deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into tmv-secure-score-for-devices

Browse Source
This commit is contained in:
Beth Levin 2020-07-01 13:56:28 -07:00
commit c56ff92ce1
40 changed files with 818 additions and 334 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
.openpublishing.redirection.json
View File

Binary file not shown.

12
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -17,7 +17,6 @@ ms.date: 11/15/2017
# MDM enrollment of Windows 10-based devices
In todays cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organizations resources, such as apps, the corporate network, and email.
> [!NOTE]
@ -233,7 +232,7 @@ To create a local account and connect the device:
![access work or school](images/unifiedenrollment-rs1-30.png)
4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link).
4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
![connect to work or school](images/unifiedenrollment-rs1-31.png)
@ -260,7 +259,7 @@ To create a local account and connect the device:
![phone settings](images/unifiedenrollment-rs1-39.png)
3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link).
3. Select the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
![access work or school page](images/unifiedenrollment-rs1-40.png)
@ -325,7 +324,7 @@ To connect your devices to MDM using deep links:
1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
> (Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
(Be aware that this will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
- IT admins can add this link to a welcome email that users can select to enroll into MDM.
@ -341,7 +340,8 @@ To connect your devices to MDM using deep links:
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organizations MDM.
After you complete the flow, your device will be connected to your organization's MDM.
![corporate sign in](images/deeplinkenrollment4.png)
## Manage connections
@ -375,7 +375,7 @@ The **Disconnect** button can be found on all work connections. Generally, selec
- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device.
> [!WARNING]  
> [!WARNING]
> Disconnecting might result in the loss of data on the device.
## Collecting diagnostic logs

6
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -727,7 +727,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#managing-connections" data-raw-source="[Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections)">Managing connection</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#manage-connections" data-raw-source="[Manage connection](mdm-enrollment-of-windows-devices.md#manage-connections)">Managing connection</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top"><a href="enroll-a-windows-10-device-automatically-using-group-policy.md" data-raw-source="[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)">Enroll a Windows 10 device automatically using Group Policy</a></td>
@ -1226,7 +1226,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)">Connecting your Windows 10-based device to work using a deep link</a></td>
<td style="vertical-align:top"><a href="mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link" data-raw-source="[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link)">Connect your Windows 10-based device to work using a deep link</a></td>
<td style="vertical-align:top"><p>Added following deep link parameters to the table:</p>
<ul>
<li>Username</li>
@ -2899,7 +2899,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#managing-connections" data-raw-source="[Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections)">Managing connections</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
<p>For details, see <a href="mdm-enrollment-of-windows-devices.md#manage-connections" data-raw-source="[Manage connections](mdm-enrollment-of-windows-devices.md#manage-connections)">Managing connections</a> and <a href="mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs" data-raw-source="[Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)">Collecting diagnostic logs</a></p>
</td></tr>
</tbody>
</table>

8
windows/deployment/update/waas-delivery-optimization.md
View File

@ -141,11 +141,11 @@ For the payloads (optional):
**How does Delivery Optimization handle VPNs?**
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details and will treat the connection as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization will not use any peer-to-peer activity. However, you can allow peer-to-peer activity over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager and have for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the DownloadMode policy to 0 for that boundary group to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected via VPN, it can still leverage peer-to-peer with the default of LAN.
With split tunnelling, it's best to exclude the boundary group for the VPN devices to exclude it from using peer-to-peer. (In this case, those devices won't get the policy and will default to using LAN.) If you're using split tunnelling, you should allow direct access for these endpoints:
With split tunneling, make sure to allow direct access to these endpoints:
Delivery Optimization service endpoint:
- `https://*.prod.do.dsp.mp.microsoft.com`
@ -161,7 +161,7 @@ Windows Update and Microsoft Store backend services and Windows Update and Micro
- `https://*.update.microsoft.com`
- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
For more information about this if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
## Troubleshooting

5
windows/deployment/update/waas-wu-settings.md
View File

@ -26,16 +26,13 @@ ms.topic: article
You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more.
>[!IMPORTANT]
>In Windows 10, any Group Policy user configuration settings for Windows Update are no longer supported on this platform.
## Summary of Windows Update settings
| Group Policy setting | MDM setting | Supported from version |
| --- | --- | --- |
| [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All |
| [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 |
| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | | All |
| [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) | [Update/SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess)| All |
| [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) | | All |
| [Enable client-side targeting](#enable-client-side-targeting) | | All |
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |

