ -95,3 +96,13 @@ Content-type: application/json
"orgLastSeen": "2017-08-29T13:32:59Z"
}
```
| Name | Description |
| :--- | :---------- |
| Org prevalence | the distinct count of devices that opened network connection to this IP. |
| Org first seen | the first connection for this IP in the organization. |
| Org last seen | the last connection for this IP in the organization. |
> [!NOTE]
> This statistic information is based on data from the past 30 days.
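Review bot: The new table's Name column uses display labels ("Org prevalence", "Org first seen", "Org last seen") while the response body uses camelCase property names (`"orgLastSeen"` is visible in the sample response); list the JSON property names in the Name column, or add them, so each row can be matched to the field it describes, and capitalize the start of each description. Moving the 30-day note directly under the table is a good placement, since it qualifies all three values.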

View File

@ -24,7 +24,6 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
@ -37,8 +36,29 @@ To test if Defender for Endpoint for Linux can communicate to the cloud with the
mdatp connectivity test
```
expected output:
```output
Testing connection with https://cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://eu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://wu-cdn.x.cp.wd.microsoft.com/ping ... [OK]
Testing connection with https://x.cp.wd.microsoft.com/api/report ... [OK]
Testing connection with https://winatp-gw-cus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-eus.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-weu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-neu.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-ukw.microsoft.com/test ... [OK]
Testing connection with https://winatp-gw-uks.microsoft.com/test ... [OK]
Testing connection with https://eu-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://us-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://uk-v20.events.data.microsoft.com/ping ... [OK]
Testing connection with https://v20.events.data.microsoft.com/ping ... [OK]
```
If the connectivity test fails, check if the device has Internet access and if [any of the endpoints required by the product](microsoft-defender-atp-linux.md#network-connections) are blocked by a proxy or firewall.
Failures with curl error 35 or 60, indicate certificate pinning rejection. Please check if the connection is under SSL or HTTPS inspection. If so, add Microsoft Defender for Endpoint to the allow list.
## Troubleshooting steps for environments without proxy or with transparent proxy
To test that a connection is not blocked in an environment without a proxy or with a transparent proxy, run the following command in the terminal:
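Review bot: "Failures with curl error 35 or 60, indicate certificate pinning rejection" has a stray comma after "60", and "Please check" should be "Check" for docs style. The advice to "add Microsoft Defender for Endpoint to the allow list" is too vague for the failure it describes: if an inspecting proxy still terminates TLS for these hostnames, the pinned certificate check will keep failing, so say explicitly that the endpoints listed in the expected output above must be excluded from SSL/HTTPS inspection. The expected output block is a useful addition because it enumerates those endpoints in one place.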

View File

@ -0,0 +1,94 @@
---
title: Troubleshoot missing events or alerts issues for Microsoft Defender ATP for Linux
description: Troubleshoot missing events or alerts issues in Microsoft Defender ATP for Linux.
keywords: microsoft, defender, atp, linux, events
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: dansimp
author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
mms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
---
# Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint for Linux
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
This article provides some general steps to mitigate missing events or alerts in the [security center](https://securitycenter.windows.com/) portal.
Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal and _File_, _Process_, _Network_ and other events should appear in the timeline and advanced hunting pages.
In case events are not appearing or some types of events are missing, that could indicate some problem.
## Missing network and login events
Microsoft Defender for Endpoint utilized `audit` framework from linux to track network and login activity.
1. Make sure audit framework is working.
```bash
service auditd status
```
expected output:
```output
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 16666 (auditd)
Tasks: 25
CGroup: /system.slice/auditd.service
├─16666 /sbin/auditd
├─16668 /sbin/audispd
├─16670 /usr/sbin/sedispatch
└─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
```
2. If auditd is stopped, please start it.
```bash
service auditd start
```
**On SLES15** systems, SYSCALL auditing in `auditd` is disabled by default and can explain missing events.
1. To validate that SYSCALL auditing is not disabeld, list the current audit rules:
```bash
sudo auditctl -l
```
if the following line is present, please remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs.
```output
-a task, never
```
audit rules are located at `/etc/audit/rules.d/audit.rules`.
## Missing file events
File events are collected with `fanotify` framework. In case some or all file events are missing please make sure fanotify is enabled on the device and that the file system is [supported](microsoft-defender-atp-linux.md#system-requirements).
List the filesystems on the machine with:
```bash
df -Th
```
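Review bot: `mms.collection:` in the front matter should be `ms.collection:`; as written the key is unknown to the build and the two collection tags will not apply. The "expected output" for `service auditd status` contains `ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)`, which is a rule-loading failure rather than a healthy baseline; either capture clean output or point out that this line means the audit rules did not load and the `mdatp_audisp_plugin` consumer will not receive the events it expects. Smaller items: "utilized `audit` framework from linux" should read "uses the Linux `audit` framework"; "disabeld" should be "disabled"; the numbered list under "On SLES15" restarts at "1."; the rule in audit.rules is written `-a task,never` with no space after the comma, so the sample `-a task, never` will not match what readers see or grep for; and the page title says "Microsoft Defender ATP" while the H1 says "Microsoft Defender for Endpoint".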

View File

@ -24,7 +24,6 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
@ -36,9 +35,11 @@ An error in installation may or may not result in a meaningful error message by
```bash
sudo journalctl | grep 'microsoft-mdatp' > installation.log
```
```bash
grep 'postinstall end' installation.log
```
```Output
microsoft-mdatp-installer[102243]: postinstall end [2020-03-26 07:04:43OURCE +0000] 102216
```
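Review bot: The sample output line `postinstall end [2020-03-26 07:04:43OURCE +0000]` contains "OURCE" inside the timestamp, which looks like a paste artifact; readers comparing their own `installation.log` line against it will wonder what they are missing. Splitting the two commands into separate `bash` fences is fine.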
@ -47,6 +48,20 @@ An output from the previous command with correct date and time of installation i
Also check the [Client configuration](linux-install-manually.md#client-configuration) to verify the health of the product and detect the EICAR text file.
## Make sure you have the correct package
Please mind that the package you are installing is matching the host distribution and version.
| package | distribution |
|-------------------------------|------------------------------------------|
| mdatp-rhel8.Linux.x86_64.rpm | Oracle, RHEL and CentOS 8.x |
| mdatp-sles12.Linux.x86_64.rpm | SuSE Linux Enterprise Server 12.x |
| mdatp-sles15.Linux.x86_64.rpm | SuSE Linux Enterprise Server 15.x |
| mdatp.Linux.x86_64.rpm | Oracle, RHEL and CentOS 7.x |
| mdatp.Linux.x86_64.deb | Debian and Ubuntu 16.04, 18.04 and 20.04 |
For [manual deployment](linux-install-manually.md), make sure the correct distro and version had been chosen.
## Installation failed
Check if the mdatp service is running:
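Review bot: "make sure the correct distro and version had been chosen" should read "has been chosen", and "Please mind that the package you are installing is matching" should be "Make sure the package you are installing matches". In the table, "SuSE" should be "SUSE", and the last row "Debian and Ubuntu 16.04, 18.04 and 20.04" reads as though those version numbers apply to Debian as well; separate the Debian entry or list its supported versions explicitly.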
@ -54,6 +69,7 @@ Check if the mdatp service is running:
```bash
systemctl status mdatp
```
```Output
● mdatp.service - Microsoft Defender for Endpoint
Loaded: loaded (/lib/systemd/system/mdatp.service; enabled; vendor preset: enabled)
@ -69,47 +85,59 @@ systemctl status mdatp
## Steps to troubleshoot if mdatp service isn't running
1. Check if "mdatp" user exists:
```bash
id "mdatp"
```
If theres no output, run
```bash
sudo useradd --system --no-create-home --user-group --shell /usr/sbin/nologin mdatp
```
2. Try enabling and restarting the service using:
```bash
sudo systemctl enable mdatp
```
```bash
sudo systemctl restart mdatp
```
3. If mdatp.service isn't found upon running the previous command, run:
```bash
sudo cp /opt/microsoft/mdatp/conf/mdatp.service <systemd_path>
```
where ```<systemd_path>``` is
```/lib/systemd/system``` for Ubuntu and Debian distributions and
```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES.
```/usr/lib/systemd/system``` for Rhel, CentOS, Oracle and SLES.
Then rerun step 2.
4. If the above steps dont work, check if SELinux is installed and in enforcing mode. If so, try setting it to permissive (preferably) or disabled mode. It can be done by setting the parameter `SELINUX` to "permissive" or "disabled" in `/etc/selinux/config` file, followed by reboot. Check the man-page of selinux for more details.
Now try restarting the mdatp service using step 2. Revert the configuration change immediately though for security reasons after trying it and reboot.
5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`.
5. If `/opt` directory is a symbolic link, create a bind mount for `/opt/microsoft`.
6. Ensure that the daemon has executable permission.
```bash
ls -l /opt/microsoft/mdatp/sbin/wdavdaemon
```
```Output
-rwxr-xr-x 2 root root 15502160 Mar 3 04:47 /opt/microsoft/mdatp/sbin/wdavdaemon
```
If the daemon doesn't have executable permissions, make it executable using:
```bash
sudo chmod 0755 /opt/microsoft/mdatp/sbin/wdavdaemon
```
and retry running step 2.
7. Ensure that the file system containing wdavdaemon isn't mounted with "noexec".
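Review bot: Step 4 tells the reader to set SELinux to permissive or disabled by editing `/etc/selinux/config` and rebooting. For a diagnostic step, `setenforce 0` switches to permissive until the next boot without touching the persistent config, which removes the risk that the "revert the configuration change immediately" instruction is forgotten; and if the service starts in permissive mode, the follow-up should be to resolve the logged denials rather than leave SELinux off. Smaller items in this hunk: "If theres no output" should be "If there's no output", "dont" should be "don't", "Rhel" should be "RHEL", and the `<systemd_path>` explanation uses triple backticks for inline code spans where single backticks are needed.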
@ -117,24 +145,31 @@ Now try restarting the mdatp service using step 2. Revert the configuration chan
## If mdatp service is running, but EICAR text file detection doesn't work
1. Check the file system type using:
```bash
findmnt -T <path_of_EICAR_file>
```
Currently supported file systems for on-access activity are listed [here](microsoft-defender-atp-linux.md#system-requirements). Any files outside these file systems won't be scanned.
## Command-line tool “mdatp” isn't working
1. If running the command-line tool `mdatp` gives an error `command not found`, run the following command:
```bash
sudo ln -sf /opt/microsoft/mdatp/sbin/wdavdaemonclient /usr/bin/mdatp
```
and try again.
If none of the above steps help, collect the diagnostic logs:
```bash
sudo mdatp diagnostic create
```
```Output
Diagnostic file created: <path to file>
```
Path to a zip file that contains the logs will be displayed as an output. Reach out to our customer support with these logs.
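Review bot: The heading "Command-line tool “mdatp” isn't working" uses curly quotes around mdatp while the body uses backticks for the same tool; align them. "Path to a zip file that contains the logs will be displayed as an output" should read "The path to a zip file containing the logs is displayed in the output". The `<path_of_EICAR_file>` placeholder and the single-item "1." lists are consistent with the rest of the article.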

View File

@ -23,7 +23,6 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
**Applies to:**
- [Microsoft Defender for Endpoint for Linux](microsoft-defender-atp-linux.md)
@ -34,6 +33,8 @@ Real-time protection (RTP) is a feature of Defender for Endpoint for Linux that
Depending on the applications that you are running and your device characteristics, you may experience suboptimal performance when running Defender for Endpoint for Linux. In particular, applications or system processes that access many resources over a short timespan can lead to performance issues in Defender for Endpoint for Linux.
Before starting, **please make sure that other security products are not currenly running on the device**. Multilpe security products may conflict and impact the host performance.
The following steps can be used to troubleshoot and mitigate these issues:
1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint for Linux is contributing to the performance issues.
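Review bot: The added sentence has two typos: "currenly" should be "currently" and "Multilpe" should be "Multiple". The point itself is a good one to put before the steps, since a second on-access scanner is the most common cause of the symptom this article troubleshoots.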
@ -43,19 +44,22 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
mdatp config real-time-protection --value disabled
```
```Output
Configuration property updated
```
If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint for Linux](linux-preferences.md).
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux.
If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response component. In this case please contact customer support for further instructions and mitigation.
2. To find the applications that are triggering the most scans, you can use real-time statistics gathered by Defender for Endpoint for Linux.
> [!NOTE]
> This feature is available in version 100.90.70 or newer.
This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:
```bash
mdatp config real-time-protection-statistics --value enabled
```
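Review bot: "In this case please contact customer support for further instructions and mitigation" should read "In this case, contact customer support for further instructions and mitigation" (docs style drops "please"). Moving step 2 below the new EDR paragraph is correct, since that paragraph belongs to step 1's outcome.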
@ -71,6 +75,7 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
mdatp config real-time-protection --value enabled
```
```Output
Configuration property updated
```
@ -80,16 +85,18 @@ The following steps can be used to troubleshoot and mitigate these issues:
```bash
mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
```
> [!NOTE]
> Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing.
The output of this command will show all processes and their associated scan activity.
The output of this command will show all processes and their associated scan activity.
3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command:
3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command:
```bash
wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py
```
The output of this command should be similar to the following:
```Output
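Review bot: The note "Using ```--output json``` (note the double dash)" uses triple backticks for an inline code span; single backticks are what the rest of the article uses. The other changes in this hunk only strip trailing whitespace.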
@ -102,39 +109,40 @@ The following steps can be used to troubleshoot and mitigate these issues:
100%[===========================================>] 1,020 --.-K/s in 0s
```
4. Next, type the following commands:
```bash
chmod +x high_cpu_parser.py
```
```bash
cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log
```
The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact.
For example, the output of the command will be something like the below:
```Output
... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10
27432 None 76703
73467 actool     1249
73914 xcodebuild 1081
73873 bash 1050
27475 None 836
1    launchd    407
73468 ibtool     344
549  telemetryd_v1   325
4764 None 228
125  CrashPlanService 164
27432 None 76703
73467 actool     1249
73914 xcodebuild 1081
73873 bash 1050
27475 None 836
1    launchd    407
73468 ibtool     344
549  telemetryd_v1   325
4764 None 228
125  CrashPlanService 164
```
 
To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
To improve the performance of Defender for Endpoint for Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint for Linux](linux-exclusions.md).
>[!NOTE]
> The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
5. Configure Microsoft Defender ATP for Linux with exclusions for the processes or disk locations that contribute to the performance issues and re-enable real-time protection.
For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
For more information, see [Configure and validate exclusions for Microsoft Defender ATP for Linux](linux-exclusions.md).
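Review bot: The sample output block lists macOS processes (`launchd`, `xcodebuild`, `actool`, `ibtool`, `telemetryd_v1`) and a `<~Downloads/output.json` path, which cannot come from a Linux host, so this block was copied from the macOS article; capture real output from `high_cpu_parser.py` on Linux instead. The paragraph after it tells the reader to find "the highest number under the `Total files scanned` row", but the output described above has three columns (PID, process name, number of scanned files) and no such row; say "the process with the highest count in the last column". Also "te process name" should be "the process name", and the closing lines still say "Microsoft Defender ATP for Linux" where the rest of the article uses "Defender for Endpoint for Linux".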

View File

@ -13,7 +13,7 @@ author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: article
---
@ -25,10 +25,10 @@ ms.topic: article
**Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
[!include[Prerelease information](../../includes/prerelease.md)]
>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink)
Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center.
@ -46,12 +46,12 @@ You can also submit files for deep analysis, to run the file in a secure cloud s
Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files:
Permission | PE files | Non-PE files
:---|:---|:---
View data | X | X
Alerts investigation | &#x2611; | X
Live response basic | X | X
Live response advanced | &#x2611; |&#x2611;
| Permission | PE files | Non-PE files |
| :--------------------- | :------: | :----------: |
| View data | X | X |
| Alerts investigation | &#x2611; | X |
| Live response basic | X | X |
| Live response advanced | &#x2611; | &#x2611; |
For more information on roles, see [Create and manage roles for role-based access control](user-roles.md).
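Review bot: The reformatted table uses `X` for "not permitted" and `&#x2611;` for "permitted", but an X mark is commonly read as a check, so a reader can take the "View data" row to mean that role can act on both file types. Add a one-line legend, or replace `X` with "No" and the ballot-box character with "Yes", so the permission boundary is unambiguous.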
@ -60,8 +60,8 @@ For more information on roles, see [Create and manage roles for role-based acces
You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed.
>[!IMPORTANT]
>You can only take this action if:
> [!IMPORTANT]
> You can only take this action if:
>
> - The device you're taking the action on is running Windows 10, version 1703 or later
> - The file does not belong to trusted third-party publishers or not signed by Microsoft
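Review bot: The unchanged condition "The file does not belong to trusted third-party publishers or not signed by Microsoft" is ungrammatical and, because this list defines when quarantine is allowed, worth tightening while the block is being touched: "The file is not from a trusted third-party publisher and is not signed by Microsoft". Adding the blank `>` line after the IMPORTANT label is correct for the list to render inside the alert.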
@ -71,35 +71,36 @@ The **Stop and Quarantine File** action includes stopping running processes, qua
This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days.
>[!NOTE]
>Youll be able to restore the file from quarantine at any time.
> [!NOTE]
> Youll be able to restore the file from quarantine at any time.
### Stop and quarantine files
1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box:
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select **File** from the dropdown menu and enter the file name
- **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline
- **Search box** - select **File** from the dropdown menu and enter the file name
>[!NOTE]
>The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
> [!NOTE]
> The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file).
2. Go to the top bar and select **Stop and Quarantine File**.
![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
![Image of stop and quarantine file action](images/atp-stop-quarantine-file.png)
3. Specify a reason, then click **Confirm**.
![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png)
![Image of stop and quarantine file modal window](images/atp-stop-quarantine.png)
The Action center shows the submission information:
![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
The Action center shows the submission information:
![Image of stop and quarantine file action center](images/atp-stopnquarantine-file.png)
- **Submission time** - Shows when the action was submitted.
- **Success** - Shows the number of devices where the file has been stopped and quarantined.
- **Failed** - Shows the number of devices where the action failed and details about the failure.
- **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
- **Submission time** - Shows when the action was submitted.
- **Success** - Shows the number of devices where the file has been stopped and quarantined.
- **Failed** - Shows the number of devices where the action failed and details about the failure.
- **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network.
4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed.
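Review bot: the Pending bullet in the Action center list ("where the file is yet to be stopped and quarantined from") is ungrammatical; suggest "Shows the number of devices on which the file has not yet been stopped and quarantined. This can take time when the device is offline or not connected to the network." The 1000-device NOTE between step 1 and step 2 was left unindented while the image lines under steps 2 and 3 were indented in this hunk; indent the note the same way so it stays inside the list.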
@ -118,38 +119,38 @@ You can roll back and remove a file from quarantine if youve determined that
1. Open an elevated commandline prompt on the device:
a. Go to **Start** and type _cmd_.
1. Go to **Start** and type _cmd_.
b. Rightclick **Command prompt** and select **Run as administrator**.
1. Rightclick **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```Powershell
```powershell
“%ProgramFiles%\Windows Defender\MpCmdRun.exe” Restore Name EUS:Win32/CustomEnterpriseBlock All
```
> [!NOTE]
> In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl.
>
>
> Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
> [!Important]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
> [!IMPORTANT]
> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
## Add indicator to block or allow a file
You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.
>[!IMPORTANT]
> [!IMPORTANT]
>
>- This feature is available if your organization uses Microsoft Defender Antivirus and Clouddelivered protection is enabled. For more information, see [Manage clouddelivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
> - This feature is available if your organization uses Microsoft Defender Antivirus and Clouddelivered protection is enabled. For more information, see [Manage clouddelivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md).
>
>- The Antimalware client version must be 4.18.1901.x or later.
>- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
>- This response action is available for devices on Windows 10, version 1703 or later.
>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
> - The Antimalware client version must be 4.18.1901.x or later.
> - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time.
> - This response action is available for devices on Windows 10, version 1703 or later.
> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
>[!NOTE]
> [!NOTE]
> The PE file needs to be in the device timeline for you to be able to take this action.
>
> There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
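Review bot: the MpCmdRun command in the fenced block shows its parameters without leading hyphens and wraps the path in typographic quotes, so it fails if pasted as-is; the tool's syntax is `"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All` with straight quotes. Note also that `%ProgramFiles%` expansion is a cmd.exe convention, which matches step 1 opening an elevated command prompt, so `cmd` is a more accurate fence tag than `powershell`.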
@ -157,14 +158,14 @@ You can prevent further propagation of an attack in your organization by banning
### Enable the block file feature
To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings.
### Allow or block file
When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it.
Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue.
See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files.
To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator.
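Review bot: "files's Action center" in the unchanged context line should be "file's Action center"; otherwise the only change in this hunk appears to be trailing whitespace on the "See [manage indicators]" line, which is noise worth dropping from the commit.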
@ -215,10 +216,10 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which
Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page.<br/>
<br/>
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0]
**Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis.
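Review bot: the new version appends `<br/>` to the paragraph and keeps a second `<br/>` on its own line, producing two forced breaks before the VIDEO block; a blank line between the paragraph and the video is sufficient, so drop both tags.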
@ -232,7 +233,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por
When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications.
**Submit files for deep analysis:**
#### Submit files for deep analysis
1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views:
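Review bot: the context line above the heading reads "runs the file in is a secure environment"; "in is" should be "in". Converting the bold pseudo-heading to a `####` heading is the right call.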
@ -242,17 +243,17 @@ When the sample is collected, Defender for Endpoint runs the file in is a secure
2. In the **Deep analysis** tab of the file view, click **Submit**.
![You can only submit PE files in the file details section](images/submit-file.png)
![You can only submit PE files in the file details section](images/submit-file.png)
> [!NOTE]
> Only PE files are supported, including _.exe_ and _.dll_ files.
> [!NOTE]
> Only PE files are supported, including _.exe_ and _.dll_ files.
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
> [!NOTE]
> Depending on device availability, sample collection time can vary. There is a 3hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can resubmit files for deep analysis to get fresh data on the file.
**View deep analysis reports**
#### View deep analysis reports
View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context.
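Review bot: the image alt text "You can only submit PE files in the file details section" describes a constraint rather than the image, and the NOTE directly below already states the PE-only limit; use alt text that names what is shown, for example "Submit button on the Deep analysis tab".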
@ -268,16 +269,19 @@ The details provided can help you investigate if there are indications of a pote
![The deep analysis report shows detailed information across a number of categories](images/analysis-results-nothing.png)
**Troubleshoot deep analysis**
#### Troubleshoot deep analysis
If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps.
1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications).
1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified.
1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error.
1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value:
```Powershell
```powershell
Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection
Name: AllowSampleCollection
Type: DWORD
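Review bot: the registry block is tagged `powershell` but its Path:/Name:/Type: lines are not PowerShell; either tag it `text`, or replace it with a runnable query such as `Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name AllowSampleCollection` so the tag is truthful and the reader can check the value directly.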
@ -287,6 +291,7 @@ If you encounter a problem when trying to submit a file, try each of the followi
```
1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md).
1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
## Related topics
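Review bot: the new step "Change the organizational unit through the Group Policy" does not say what to change or to what; state the intended action (which organizational unit the device should belong to, or which Group Policy setting to adjust for sample collection) so the step is actionable rather than only pointing at the linked article.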
View File
@ -21,6 +21,12 @@
##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md)
##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
#### [Using the WDAC Wizard tool](wdac-wizard.md)
##### [Create a base WDAC policy with the Wizard](wdac-wizard-create-base-policy.md)
##### [Create a supplemental WDAC policy with the Wizard](wdac-wizard-create-supplemental-policy.md)
##### [Editing a WDAC policy with the Wizard](wdac-wizard-editing-policy.md)
##### [Merging multiple WDAC policies with the Wizard](wdac-wizard-merging-policies.md)
## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
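Review bot: the new Wizard TOC entries mix imperative and gerund forms ("Create a base WDAC policy..." next to "Editing..." and "Merging..."); the surrounding entries use the imperative, so rename the last two to "Edit a WDAC policy with the Wizard" and "Merge multiple WDAC policies with the Wizard".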
View File
@ -0,0 +1,138 @@
---
title: Windows Defender Application Control Wizard Base Policy Creation
description: Creating new base application control policies with the Microsoft Windows Defender Application (WDAC) Wizard.
keywords: allow listing, block listing, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Creating a new Base Policy with the Wizard
**Applies to**
- Windows 10
- Windows Server 2016 and above
When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules.
## Template Base Policies
Each of the template policies has a unique set of policy allow list rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility.
| Template Base Policy | Description |
|---------------------------------|-------------------------------------------------------------------|
| **Default Windows Mode** | Default Windows mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)</li></ul>|
| **Allow Microsoft Mode** | Allow mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)</li><li>*All Microsoft-signed software*</li></ul>|
| **Signed and Reputable Mode** | Signed and Reputable mode will authorize the following components: </br><ul><li>Windows operating components - any binary installed by a fresh install of Windows</li><li>Apps installed from the Microsoft Store</li><li>Microsoft Office365 apps, OneDrive, and Microsoft Teams</li><li>Third-party [Windows Hardware Compatible drivers](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature)</li><li>All Microsoft-signed software</li><li>*Files with good reputation per [Microsoft Defender's Intelligent Security Graph technology](use-windows-defender-application-control-with-intelligent-security-graph.md)*</li></ul>|
*Italicized content denotes the changes in the current policy with respect to the policy prior.*
More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md).
![Selecting a base template for the policy](images/wdac-wizard-template-selection.png)
Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
## Configuring Policy Rules
Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen template from the previous page. Choose to enable or disable the desired policy rule options by pressing the slider button next to the policy rule titles. A short description of each rule will appear at the bottom of the page when the mouse hovers over the rule title.
### Policy Rules Description
A description of each policy rule, beginning with the left-most column, is provided below. The [Policy rules article](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules) provides a full description of each policy rule.
| Rule option | Description |
|------------ | ----------- |
| **Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. |
| **Disable Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is only supported with the Windows 10 May 2019 Update (1903) and higher. Using it on earlier versions of Windows 10 is not supported and may have unintended results. |
|**[Hypervisor-protected code integrity (HVCI)](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**| When enabled, policy enforcement uses virtualization-based security to run the code integrity service inside a secure environment. HVCI provides stronger protections against kernel malware.|
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Require WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10compatible driver must be WHQL certified. |
| **Update Policy without Rebooting** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. |
| **Unsigned System Integrity Policy** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
> [!div class="mx-imgBorder"]
> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
### Advanced Policy Rules Description
Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules. A description of each policy rule is provided below.
| Rule option | Description |
|------------ | ----------- |
| **Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
| **Disable Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flight/preview-signed builds. |
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path thats only writable by an administrator) for any FileRule that allows a file based on FilePath. |
| **Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries (DLLs). |
| **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.|
| **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png)
> [!NOTE]
> We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default.
## Creating custom file rules
[File rules](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels) in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create custom file rules for your policy. The Wizard supports four types of file rules:
### Publisher Rules
The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
| Rule Condition | WDAC Rule Level | Description |
|------------ | ----------- | ----------- |
| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver corp, is affected. |
| **File version** | SignedVersion | This rule is a combination of PCACertificate, publisher, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
### Filepath Rules
Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
### File Attribute Rules
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name parameter. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
| **File description** | Specifies the file description provided by the developer of the binary. |
| **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. |
> [!div class="mx-imgBorder"]
> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
### File Hash Rules
Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause additional administrative overhead to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level.
#### Deleting Signing Rules
The policy signing rules list table on the left of the page will document the allow and deny rules in the template, as well as any custom rules you create. Template signing rules and custom rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table.
## Up next
- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)
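Review bot: in the Invalidate EAs on Reboot row, "the Intelligent Security Graph option (14)" cites a number that appears nowhere else on the page; either drop "(14)" or say it is the Set-RuleOption id for Enabled:Intelligent Security Graph Authorization. Two smaller points: "Deleting Signing Rules" is a `####` heading nested under "### File Hash Rules" although it is a separate topic and should be `###`, and "you will be prompted" in that section needs a capital Y.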
View File
@ -0,0 +1,111 @@
---
title: Windows Defender Application Control Wizard Supplemental Policy Creation
description: Creating supplemental application control policies with the WDAC Wizard.
keywords: allowlisting, blocklisting, security, malware, supplemental policy
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Creating a new Supplemental Policy with the Wizard
**Applies to**
- Windows 10
- Windows Server 2016 and above
Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute.
Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a supplemental application control policy, configure the policy options, and the signer and file rules.
## Expanding a Base Policy
Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation.
![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png)
If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.
![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png)
Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png)
## Configuring Policy Rules
Upon page launch, policy rules will be automatically enabled/disabled depending on the chosen base policy from the previous page. Most of the supplemental policy rules must be inherited from the base policy. The Wizard will automatically parse the base policy and set the required supplemental policy rules to match the base policy rules. Inherited policy rules will be grayed out and will not be modifiable in the user interface.
A short description of the rule will be shown at the bottom of the page when the cursor is placed on the rule title.
### Configurable Supplemental Policy Rules Description
There are only three policy rules that can be configured by the supplemental policy. A description of each policy rule, beginning with the left-most column, is provided below. Selecting the **+ Advanced Options** label will show another column of policy rules; advanced policy rules.
| Rule option | Description |
|------------ | ----------- |
| **Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). |
| **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
| **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path thats only writable by an administrator) for any FileRule that allows a file based on FilePath. |
![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
## Creating custom file rules
File rules in an application control policy will specify the level at which applications will be identified and trusted. File rules are the main mechanism for defining trust in the application control policy. Selecting the **+ Custom Rules** will open the custom file rule conditions panel to create and customize targeted file rules for your policy. The Wizard supports four types of file rules:
### Publisher Rules
The Publisher file rule type uses properties in the code signing certificate chain to base file rules. Once the file to base the rule off of, called the *reference file*, is selected, use the slider to indicate the specificity of the rule. The table below shows the relationship between the slider placement, the corresponding WDAC rule level, and its description. The lower the placement on the table and the UI slider, the greater the specificity of the rule.
| Rule Condition | WDAC Rule Level | Description |
|------------ | ----------- | ----------- |
| **Issuing CA** | PCACertificate | Highest available certificate is added to the signers. This certificate is typically the PCA certificate, one level below the root certificate. Any file signed by this certificate will be affected. |
| **Publisher** | Publisher | This rule is a combination of the PCACertificate rule and the common name (CN) of the leaf certificate. Any file signed by a major CA but with a leaf from a specific company, for example a device driver publisher, is affected. |
| **File version** | SignedVersion | This rule is a combination of the PCACertificate and Publisher rule, and a version number. Anything from the specified publisher with a version at or above the one specified is affected. |
| **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
### Filepath Rules
Filepath rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. To create a filepath rule, select the file using the *Browse* button.
### File Attribute Rules
The Wizard supports the creation of [file name rules](select-types-of-rules-to-create.md#windows-defender-application-control-filename-rules) based on authenticated file attributes. File name rules are useful when an application and its dependencies (for example, DLLs) may all share the same product name, for instance. This rule level allows users to easily create targeted policies based on the Product Name file name. To select the file attribute to create the rule, move the slider on the Wizard to the desired attribute. The table below describes each of the supported file attributes off which to create a rule.
| Rule level | Description |
|------------ | ----------- |
| **Original Filename** | Specifies the original file name, or the name with which the file was first created, of the binary. |
| **File description** | Specifies the file description provided by the developer of the binary. |
| **Product name** | Specifies the name of the product with which the binary ships. |
| **Internal name** | Specifies the internal name of the binary. |
![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
### File Hash Rules
Lastly, the Wizard supports creating file rules using the hash of the file. Although this level is specific, it can cause extra administrative overhead to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. By default, the Wizard will use file hash as the fallback in case a file rule cannot be created using the specified file rule level.
#### Deleting Signing Rules
The table on the left of the page will document the allow and deny rules in the template, and any custom rules you create. Rules can be deleted from the policy by selecting the rule from the rules list table. Once the rule is highlighted, press the delete button underneath the table. you will be prompted for additional confirmation. Select `Yes` to remove the rule from the policy and the rules table.
## Up next
- [Editing a WDAC policy using the Wizard](wdac-wizard-editing-policy.md)
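Review bot: the Filepath Rules section says path rules "do not provide the same security guarantees" because they rest on mutable access permissions, but never says what the Wizard does about it. The rule options table at the top of this hunk already describes the mitigation (runtime FilePath rule protection: a path-allowed binary must live in a location writable only by an administrator), so the Filepath section should state that this protection is on by default and point readers at the `Disable Runtime FilePath Rule Protection` option before they consider turning it off; as written the two passages do not reference each other. Two smaller points in the same hunk: `#### Deleting Signing Rules` is an H4 nested under `### File Hash Rules` although it applies to every rule type in the table, so it should be its own section at the same level as the other rule headings, and "you will be prompted for additional confirmation" needs a capital Y. The hash-fallback sentence under File Hash Rules also deserves a callout rather than a trailing remark: when a publisher-level rule is requested for a file that cannot be matched at that level (an unsigned binary, for example), the Wizard silently emits a hash rule, which by the preceding sentence will stop matching at the next update of that file.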

@ -0,0 +1,72 @@
---
title: Editing Windows Defender Application Control Policies with the Wizard
description: Editing existing base and supplemental policies with the Microsoft WDAC Wizard.
keywords: allowlisting, blocklisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Editing existing base and supplemental WDAC policies with the Wizard
**Applies to**
- Windows 10
- Windows Server 2016 and above
The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
<ul>
<li>[Configuring policy rules](#configuring-policy-rules)</li>
<li>[Adding new allow or block file rules to existing policies](#adding-file-rules)</li>
<li>[Removing allow or block file rules on existing policies](#removing-file-rules)</li>
</ul>
## Configuring Policy Rules
The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state. For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png)
A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
## Adding File Rules
The WDAC Wizard allows users to add rules to their existing policy seamlessly. Previously, this would have involved creating a new policy with the new rules and merging it with the existing policy.
Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more information on creating new policy file rules, see the guidelines provided in the [creating policy file rules section](wdac-wizard-create-base-policy.md#creating-custom-file-rules).
## Removing File Rules
The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table.
![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png)
**Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2.
```xml
<Signer ID="ID_SIGNER_CONTOSO_PUBLISHER" Name="Contoso LOB Publisher CA">
<CertRoot Type="TBS" Value="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" />
<CertPublisher Value="Contoso IT Dept App Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_LOB_APP_1" />
<FileAttribRef RuleID="ID_FILEATTRIB_LOB_APP_2" />
```
[comment]: <> (## Editing File Rules Coming soon!)
### Policy Creation
Once the policy is created, the new policy will be written to the same path as the in-edit policy. The new policy file name will have the policy version appended to the end of the file name. For instance, if the in-edit policy is saved at MyDocuments\BasePolicy.xml, after edit, the new policy will be saved at MyDocuments\BasePolicy_v10.0.0.1.xml.
## Up next
- [Merging WDAC policies using the Wizard](wdac-wizard-merging-policies.md)
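Review bot: the XML block under Removing File Rules is not well-formed; it opens `<Signer ID="ID_SIGNER_CONTOSO_PUBLISHER" ...>` and never closes it, so add `</Signer>` after the second `<FileAttribRef>` line. The capability list at the top of the page wraps markdown links in a raw `<ul><li>...</li></ul>` block; CommonMark-style renderers do not process markdown inside an HTML block, so those three anchors are likely to render as literal `[Configuring policy rules](#configuring-policy-rules)` text. Use a plain `- ` list, which is what the rest of the page uses. Under Policy Creation, the example output name `BasePolicy_v10.0.0.1.xml` implies the Wizard increments the policy version when it writes the edited copy; state that explicitly, and say which version the suffix reflects, since readers who deploy signed policies need to know whether the version changed. Minor: `### Policy Creation` is an H3 between H2 sections, and "Removing File Rules" describes a `Policy Signing Rules List` that also holds path, filename and hash rules, so the table name in the prose and the heading "Deleting Signing Rules" on the previous page should agree on a name that covers all rule types.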

@ -0,0 +1,32 @@
---
title: Windows Defender Application Control Wizard Policy Merging Operation
description: Merging multiple policies into a single application control policy with the Microsoft WDAC Wizard.
keywords: allowlisting, blocklisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Merging existing policies with the WDAC Wizard
Beginning in Windows 10 version 1903, WDAC supports multiple policies. Before version 1903, however, Windows 10 could only have one WDAC policy. Consequently, users were required to merge multiple WDAC policies into one. The WDAC Wizard has a simple to use user interface to allow users to merge multiple WDAC policies. The Wizard can support up to 15 policy files as input during the merge workflow.
Select the policies you wish to merge into one policy using the `+ Add Policy` button under the table. Once added, policies will be enumerated within the table. To remove a policy from the table, if accidentally added, highlight the policy row and select the `- Remove Policy` button. Confirmation will be required before the policy is withdrawn from the table.
> [!NOTE]
> The policy type and ID of the final output policy will be determined based on the type and ID of the **first policy** in the policy list table. For instance, if a legacy policy format policy and a multi-policy format policy are merged together, the output format of the policy will be whichever policy is specified first in the table. For more information on policy formats, visit the [Multiple WDAC Policies page](deploy-multiple-windows-defender-application-control-policies.md).
Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy.
![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png)
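Review bot: the note explains that the output policy takes its type and ID from the first policy in the table, but not which policy's rule options (Audit Mode versus enforcement, UMCI, and so on) the merged policy inherits; a merge that silently lands in audit mode, or silently drops an option one of the inputs had, is the usual surprise in this workflow, so document it here next to the type/ID rule, and if the answer is also "the first policy", say so in the same sentence. Also, `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb` in this file's front matter is identical to the asset ID of the editing page added earlier in this commit; each new page should carry its own. Minor wording: "before the policy is withdrawn from the table" should be "removed from the table", matching the `- Remove Policy` button the sentence describes.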

@ -0,0 +1,50 @@
---
title: Windows Defender Application Control Wizard
description: Microsoft Defender Application Control Wizard (WDAC) Wizard allows users to create, edit, and merge application control policies in a simple to use Windows application.
keywords: allowlisting, blocklisting, security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.topic: conceptual
ms.date: 10/14/2020
---
# Windows Defender Application Control Wizard
**Applies to:**
- Windows 10
- Windows Server 2016 and above
The Windows Defender Application Control (WDAC) policy Wizard is an open source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects, security and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](https://docs.microsoft.com/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical.
## Downloading the application
The WDAC Wizard can be downloaded from the official [Wizard installer website](https://bit.ly/3koHwYs) as an MSIX packaged application. The Wizard's source code is available as part of Microsoft's Open Source Software offerings on GitHub at the [WDAC Wizard Repo](https://github.com/MicrosoftDocs/WDAC-Toolkit).
**Supported Clients**
As the WDAC Wizard uses the cmdlets in the background, the Wizard is functional on clients only where the cmdlets are supported as outlined in [WDAC feature availability](feature-availability.md). Specifically, the tool will verify that the client meets one of the following requirements:
- Windows builds 1909+
- For pre-1909 builds, the Enterprise SKU of Windows is installed
If neither requirement is satisfied, the Wizard will throw an error as the cmdlets are not available.
## In this section
| Topic | Description |
| - | - |
| [Creating a new base policy](wdac-wizard-create-base-policy.md) | This article describes how to create a new base policy using one of the supplied policy templates. |
| [Creating a new supplemental policy](wdac-wizard-create-supplemental-policy.md) | This article describes the steps necessary to create a supplemental policy, from one of the supplied templates, for an existing base policy. |
| [Editing a base or supplemental policy](wdac-wizard-editing-policy.md) | This article demonstrates how to modify an existing policy and the Wizard's editing capabilities. |
| [Merging policies](wdac-wizard-merging-policies.md) | This article describes how to merge policies into a single application control policy. |
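Review bot: the installer download in "Downloading the application" is a bit.ly shortlink (`https://bit.ly/3koHwYs`). For a tool whose output is a code-integrity policy, readers should be given a direct, verifiable URL, for example the releases page of the WDAC-Toolkit repository that the same sentence already links, or an aka.ms link under Microsoft's control; a third-party shortener hides the destination and can be repointed later. In the front matter, `description` reads "Microsoft Defender Application Control Wizard (WDAC) Wizard", which misnames the product relative to the H1 (Windows Defender Application Control) and repeats "Wizard"; it also reuses the same `ms.assetid` as the two other pages added in this commit. Under Supported Clients, "Windows builds 1909+" should read "Windows 10, version 1909 or later" in docs style, and the "Applies to" block lists Windows Server 2016 and above while the requirements that follow only mention Windows 10 builds and the Enterprise SKU; say how the version check applies to Server.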

@ -45,5 +45,6 @@ Once these business factors are in place, you are ready to begin planning your W
| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
| [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
| [Policy creation for common WDAC usage scenarios](types-of-devices.md) | This set of topics outlines common use case scenarios and helps you begin to develop a plan for deploying WDAC in your organization. |
| [Policy creation using the WDAC Wizard tool](wdac-wizard.md) | This set of topics describes how to use the WDAC Wizard desktop app to easily create, edit and merge WDAC policies. |
After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.

@ -30,8 +30,11 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
### Windows Hello
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#windows-hello-pin-in-safe-mode-build-18995).
- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard
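Review bot: the new Windows Hello for Business bullet bundles three separate items (Hybrid Azure AD support, phone number sign-in for MSA, and FIDO2 security keys in hybrid environments) into one sentence; split them so each item links to its own source. The FIDO2 hybrid item is presented as generally available ("enabling enterprises with hybrid environments to take advantage of passwordless authentication"), but the linked Tech Community post is titled "Expanding Azure Active Directory support for FIDO2 preview to hybrid environments", so either state that it was a preview at the time of this release or update the reference to the announcement that matches the claim.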
@ -52,7 +55,7 @@ Note: [Application Guard for Office](https://support.office.com/article/applicat
### Windows Setup
Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language ](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Windows Setup [answer files](https://docs.microsoft.com/windows-hardware/manufacture/desktop/update-windows-settings-and-scripts-create-your-own-answer-file-sxs) (unattend.xml) have [improved language handling](https://oofhours.com/2020/06/01/new-in-windows-10-2004-better-language-handling/).
Improvements in Windows Setup with this release also include:
- Reduced offline time during feature updates
@ -84,7 +87,7 @@ Also see [What's new in Microsoft Intune](https://docs.microsoft.com/mem/intune/
### Windows Assessment and Deployment Toolkit (ADK)
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 [here](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
Download the Windows ADK and Windows PE add-on for Windows 10, version 2004 here: [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install).
For information about what's new in the ADK, see [What's new in the Windows ADK for Windows 10, version 2004](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-2004).
@ -120,8 +123,11 @@ The following [Delivery Optimization](https://docs.microsoft.com/windows/deploym
### Windows Update for Business
[Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb) enhancements in this release include:
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- Update less: Last year, we [changed update installation policies](https://blogs.windows.com/windowsexperience/2019/04/04/improving-the-windows-10-update-experience-with-control-quality-and-transparency/#l2jH7KMkOkfcWdBs.97) for Windows 10 to only target devices running a feature update version that is nearing end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings **Advanced Options** page starting on Windows 10, version 2004. If you wish to continue leveraging deferrals, you can use local Group Policy (**Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview builds and Feature Updates are received** or **Select when Quality Updates are received**). For more information about this change, see [Simplified Windows Update settings for end users](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplified-windows-update-settings-for-end-users/ba-p/1497215).
## Networking
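Review bot: the "Validation improvements" bullet says "we have created a new policy that enables admins to opt devices out of the built-in safeguard holds" without naming the policy, giving its Group Policy or CSP path, or linking to it, whereas the "Update less" bullet in the same hunk gives the full Group Policy path; name it and link it. It also needs a caution in the same sentence: the preceding clause explains that safeguard holds exist precisely to keep devices with known issues from updating, so opting out should be presented as a validation-ring measure, not a general setting. The first bullet ("Intune console updates: target version is now available") would likewise benefit from a link to the Intune setting or the CSP policy it refers to.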
@ -185,9 +191,13 @@ Several enhancements to the Windows 10 user interface are implemented in this re
### Cortana
[Cortana](https://www.microsoft.com/cortana) has been updated and enhanced in Windows 10, version 2004:
- Productivity: chat-based UI gives you the ability to [interact with Cortana using typed or spoken natural language queries](https://support.microsoft.com/help/4557165) to easily get information across Microsoft 365 and stay on track. Productivity focused capabilities such as finding people profiles, checking schedules, joining meetings, and adding to lists in Microsoft To Do are currently available to English speakers in the US.
- In the coming months, with regular app updates through the Microsoft Store, well enhance this experience to support wake word invocation and enable listening when you say “Cortana,” offer more productivity capabilities such as surfacing relevant emails and documents to help you prepare for meetings, and expand supported capabilities for international users.
- Security: tightened access to Cortana so that you must be securely logged in with your work or school account or your Microsoft account before using Cortana. Because of this tightened access, some consumer skills including music, connected home, and third-party skills will no longer be available. Additionally, users [get cloud-based assistance services that meet Office 365s enterprise-level privacy, security, and compliance promises](https://docs.microsoft.com/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide) as set out in the Online Services Terms.
- Move the Cortana window: drag the Cortana window to a more convenient location on your desktop.
For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpdatesMay2020).
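Review bot: the second bullet ("In the coming months ... we'll enhance this experience to support wake word invocation ...") is a roadmap statement that will go stale in an evergreen what's-new page; either drop it or date it and link it, as the closing line does with the Microsoft 365 blog. The "Security" bullet is the item IT pros need to plan for, because it changes the sign-in requirement (work, school or Microsoft account required) and removes consumer and third-party skills; consider leading the list with it.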
@ -246,13 +256,13 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
## See Also
[Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
[Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.<br>
[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
[Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
- [Whats new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
- [Whats new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
- [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
- [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See whats new in other versions of Windows 10.<br>
- [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers.<br>
- [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses.<br>
- [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
- [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
- [Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
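Review bot: every new bullet in the See Also list still ends with `<br>`. The pre-list version needed those tags for line breaks, but a markdown list does not, and keeping them renders each item with an extra blank line; drop the trailing `<br>` from all ten bullets. The list itself is the right change, as the old block relied on hard breaks to separate unrelated links.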