deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-27 20:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'public' into repo_sync_working_branch

Browse Source
This commit is contained in:
Tina Burden 2020-12-07 11:58:21 -08:00 committed by GitHub
commit c55fe9a06b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 322 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
View File

@ -113,8 +113,7 @@ Requirements:
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
> [!NOTE]
> **Device Credential** Credential Type will also work, however, it is not yet supported for MDM solutions (including Intune). We don't recommend using this option until support is announced.
> **Device Credential** Credential Type may work, however, it is not yet supported by Intune. We don't recommend using this option until it's supported.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
@ -183,6 +182,8 @@ Requirements:
- 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
2. Install the package on the Domain Controller.
@ -197,6 +198,8 @@ Requirements:
- 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)**
- 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)**
- 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)**
4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.

2
windows/deployment/update/waas-delivery-optimization.md
View File

@ -65,7 +65,7 @@ For information about setting up Delivery Optimization, including tips for the b
- Office installations and updates
- Xbox game pass games
- MSIX apps (HTTP downloads only)
- Edge browser installations and updates
## Requirements

4
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
View File

@ -8,10 +8,10 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: medgarmedgar
author: robsize
ms.author: dansimp
manager: robsize
ms.date: 3/25/2020
ms.date: 12/1/2020
---
# Manage connections from Windows 10 operating system components to Microsoft services using Microsoft Intune MDM Server

2
windows/privacy/manage-windows-2004-endpoints.md
View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.localizationpriority: high
audience: ITPro
author: linque1
ms.author: obezeajo
ms.author: robsize
manager: robsize
ms.collection: M365-security-compliance
ms.topic: article