87
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -19,11 +19,11 @@ ms.reviewer:
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
**Applies to**
- Windows 10, version 1703 or later
- On-premises deployment
- Certificate trust
Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
@ -38,6 +38,19 @@ A new Active Directory Federation Services farm should have a minimum of two fed
Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.
## Update Windows Server 2016
Sign-in the federation server with _local admin_ equivalent credentials.
@ -52,9 +65,10 @@ Sign-in the federation server with _local admin_ equivalent credentials.
Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
* Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com*
- Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
- Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
- Subject Alternate Name: Your device registration service name, such as *enterpriseregistration.contoso.com*
You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
@ -65,6 +79,7 @@ Its recommended that you mark the private key as exportable so that the same
Be sure to enroll or import the certificate into the AD FS servers computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
### Internal Web Server Authentication Certificate Enrollment
Sign-in the federation server with domain administrator equivalent credentials.
1. Start the Local Computer **Certificate Manager** (certlm.msc).
@ -83,10 +98,11 @@ A server authentication certificate should appear in the computers Personal c
## Deploy the Active Directory Federation Service Role
The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments.
* Device registration
* Key registration
* Certificate registration authority (certificate trust deployments)
The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments:
- Device registration
- Key registration
- Certificate registration authority (certificate trust deployments)
>[!IMPORTANT]
> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
@ -94,6 +110,7 @@ The Active Directory Federation Service (AD FS) role provides the following serv
Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration.
Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
1. Start **Server Manager**. Click **Local Server** in the navigation pane.
2. Click **Manage** and then click **Add Roles and Features**.
3. Click **Next** on the **Before you begin** page.
@ -107,12 +124,13 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
## Review
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm the AD FS farm uses the correct database configuration.
* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load.
* Confirm **all** AD FS servers in the farm have the latest updates.
* Confirm all AD FS servers have a valid server authentication certificate
* The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
* The alternate name of the certificate contains a wildcard or the FQDN of the federation service
- Confirm the AD FS farm uses the correct database configuration.
- Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load.
- Confirm **all** AD FS servers in the farm have the latest updates.
- Confirm all AD FS servers have a valid server authentication certificate.
- The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
- The alternate name of the certificate contains a wildcard or the FQDN of the federation service.
## Device Registration Service Account Prerequisite
@ -130,8 +148,9 @@ GMSA uses the Microsoft Key Distribution Service that is located on Windows Serv
#### Create KDS Root Key
Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
1. Start an elevated Windows PowerShell console.
2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`
2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`.
### Windows Server 2008 or 2008 R2 Domain Controllers
@ -140,6 +159,7 @@ Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key
#### Create an AD FS Service Account
Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
1. Open **Active Directory Users and Computers**.
2. Right-click the **Users** container, Click **New**. Click **User**.
3. In the **New Object User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
@ -241,12 +261,12 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
## Review
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you followed the correct procedures based on the domain controllers used in your deployment
* Confirm you followed the correct procedures based on the domain controllers used in your deployment.
* Windows Server 2012 or Windows Server 2012 R2
* Windows Server 2008 or Windows Server 2008 R2
* Confirm you have the correct service account based on your domain controller version.
* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs.
* Confirm you used a certificate with the correct names as the server authentication certificate
* Confirm you used a certificate with the correct names as the server authentication certificate.
* Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
* Certificate serial number
* Certificate thumbprint
@ -282,8 +302,8 @@ Sign-in a certificate authority or management workstations with _domain administ
5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
>[!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
> [!NOTE]
> The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
8. On the **Security** tab, click **Add**.
@ -316,11 +336,12 @@ Sign-in a certificate authority or management workstations with _domain administ
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
**Note:** If you use different template names, youll need to remember and substitute these names in different portions of the deployment.
> [!NOTE]
> If you use different template names, youll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box.
* Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
10. On the **Request Handling** tab, select the **Renew with same key** check box.
11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
@ -332,7 +353,7 @@ Sign-in a certificate authority or management workstations with _domain administ
Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials.
1. Open an elevated command prompt.
2. Run `certutil dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
2. Run `certutil dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`.
>[!NOTE]
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. Its important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
@ -369,14 +390,14 @@ Approximately 60 days prior to enrollment agent certificates expiration, the
### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service
> [!NOTE]
> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN)
> Normally this script is not needed, as enabling Device Registration via the ADFS Management console already creates the objects. You can validate the SCP using the script below. For detailed information about the Device Registration Service, see [Configuring Device Registration](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn614658(v=ws.11)?redirectedfrom=MSDN).
Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script:
> [!TIP]
> Make sure to change the $enrollmentService and $configNC variables before running the script.
```Powershell
```powershell
# Replace this with your Device Registration Service endpoint
$enrollmentService = "enterpriseregistration.contoso.com"
# Replace this with your Active Directory configuration naming context
@ -420,7 +441,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation
8. Click **Install** to start the feature installation.
![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
### Configure Network Load Balancing for AD FS
@ -457,7 +478,7 @@ Sign-in the domain controller or administrative workstation with domain administ
3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**.
6. Close the DNS Management console
6. Close the DNS Management console.
## Configure the Intranet Zone to include the federation service
@ -465,10 +486,10 @@ The Windows Hello provisioning presents web pages from the federation service.
### Create an Intranet Zone Group Policy
Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials
1. Start the **Group Policy Management Console** (gpmc.msc)
Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials:
1. Start the **Group Policy Management Console** (gpmc.msc).
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
3. Right-click **Group Policy object** and select **New**
3. Right-click **Group Policy object** and select **New**.
4. Type **Intranet Zone Settings** in the name box and click **OK**.
5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**.
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
@ -478,7 +499,7 @@ Sign-in the domain controller or administrative workstation with _Domain Admin_
### Deploy the Intranet Zone Group Policy object
1. Start the **Group Policy Management Console** (gpmc.msc)
1. Start the **Group Policy Management Console** (gpmc.msc).
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
@ -490,8 +511,8 @@ Before you continue with the deployment, validate your deployment progress by re
* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance.
* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include:
* Issuance requirements of an authorized signature from a certificate request agent.
* The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe
* The Windows Hello for Business Users group, or equivalent has the allow enroll permissions
* The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe.
* The Windows Hello for Business Users group, or equivalent has the allow enroll permissions.
* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities.
* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template.
* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet.
@ -511,7 +532,7 @@ You need to verify the AD FS service has properly enrolled for an enrollment age
### Event Logs
Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show
Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show:
* The account name under which the certificate was enrolled.
* The action, which should read enroll.