235
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -576,7 +576,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn Local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -645,7 +645,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn Local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -717,7 +717,7 @@ This security group includes the following changes since Windows Server 2008:
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn Local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -865,7 +865,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -987,7 +987,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-517</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-517</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1113,7 +1113,7 @@ This security group was introduced in Windows Vista Service Pack 1, and it h
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -1241,7 +1241,7 @@ The Device Owners group applies to versions of the Windows Server operating syst
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn Local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -1430,7 +1430,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Domain local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -1493,7 +1493,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Domain Global</p></td>
<td><p>Global</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -1552,7 +1552,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-515</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-515</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1613,7 +1613,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-516</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-516</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1674,7 +1674,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-514</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-514</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1737,11 +1737,11 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-513</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-513</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Domain Global</p></td>
<td><p>Global</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -1950,7 +1950,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Domain Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -1985,13 +1985,13 @@ This security group has not changed since Windows Server 2008.
### <a href="" id="bkmk-gpcreatorsowners"></a>Group Policy Creators Owners
### <a href="" id="bkmk-gpcreatorsowners"></a>Group Policy Creator Owners
This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator.
For information about other features you can use with this security group, see [Group Policy Overview](https://technet.microsoft.com/library/hh831791.aspx).
The Group Policy Creators Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable).
This security group has not changed since Windows Server 2008.
@ -2009,7 +2009,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;domain&gt;-520</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-520</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -2093,12 +2093,11 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>Guest</p></td>
<td><p><a href="#bkmk-domainguests" data-raw-source="[Domain Guests](#bkmk-domainguests)">Domain Guests</a></p><p>Guest</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p><a href="#bkmk-domainguests" data-raw-source="[Domain Guests](#bkmk-domainguests)">Domain Guests</a></p>
<p>Guest</p></td>
<td><p>None</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
@ -2150,7 +2149,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2162,7 +2161,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p>No</p></td>
<td><p>None</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
@ -2211,7 +2210,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn Local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2286,7 +2285,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2389,7 +2388,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>BuiltIn local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2470,7 +2469,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2551,7 +2550,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2615,7 +2614,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2679,7 +2678,7 @@ This security group has not changed since Windows Server 2008. However, in Windo
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2758,7 +2757,7 @@ The following table specifies the properties of the Protected Users group.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Domain Global</p></td>
<td><p>Global</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2819,7 +2818,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Domain local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2876,11 +2875,11 @@ This security group was introduced in Windows Server 2012, and it has not chang
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-32-&lt;domain&gt;-576</p></td>
<td><p>S-1-5-32-576</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -2939,7 +2938,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3000,7 +2999,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3035,6 +3034,78 @@ This security group was introduced in Windows Server 2012, and it has not chang
### <a href="" id="bkmk-rodc"></a>Read-Only Domain Controllers
This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
- Read-only AD DS database
- Unidirectional replication
- Credential caching
- Administrator role separation
- Read-only Domain Name System (DNS)
For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-521</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Global</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>None</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p><a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Safe to move out of default container?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>See <a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
</tr>
</tbody>
</table>
### <a href="" id="bkmk-remotedesktopusers"></a>Remote Desktop Users
The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO).
@ -3094,78 +3165,6 @@ This security group has not changed since Windows Server 2008.
</tbody>
</table>
### <a href="" id="bkmk-rodc"></a>Read-Only Domain Controllers
This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role.
Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality:
- Read-only AD DS database
- Unidirectional replication
- Credential caching
- Administrator role separation
- Read-only Domain Name System (DNS)
For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](https://technet.microsoft.com/library/cc754719(v=ws.10).aspx).
This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Attribute</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-521</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
<td><p>CN=Users, DC=&lt;domain&gt;, DC=</p></td>
</tr>
<tr class="even">
<td><p>Default members</p></td>
<td><p>None</p></td>
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p><a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>Safe to move out of default container?</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>Safe to delegate management of this group to non-Service admins?</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Default User Rights</p></td>
<td><p>See <a href="#bkmk-deniedrodcpwdrepl" data-raw-source="[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)">Denied RODC Password Replication Group</a></p></td>
</tr>
</tbody>
</table>
@ -3197,7 +3196,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3264,7 +3263,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3327,7 +3326,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-&lt;root domain&gt;-518</p></td>
<td><p>S-1-5-21-&lt;root domain&gt;-518</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -3394,7 +3393,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3442,7 +3441,7 @@ The Storage Replica Administrators group applies to versions of the Windows Serv
| Attribute | Value |
|-----------|-------|
| Well-Known SID/RID | S-1-5-32-582 |
| Type | BuiltIn Local |
| Type | Builtin Local |
| Default container | CN=BuiltIn, DC=&lt;domain&gt;, DC= |
| Default members | None |
| Default member of | None |
@ -3463,7 +3462,7 @@ The System Managed Accounts group applies to versions of the Windows Server oper
| Attribute | Value |
|-----------|-------|
| Well-Known SID/RID | S-1-5-32-581 |
| Type | BuiltIn Local |
| Type | Builtin Local |
| Default container | CN=BuiltIn, DC=&lt;domain&gt;, DC= |
| Default members | Users |
| Default member of | None |
@ -3507,7 +3506,7 @@ This security group only applies to Windows Server 2003 and Windows Server 200
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3574,7 +3573,7 @@ This security group includes the following changes since Windows Server 2008:
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>
@ -3588,7 +3587,7 @@ This security group includes the following changes since Windows Server 2008:
</tr>
<tr class="odd">
<td><p>Default member of</p></td>
<td><p>Domain Users (this membership is due to the fact that the Primary Group ID of all user accounts is Domain Users.)</p></td>
<td><p>None</p></td>
</tr>
<tr class="even">
<td><p>Protected by ADMINSDHOLDER?</p></td>
@ -3641,7 +3640,7 @@ This security group has not changed since Windows Server 2008.
</tr>
<tr class="even">
<td><p>Type</p></td>
<td><p>Builtin local</p></td>
<td><p>Builtin Local</p></td>
</tr>
<tr class="odd">
<td><p>Default container</p></td>

2
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -68,7 +68,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync).
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |

3
windows/security/information-protection/bitlocker/bitlocker-overview.md
View File

@ -74,7 +74,7 @@ The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker is not enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. We recommend that system drive be approximately 350 MB in size. After BitLocker is turned on it should have approximately 250 MB of free space.
A fixed data volume or removable data volume cannot be marked as an active partition.
A partition subject to encryption cannot be marked as an active partition (this applies to the operating system, fixed data, and removable data drives).
When installed on a new computer, Windows will automatically create the partitions that are required for BitLocker.
@ -99,4 +99,3 @@ When installing the BitLocker optional component on a server you will also need
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/docs/securebootandbitlocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |

4
windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
View File

@ -39,7 +39,9 @@ To resolve this issue, follow these steps:
1. Open an elevated PowerShell window and run the following script:
```ps
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm" $ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
$Tpm = Get-WmiObject -class Win32_Tpm -namespace "root\CIMv2\Security\MicrosoftTpm"
$ConfirmationStatus = $Tpm.GetPhysicalPresenceConfirmationStatus(22).ConfirmationStatus
if($ConfirmationStatus -ne 4) {$Tpm.SetPhysicalPresenceRequest(22)}
```
1. Restart the computer. If you are prompted at the restart screen, press F12 to agree.

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

@ -47,6 +47,8 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft
Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes).
Engine updates are included with security intelligence updates and are released on a monthly cadence.
## Product updates

48
windows/security/threat-protection/microsoft-defender-atp/android-intune.md
View File

@ -109,10 +109,9 @@ list in Microsoft Defender Security Center.
Defender for Endpoint for Android supports Android Enterprise enrolled devices.
For more information on the enrollment options supported by Intune, see
[Enrollment
Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
[Enrollment Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll).
Currently only Personal devices with Work Profile enrolled are supported for deployment.
**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
@ -244,6 +243,45 @@ the *Required* section \> **Add group,** selecting the user group and click
above. Then select **Review + Save** and then **Save** again to commence
assignment.
### Auto Setup of Always-on VPN
Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to setup VPN service while onboarding.
1. On **Devices** Page go to **Configuration Profiles** > **Create Profile** > **Platform** > **Android Enterprise**
Select **Device restrictions** under one of the following, based on your device enrollment type
- **Fully Managed, Dedicated, and Corporate-Owned Work Profile**
- **Personally-Owned Work Profile**
Select **Create**.
> ![Image of devices configuration profile Create](images/1autosetupofvpn.png)
2. **Configuration Settings**
Provide a **Name** and a **Description** to uniquely identify the configuration profile.
> ![Image of devices configuration profile Name and Description](images/2autosetupofvpn.png)
3. Select **Connectivity** and configure VPN:
- Enable **Always-on VPN**
Setup a VPN client in the work profile to automatically connect and reconnect to the VPN whenever possible. Only one VPN client can be configured for always-on VPN on a given device, so be sure to have no more than one always-on VPN policy deployed to a single device.
- Select **Custom** in VPN client dropdown list
Custom VPN in this case is Defender for Endpoint VPN which is used to provide the Web Protection feature.
> [!NOTE]
> Microsoft Defender ATP app must be installed on users device, in order to functioning of auto setup of this VPN.
- Enter **Package ID** of the Microsoft Defender ATP app in Google Play store. For the Defender app URL https://play.google.com/store/apps/details?id=com.microsoft.scmx, Package ID is **com.microsoft.scmx**
- **Lockdown mode** Not configured (Default)
> ![Image of devices configuration profile enable Always-on VPN](images/3autosetupofvpn.png)
4. **Assignment**
In the**Assignments**page, select the user group to which this app config policy would be assigned to. Click**Select groups** to includeand selecting the applicable group and then click**Next**. The group selected here is usually the same group to which you would assign Microsoft Defender for Endpoint Android app.
> ![Image of devices configuration profile Assignment](images/4autosetupofvpn.png)
5. In the **Review + Create** page that comes up next, review all the information and then select **Create**.
The device configuration profile is now assigned to the selected user group.
> ![Image of devices configuration profile Review and Create](images/5autosetupofvpn.png)
## Complete onboarding and check status
1. Confirm the installation status of Microsoft Defender for Endpoint for Android by
@ -254,9 +292,7 @@ displayed here.
> ![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)
2. On the device, you can confirm the same by going to the **work profile** and
confirm that Defender for Endpoint is available.
2. On the device, you can validate the onboarding status by going to the **work profile**. Confirm that Defender for Endpoint is available and that you are enrolled to the **Personally-owned devices with work profile**. If you are enrolled to a **Corporate-owned, fully managed user device**, you will have a single profile on the device where you can confirm that Defender for Endpoint is available.
![Image of app in mobile device](images/c2e647fc8fa31c4f2349c76f2497bc0e.png)
3. When the app is installed, open the app and accept the permissions