21
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -19,11 +19,13 @@ ms.reviewer:
# Configure Windows Hello for Business: Active Directory Federation Services
**Applies to**
- Windows 10, version 1703 or later
- Hybrid deployment
- Certificate trust
## Federation Services
The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
@ -45,7 +47,6 @@ Sign-in the AD FS server with *Domain Admin* equivalent credentials.
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
### Group Memberships for the AD FS Service Account
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
@ -57,13 +58,27 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. Open **Active Directory Users and Computers**.
2. Click the **Users** container in the navigation pane.
3. Right-click **Windows Hello for Business Users** group
4. Click the **Members** tab and click **Add**
3. Right-click **Windows Hello for Business Users** group.
4. Click the **Members** tab and click **Add**.
5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**.
6. Click **OK** to return to **Active Directory Users and Computers**.
7. Restart the AD FS server.
> [!NOTE]
>For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch Powershell as Administrator.
> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.
> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
> 7. Restart the ADFS service.
> 8. On the client: Restart the client. User should be prompted to provision WHFB.
> 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.
### Section Review
> [!div class="checklist"]
> * Configure the registration authority.
> * Update group memberships for the AD FS service account.

9
windows/security/threat-protection/TOC.md
View File

@ -20,6 +20,13 @@
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
## [Migration guides]()
### [Migrate from Symantec to Microsoft Defender ATP]()
#### [Get an overview of migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md)
#### [Prepare for your migration](microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md)
#### [Set up Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md)
#### [Onboard to Microsoft Defender ATP](microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md)
## [Security administration]()
### [Threat & Vulnerability Management]()
#### [Overview of Threat & Vulnerability Management](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
@ -575,7 +582,6 @@
###### [Advanced Hunting using PowerShell](microsoft-defender-atp/run-advanced-query-sample-powershell.md)
###### [Using OData Queries](microsoft-defender-atp/exposed-apis-odata-samples.md)
#### [Raw data streaming API]()
##### [Raw data streaming](microsoft-defender-atp/raw-data-export.md)
##### [Stream advanced hunting events to Azure Events hub](microsoft-defender-atp/raw-data-export-event-hub.md)
@ -590,7 +596,6 @@
##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md)
##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md)
#### [Partners & APIs]()
##### [Partner applications](microsoft-defender-atp/partner-applications.md)
##### [Connected applications](microsoft-defender-atp/connected-applications.md)

3
windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
View File

@ -31,7 +31,7 @@ This subcategory contains events about issued TGSs and failed TGS requests.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see our [***Security Monitoring Recommendations***](https://docs.microsoft.com/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events).<br /><br />We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
@ -42,4 +42,3 @@ This subcategory contains events about issued TGSs and failed TGS requests.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
- [4773](event-4773.md)(F): A Kerberos service ticket request failed.

4
windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 06/10/2020
ms.date: 06/29/2020
ms.reviewer:
manager: dansimp
---
@ -38,7 +38,7 @@ On at least two devices that are experiencing the same issue, obtain the .cab di
2. Navigate to the Microsoft Defender directory. By default, this is `C:\Program Files\Windows Defender`.
> [!NOTE]
> If you're running an updated Microsoft Defender Platform version, please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
> If you're running an [updated Microsoft Defender Platform version](https://support.microsoft.com/help/4052623/update-for-microsoft-defender-antimalware-platform), please run `MpCmdRun` from the following location: `C:\ProgramData\Microsoft\Windows Defender\Platform\<version>`.
3. Type the following command, and then press **Enter**

224
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -54,7 +54,7 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
@ -72,18 +72,18 @@ Set-MpPreference -DisableAutoExclusions $true
[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
[Use PowerShell with Microsoft Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
Use the **Set** method of the [MSFT_MpPreference](https://docs.microsoft.com/previous-versions/windows/desktop/defender/msft-mppreference) class for the following properties:
```WMI
DisableAutoExclusions
```
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
- [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal)
## List of automatic exclusions
@ -95,110 +95,110 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
#### Windows "temp.edb" files
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
#### Windows Update files or Automatic Update files
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
#### Windows Security files
- *%windir%*\Security\database\\*.chk
- `%windir%\Security\database\*.chk`
- *%windir%*\Security\database\\*.edb
- `%windir%\Security\database\*.edb`
- *%windir%*\Security\database\\*.jrs
- `%windir%\Security\database\*.jrs`
- *%windir%*\Security\database\\*.log
- `%windir%\Security\database\*.log`
- *%windir%*\Security\database\\*.sdb
- `%windir%\Security\database\*.sdb`
#### Group Policy files
- *%allusersprofile%*\NTUser.pol
- `%allusersprofile%\NTUser.pol`
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
- `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
#### WINS files
- *%systemroot%*\System32\Wins\\*\\\*.chk
- `%systemroot%\System32\Wins\*\*.chk`
- *%systemroot%*\System32\Wins\\*\\\*.log
- `%systemroot%\System32\Wins\*\*.log`
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- `%systemroot%\System32\Wins\*\*.mdb`
- *%systemroot%*\System32\LogFiles\
- `%systemroot%\System32\LogFiles\`
- *%systemroot%*\SysWow64\LogFiles\
- `%systemroot%\SysWow64\LogFiles\`
#### File Replication Service (FRS) exclusions
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- `%windir%\Ntfrs\jet\sys\*\edb.chk`
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- `%windir%\Ntfrs\jet\log\*\*.log`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
- *%windir%*\Ntfrs\\*\Edb\*.log
- `%windir%\Ntfrs\*\Edb\*.log`
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- `%systemroot%\Sysvol\*\Nntfrs_cmp*\`
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- `%systemroot%\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\*\Ntfrs*\`
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
> For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions).
> For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- `%systemdrive%\System Volume Information\DFSR\$db_normal$`
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- `%systemdrive%\System Volume Information\DFSR\*.XML`
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- `%systemdrive%\System Volume Information\DFSR\$db_clean$`
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- `%systemdrive%\System Volume Information\DFSR\*.frx`
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- `%systemdrive%\System Volume Information\DFSR\*.log`
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
- `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
#### Process exclusions
- *%systemroot%*\System32\dfsr.exe
- `%systemroot%\System32\dfsr.exe`
- *%systemroot%*\System32\dfsrs.exe