1
windows/security/threat-protection/microsoft-defender-atp/common-errors.md
View File

@ -46,6 +46,7 @@ DisallowedOperation | Forbidden (403) | {the disallowed operation and the reason
NotFound | Not Found (404) | General Not Found error message.
ResourceNotFound | Not Found (404) | Resource {the requested resource} was not found.
InternalServerError | Internal Server Error (500) | (No error message, try retry the operation or contact us if it does not resolved)
TooManyRequests | Too Many Requests (429) | Response will represent reaching quota limit either by number of requests or by CPU.
## Body parameters are case-sensitive

BIN
windows/security/threat-protection/microsoft-defender-atp/images/1autosetupofvpn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 75 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/2autosetupofvpn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/3autosetupofvpn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/4autosetupofvpn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/5autosetupofvpn.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 151 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 87 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 87 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 138 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 126 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/ios-deploy-7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

14
windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md
View File

@ -27,20 +27,12 @@ ms.topic: conceptual
> [!NOTE]
> Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device.
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
## Configure compliance policy against jailbroken devices
To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune.
> [!NOTE]
> Currently Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. Some data like your corporate email id and corporate profile picture (if available) will be exposed to the attacker on the jailbroken device.
> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally
Follow the steps below to create a compliance policy against jailbroken devices.
@ -73,3 +65,7 @@ Defender for Endpoint for iOS enables admins to configure custom indicators on i
## Web Protection
By default, Defender for Endpoint for iOS includes and enables the web protection feature. [Web protection](web-protection-overview.md) helps to secure devices against web threats and protect users from phishing attacks.
## Report unsafe site
Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site.

118
windows/security/threat-protection/microsoft-defender-atp/ios-install.md
View File