- `%systemroot%\System32\dfsrs.exe`
#### Hyper-V exclusions
@ -206,59 +206,59 @@ This section lists the file type exclusions, folder exclusions, and process excl
- File type exclusions:
- *.vhd
- `*.vhd`
- *.vhdx
- `*.vhdx`
- *.avhd
- `*.avhd`
- *.avhdx
- `*.avhdx`
- *.vsv
- `*.vsv`
- *.iso
- `*.iso`
- *.rct
- `*.rct`
- *.vmcx
- `*.vmcx`
- *.vmrs
- `*.vmrs`
- Folder exclusions:
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- `%ProgramData%\Microsoft\Windows\Hyper-V`
- *%ProgramFiles%*\Hyper-V
- `%ProgramFiles%\Hyper-V`
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- `%Public%\Documents\Hyper-V\Virtual Hard Disks`
- Process exclusions:
- *%systemroot%*\System32\Vmms.exe
- `%systemroot%\System32\Vmms.exe`
- *%systemroot%*\System32\Vmwp.exe
- `%systemroot%\System32\Vmwp.exe`
#### SYSVOL files
- *%systemroot%*\Sysvol\Domain\\*.adm
- `%systemroot%\Sysvol\Domain\*.adm`
- *%systemroot%*\Sysvol\Domain\\*.admx
- `%systemroot%\Sysvol\Domain\*.admx`
- *%systemroot%*\Sysvol\Domain\\*.adml
- `%systemroot%\Sysvol\Domain\*.adml`
- *%systemroot%*\Sysvol\Domain\Registry.pol
- `%systemroot%\Sysvol\Domain\Registry.pol`
- *%systemroot%*\Sysvol\Domain\\*.aas
- `%systemroot%\Sysvol\Domain\*.aas`
- *%systemroot%*\Sysvol\Domain\\*.inf
- `%systemroot%\Sysvol\Domain\*.inf`
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- `%systemroot%\Sysvol\Domain\*.Scripts.ini`
- *%systemroot%*\Sysvol\Domain\\*.ins
- `%systemroot%\Sysvol\Domain\*.ins`
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
- `%systemroot%\Sysvol\Domain\Oscfilter.ini`
### Active Directory exclusions
@ -268,51 +268,51 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- %windir%\Ntds\ntds.dit
- `%windir%\Ntds\ntds.dit`
- %windir%\Ntds\ntds.pat
- `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- %windir%\Ntds\EDB*.log
- `%windir%\Ntds\EDB*.log`
- %windir%\Ntds\Res*.log
- `%windir%\Ntds\Res*.log`
- %windir%\Ntds\Edb*.jrs
- `%windir%\Ntds\Edb*.jrs`
- %windir%\Ntds\Ntds*.pat
- `%windir%\Ntds\Ntds*.pat`
- %windir%\Ntds\TEMP.edb
- `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- %windir%\Ntds\Temp.edb
- `%windir%\Ntds\Temp.edb`
- %windir%\Ntds\Edb.chk
- `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files
- %systemroot%\System32\ntfrs.exe
- `%systemroot%\System32\ntfrs.exe`
- %systemroot%\System32\lsass.exe
- `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- `%systemroot%\System32\DHCP\*\*.mdb`
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- `%systemroot%\System32\DHCP\*\*.pat`
- *%systemroot%*\System32\DHCP\\*\\\*.log
- `%systemroot%\System32\DHCP\*\*.log`
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- `%systemroot%\System32\DHCP\*\*.chk`
- *%systemroot%*\System32\DHCP\\*\\\*.edb
- `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions
@ -320,27 +320,27 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role
- *%systemroot%*\System32\Dns\\*\\\*.log
- `%systemroot%\System32\Dns\*\*.log`
- *%systemroot%*\System32\Dns\\*\\\*.dns
- `%systemroot%\System32\Dns\*\*.dns`
- *%systemroot%*\System32\Dns\\*\\\*.scc
- `%systemroot%\System32\Dns\*\*.scc`
- *%systemroot%*\System32\Dns\\*\BOOT
- `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role
- *%systemroot%*\System32\dns.exe
- `%systemroot%\System32\dns.exe`
### File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
- `%SystemDrive%\ClusterStorage`
- *%clusterserviceaccount%*\Local Settings\Temp
- `%clusterserviceaccount%\Local Settings\Temp`
- *%SystemDrive%*\mscs
- `%SystemDrive%\mscs`
### Print Server exclusions
@ -348,19 +348,19 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions
- *.shd
- `*.shd`
- *.spl
- `*.spl`
#### Folder exclusions
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- *%system32%*\spool\printers\\*
- `%system32%\spool\printers\*`
#### Process exclusions
- spoolsv.exe
- `spoolsv.exe`
### Web Server exclusions
@ -368,35 +368,35 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions
- *%SystemRoot%*\IIS Temporary Compressed Files
- `%SystemRoot%\IIS Temporary Compressed Files`
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
- *%systemDrive%*\inetpub\logs
- `%systemDrive%\inetpub\logs`
- *%systemDrive%*\inetpub\wwwroot
- `%systemDrive%\inetpub\wwwroot`
#### Process exclusions
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- `%SystemRoot%\system32\inetsrv\w3wp.exe`
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
- *%SystemDrive%*\PHP5433\php-cgi.exe
- `%SystemDrive%\PHP5433\php-cgi.exe`
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
- `%systemroot%\WSUS\WSUSContent`
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- `%systemroot%\WSUS\UpdateServicesDBFiles`
- *%systemroot%*\SoftwareDistribution\Datastore
- `%systemroot%\SoftwareDistribution\Datastore`
- *%systemroot%*\SoftwareDistribution\Download
- `%systemroot%\SoftwareDistribution\Download`
## Related articles