@ -20,62 +20,118 @@ ms.collection:
ms.topic: conceptual
---
# App-based deployment for Microsoft Defender for Endpoint for iOS
# Deploy Microsoft Defender for Endpoint for iOS
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
Defender for Endpoint for iOS is currently available as a preview app on TestFlight, Apple's beta testing platform. In GA, it will be available on the Apple App store.
Deployment devices need to be enrolled on Intune Company portal. Refer to
[Enroll your
device](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll) to
learn more about Intune device enrollment
This topic describes deploying Defender for Endpoint for iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](https://docs.microsoft.com/mem/intune/enrollment/ios-enroll).
## Before you begin
- Ensure you have access to [Microsoft Endpoint manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Ensure you have access to [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Ensure iOS enrollment is done for your users. Users need to have Defender for Endpoint
license assigned in order to use Defender for Endpoint for iOS. Refer [Assign licenses to
users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
for instructions on how to assign licenses.
- Ensure iOS enrollment is done for your users. Users need to have a Defender for Endpoint license assigned in order to use Defender for Endpoint for iOS. Refer to [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign) for instructions on how to assign licenses.
> [!NOTE]
> Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available in the [Apple App Store](https://aka.ms/mdatpiosappstore).
## Deployment steps
To install Defender for Endpoint for iOS, end-users can visit
<https://aka.ms/defenderios> on their iOS devices. This link will open the
TestFlight application on their device or prompt them to install TestFlight. On
the TestFlight app, follow the onscreen instructions to install Defender for Endpoint.
Deploy Defender for Endpoint for iOS via Intune Company Portal.
### Add iOS store app
![Image of deployment steps](images/testflight-get.png)
1. In [Microsoft Endpoint manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Apps** -> **iOS/iPadOS** -> **Add** -> **iOS store app** and click **Select**.
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-1.png)
1. On the Add app page, click on **Search the App Store** and type **Microsoft Defender ATP** in the search bar. In the search results section, click on *Microsoft Defender ATP* and click **Select**.
1. Select **iOS 11.0** as the Minimum operating system. Review the rest of information about the app and click **Next**.
1. In the *Assignments* section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint for iOS app. Click **Select** and then **Next**.
> [!NOTE]
> The selected user group should consist of Intune enrolled users.
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-2.png)
1. In the *Review + Create* section, verify that all the information entered is correct and then select **Create**. In a few moments, the Defender for Endpoint app should be created successfully, and a notification should show up at the top-right corner of the page.
1. In the app information page that is displayed, in the **Monitor** section, select **Device install status** to verify that the device installation has completed successfully.
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-3.png)
## Complete onboarding and check status
1. Once Defender for Endpoint for iOS has been installed on the device, you
1. Once Defender for Endpoint for iOS has been installed on the device, you
will see the app icon.
![A screen shot of a smart phone Description automatically generated](images/41627a709700c324849bf7e13510c516.png)
2. Tap the Defender for Endpoint app icon and follow the on-screen
instructions to complete the onboarding steps. The details include end-user
acceptance of iOS permissions required by Defender for Endpoint for iOS.
2. Tap the Defender for Endpoint app icon and follow the on-screen instructions to complete the onboarding steps. The details include end-user acceptance of iOS permissions required by Defender for Endpoint for iOS.
3. Upon successful onboarding, the device will start showing up on the Devices
list in Microsoft Defender Security Center.
3. Upon successful onboarding, the device will start showing up on the Devices list in Microsoft Defender Security Center.
> [!div class="mx-imgBorder"]
> ![A screenshot of a cell phone Description automatically generated](images/e07f270419f7b1e5ee6744f8b38ddeaf.png)
## Configure Microsoft Defender for Endpoint for Supervised Mode
The Microsoft Defender for Endpoint for iOS app has specialized ability on supervised iOS/iPadOS devices, given the increased management capabilities provided by the platform on these types of devices. To take advantage of these capabilities, the Defender for Endpoint app needs to know if a device is in Supervised Mode.
### Configure Supervised Mode via Intune
Intune allows you to configure the Defender for iOS app through an App Configuration policy.
> [!NOTE]
> This app configuration policy for supervised devices is applicable only to managed devices and should be targeted for all managed iOS devices as a best practice.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and go to **Apps** > **App configuration policies** > **Add**. Click on **Managed devices**.
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-4.png)
1. In the *Create app configuration policy* page, provide the following information:
- Policy Name
- Platform: Select iOS/iPadOS
- Targeted app: Select **Microsoft Defender ATP** from the list
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-5.png)
1. In the next screen, select **Use configuration designer** as the format. Specify the following property:
- Configuration Key: issupervised
- Value type: String
- Configuration Value: {{issupervised}}
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-6.png)
1. Click **Next** to open the **Scope tags** page. Scope tags are optional. Click **Next** to continue.
1. On the **Assignments** page, select the groups that will receive this profile. For this scenario, it is best practice to target **All Devices**. For more information on assigning profiles, see [Assign user and device profiles](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).
When deploying to user groups, a user must sign in to a device before the policy applies.
Click **Next**.
1. On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
1. Next, for enhanced Anti-phishing capabilities, you can deploy a custom profile on the supervised iOS devices. Follow the steps below:
- Download the config profile from [https://aka.ms/mdatpiossupervisedprofile](https://aka.ms/mdatpiossupervisedprofile)
- Navigate to **Devices** -> **iOS/iPadOS** -> **Configuration profiles** -> **Create Profile**
> [!div class="mx-imgBorder"]
![Image of Microsoft Endpoint Manager Admin Center](images/ios-deploy-7.png)
- Provide a name of the profile. When prompted to import a Configuration profile file, select the one downloaded above.
- In the **Assignment** section, select the device group to which you want to apply this profile. As a best practice, this should be applied to all managed iOS devices. Click **Next**.
- On the **Review + create** page, when you're done, choose **Create**. The new profile is displayed in the list of configuration profiles.
## Next Steps
[Configure Defender for Endpoint for iOS features](ios-configure-features.md)

4
windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md
View File

@ -30,6 +30,9 @@ ms.topic: conceptual
Learn how to deploy Microsoft Defender for Endpoint for macOS with Jamf Pro.
> [!NOTE]
> If you are using macOS Catalina (10.15.4) or newer versions of macOS, see [New configuration profiles for macOS Catalina and newer versions of macOS](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies).
This is a multi step process. You'll need to complete all of the following steps:
- [Login to the Jamf Portal](mac-install-jamfpro-login.md)
@ -40,4 +43,3 @@ This is a multi step process. You'll need to complete all of the following steps

2
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md
View File

@ -74,7 +74,7 @@ This topic describes how to install, configure, update, and use Defender for End
Microsoft Defender for Endpoint for Android supports installation on both modes of
enrolled devices - the legacy Device Administrator and Android Enterprise modes.
**Currently, only Work Profile enrolled devices are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
**Currently, Personally-owned devices with work profile and Corporate-owned fully managed user device enrolments are supported in Android Enterprise. Support for other Android Enterprise modes will be announced when ready.**
Deployment of Microsoft Defender for Endpoint for Android is via Microsoft Intune (MDM).
For more information, see [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](android-intune.md).

56
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md
View File

@ -24,53 +24,51 @@ ms.topic: conceptual
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
> [!IMPORTANT]
> **PUBLIC PREVIEW EDITION**
>
> This documentation is for a pre-release solution. The guidelines and the solution are subject to change between now and its general availability.
>
> As with any pre-release solution, remember to exercise caution when determining the target population for your deployments.
The public preview of Defender for Endpoint for iOS will offer protection
against phishing and unsafe network connections from websites, emails, and apps.
All alerts will be available through a single pane of glass in the Microsoft
Defender Security Center. The portal gives security teams a centralized view of threats on
**Microsoft Defender for Endpoint for iOS** will offer protection against phishing and unsafe network connections from websites, emails, and apps. All alerts will be available through a single pane of glass in the Microsoft Defender Security Center. The portal gives security teams a centralized view of threats on
iOS devices along with other platforms.
> [!CAUTION]
> Running other third-party endpoint protection products alongside Defender for Endpoint for iOS is likely to cause performance problems and unpredictable system errors.
## Pre-requisites
**For End Users**
- Defender for Endpoint license assigned to the end user(s) of the app. Refer
[Assign licenses to
users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign)
for instructions on how to assign licenses.
- Microsoft Defender for Endpoint license assigned to the end user(s) of the app. See [Microsoft Defender for Endpoint licensing requirements](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements#licensing-requirements).
- Device(s) are [enrolled](https://docs.microsoft.com/mem/intune/user-help/enroll-your-device-in-intune-ios) via the Intune Company Portal app to enforce Intune device compliance policies. This requires the end user to be assigned a Microsoft Intune license.
- Intune Company Portal app can be downloaded from the [Apple App Store](https://apps.apple.com/us/app/intune-company-portal/id719171358).
- For more information on how to assign licenses, see [Assign licenses to users](https://docs.microsoft.com/azure/active-directory/users-groups-roles/licensing-groups-assign).
**For Administrators**
- Access to the Microsoft Defender Security Center portal
- Access to the Microsoft Defender Security Center portal.
- Access to [Microsoft Endpoint Manager admin
center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app
to enrolled user groups in your organization
> [!NOTE]
> Microsoft Intune is the only supported Mobile Device Management (MDM) solution for deploying Microsoft Defender for Endpoint for iOS. Currently only enrolled devices are supported for enforcing Defender for Endpoint for iOS related device compliance policies in Intune.
- Access to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), to deploy the app to enrolled user groups in your organization.
**System Requirements**
- iOS devices running iOS 11.0 and later
- iOS devices running iOS 11.0 and above.
- Device is enrolled with Intune Company Portal
[app](https://apps.apple.com/us/app/intune-company-portal/id719171358)
- Device is enrolled with the [Intune Company Portal app](https://apps.apple.com/us/app/intune-company-portal/id719171358).
> [!NOTE]
> **Microsoft Defender ATP (Microsoft Defender for Endpoint) for iOS is now available on [Apple App Store](https://aka.ms/mdatpiosappstore).**
## Installation instructions
Deployment of Microsoft Defender for Endpoint for iOS is via Microsoft Intune (MDM) and both supervised and unsupervised devices are supported.
For more information, see [Deploy Microsoft Defender for Endpoint for iOS](ios-install.md).
## Resources
- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS)
- Provide feedback through in-app feedback system or through [SecOps
portal](https://securitycenter.microsoft.com)
- Stay informed about upcoming releases by visiting our [blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
- Provide feedback through in-app feedback system or through [SecOps portal](https://securitycenter.microsoft.com)
## Next steps