5
windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
View File

@ -13,7 +13,7 @@ author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
audience: ITPro
ms.date: 02/12/2020
ms.date:
ms.reviewer:
manager: dansimp
---
@ -25,6 +25,9 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
> [!NOTE]
> Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might not be be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices.
Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints which adversely affect endpoint performance or use. _PUA_ can also refer to an application that has a poor reputation, as assessed by Microsoft Defender ATP, due to certain kinds of undesirable behavior.
For example:

2
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
View File

@ -58,7 +58,7 @@ There are five locations where you can specify where an endpoint should obtain u
To ensure the best level of protection, Microsoft Update allows for rapid releases, which means smaller downloads on a frequent basis. The Windows Server Update Service, Microsoft Endpoint Configuration Manager, and Microsoft security intelligence updates sources deliver less frequent updates. Thus, the delta can be larger, resulting in larger downloads.
> [!IMPORTANT]
> If you have set [Microsoft Malware Protection Center Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) (MMPC) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is 14 consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
> If you have set [Microsoft Security intelligence page](https://www.microsoft.com/security/portal/definitions/adl.aspx) updates as a fallback source after Windows Server Update Service or Microsoft Update, updates are only downloaded from security intelligence updates when the current update is considered out-of-date. (By default, this is seven consecutive days of not being able to apply updates from the Windows Server Update Service or Microsoft Update services).
> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).<p>
> Starting Monday, October 21, 2019, security intelligence updates will be SHA-2 signed exclusively. Devices must be updated to support SHA-2 in order to get the latest security intelligence updates. To learn more, see [2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus).

2
windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

@ -84,7 +84,7 @@ If you are enrolled in Microsoft Defender ATP and you are using a third party an
When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.
In passive and automatic disabled mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode.

4
windows/security/threat-protection/microsoft-defender-atp/android-configure.md
View File

@ -29,7 +29,7 @@ Directory enables enforcing Device compliance and Conditional Access policies
based on device risk levels. Microsoft Defender ATP is a Mobile Threat Defense
(MTD) solution that you can deploy to leverage this capability via Intune.
For more infomation on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
For more information on how to setup Microsoft Defender ATP for Android and Conditional Access, see [Microsoft Defender ATP and
Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
@ -43,7 +43,7 @@ Microsoft Defender ATP for Android enables admins to configure custom indicators
## Configure web protection
Microsoft Defender ATP for Android allows IT Administrators the ability to configure the web protection feature. This capability is available within the Microsoft Endpoint Manager Admin center.
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection).
For more information, see [Configure web protection on devices that run Android](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection#configure-web-protection-on-devices-that-run-android).
## Related topics
- [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp-android.md)