33
windows/security/threat-protection/microsoft-defender-atp/non-windows.md
View File

@ -42,38 +42,38 @@ non-Windows platforms, enabling them to get a full picture of what's happening
in their environment, which empowers them to more quickly assess and respond to
threats.
## Microsoft Defender for Endpoint for Mac
## Microsoft Defender for Endpoint on macOS
Microsoft Defender for Endpoint for Mac offers antivirus and endpoint detection and response (EDR) capabilities for the three
Microsoft Defender for Endpoint on macOS offers antivirus and endpoint detection and response (EDR) capabilities for the three
latest released versions of macOS. Customers can deploy and manage the solution
through Microsoft Endpoint Manager and Jamf. Just like with Microsoft Office
applications on macOS, Microsoft Auto Update is used to manage Microsoft
Defender for Endpoint for Mac updates. For information about the key features and
Defender for Endpoint on Mac updates. For information about the key features and
benefits, read our
[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/macOS).
For more details on how to get started, visit the Defender for Endpoint for Mac
For more details on how to get started, visit the Defender for Endpoint on macOS
[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac).
## Microsoft Defender for Endpoint for Linux
## Microsoft Defender for Endpoint on Linux
Microsoft Defender for Endpoint for Linux offers preventative (AV) capabilities for Linux
Microsoft Defender for Endpoint on Linux offers preventative (AV) capabilities for Linux
servers. This includes a full command line experience to configure and manage
the agent, initiate scans, and manage threats. We support recent versions of the
six most common Linux Server distributions: RHEL 7.2+, CentOS Linux 7.2+, Ubuntu
16 LTS, or higher LTS, SLES 12+, Debian 9+, and Oracle Linux 7.2. Microsoft
Defender for Endpoint for Linux can be deployed and configured using Puppet, Ansible, or
Defender for Endpoint on Linux can be deployed and configured using Puppet, Ansible, or
using your existing Linux configuration management tool. For information about
the key features and benefits, read our
[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Linux).
For more details on how to get started, visit the Microsoft Defender for Endpoint for
For more details on how to get started, visit the Microsoft Defender for Endpoint on
Linux
[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux).
## Microsoft Defender for Endpoint for Android
## Microsoft Defender for Endpoint on Android
Microsoft Defender for Endpoint for Android is our mobile threat defense solution for
Microsoft Defender for Endpoint on Android is our mobile threat defense solution for
devices running Android 6.0 and higher. Both Android Enterprise (Work Profile)
and Device Administrator modes are supported. On Android, we offer web
protection, which includes anti-phishing, blocking of unsafe connections, and
@ -83,11 +83,20 @@ through integration with Microsoft Endpoint Manager and Conditional Access. For
information about the key features and benefits, read our
[announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/bg-p/MicrosoftDefenderATPBlog/label-name/Android).
For more details on how to get started, visit the Microsoft Defender for Endpoint for
For more details on how to get started, visit the Microsoft Defender for Endpoint on
Android
[documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android).
## Microsoft Defender for Endpoint on iOS
Microsoft Defender for Endpoint on iOS is our mobile threat defense solution for devices
running iOS 11.0 and higher. Both Supervised and Unsupervised devices are supported.
On iOS, we offer web protection which includes anti-phishing, blocking unsafe connections, and
setting custom indicators. For more information about the key features and benefits,
read our [announcements](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/iOS).
For more details on how to get started, visit the Microsoft Defender for Endpoint
on iOS [documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios).
## Licensing requirements
@ -95,7 +104,7 @@ Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five co
devices. Microsoft Defender for Endpoint is also available for purchase from a Cloud
Solution Provider (CSP).
Customers can obtain Microsoft Defender for Endpoint for Mac through a standalone
Customers can obtain Microsoft Defender for Endpoint on macOS through a standalone
Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365
Security.

2
windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
View File

@ -40,6 +40,8 @@ For more information preview features, see [Preview features](https://docs.micro
> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
> ```
## December 2020
- [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) <br> Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS.
## September 2020
- [Microsoft Defender for Endpoint for Android](microsoft-defender-atp-android.md) <br> Microsoft Defender for Endpoint now adds support for Android. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for Android.