4
windows/security/threat-protection/microsoft-defender-atp/android-intune.md
View File

@ -136,7 +136,7 @@ Options](https://docs.microsoft.com/mem/intune/enrollment/android-enroll) .
As Microsoft Defender ATP for Android is deployed via managed Google Play,
updates to the app are automatic via Google Play.
Currently only Work Profile, Fully Managed devices are supported for deployment.
Currently only Work Profile enrolled devices are supported for deployment.
>[!NOTE]
@ -265,7 +265,7 @@ assignment.
## Complete onboarding and check status
1. Confirm the installation status of Microsoft Defender ATP for Android by
clicking on the **Device Install Status**. Verif that the device is
clicking on the **Device Install Status**. Verify that the device is
displayed here.
![Image of device installation status](images/900c0197aa59f9b7abd762ab2b32e80c.png)

BIN
windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/security/threat-protection/microsoft-defender-atp/images/SymantecMigration-DefenderATP-phase3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

80
windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md
View File

@ -35,14 +35,15 @@ This topic describes how to deploy Microsoft Defender ATP for Linux using Ansibl
Before you get started, please see [the main Microsoft Defender ATP for Linux page](microsoft-defender-atp-linux.md) for a description of prerequisites and system requirements for the current software version.
In addition, for Ansible deployment, you need to be familiar with Ansible administration tasks, have Ansible configured, and know how to deploy playbooks and tasks. Ansible has many ways to complete the same task. These instructions assume availability of supported Ansible modules, such as *apt* and *unarchive* to help deploy the package. Your organization might use a different workflow. Please refer to the [Ansible documentation](https://docs.ansible.com/) for details.
- Ansible needs to be installed on at least on one computer (we will call it the master).
- SSH must be configured for an administrator account between the master and all clients, and it is recommended be configured with public key authentication.
- The following software must be installed on all clients:
- curl
- python-apt
- unzip
- All hosts must be listed in the following format in the `/etc/ansible/hosts` file:
- All hosts must be listed in the following format in the `/etc/ansible/hosts` or relevant file:
```bash
[servers]
@ -79,55 +80,32 @@ Download the onboarding package from Microsoft Defender Security Center:
## Create Ansible YAML files
Create subtask or role files that contribute to an actual task. First create the `download_copy_blob.yml` file under the `/etc/ansible/roles` directory:
Create a subtask or role files that contribute to an playbook or task.
- Copy the onboarding package to all client devices:
- Create the onboarding task, `onboarding_setup.yml`:
```bash
- name: Copy the zip file
copy:
src: /root/WindowsDefenderATPOnboardingPackage.zip
dest: /root/WindowsDefenderATPOnboardingPackage.zip
- name: Create MDATP directories
file:
path: /etc/opt/microsoft/mdatp/
recurse: true
state: directory
mode: 0755
owner: root
group: root
mode: '0644'
- name: Add Microsoft apt signing key
apt_key:
url: https://packages.microsoft.com/keys/microsoft.asc
state: present
when: ansible_os_family == "Debian"
```
- Create the `setup.sh` script that operates on the onboarding file, in this example located in the `/root` directory:
```bash
#!/bin/bash
# We assume WindowsDefenderATPOnboardingPackage.zip is stored in /root
cd /root || exit 1
# Unzip the archive and create the onboarding file
mkdir -p /etc/opt/microsoft/mdatp/
unzip WindowsDefenderATPOnboardingPackage.zip
cp mdatp_onboard.json /etc/opt/microsoft/mdatp/mdatp_onboard.json
```
- Create the onboarding task, `onboarding_setup.yml`, under the `/etc/ansible/roles` directory:
```bash
- name: Register mdatp_onboard.json
stat: path=/etc/opt/microsoft/mdatp/mdatp_onboard.json
stat:
path: /etc/opt/microsoft/mdatp/mdatp_onboard.json
register: mdatp_onboard
- name: Copy the setup script file
copy:
src: /root/setup.sh
dest: /root/setup.sh
- name: Extract WindowsDefenderATPOnboardingPackage.zip into /etc/opt/microsoft/mdatp
unarchive:
src: WindowsDefenderATPOnboardingPackage.zip
dest: /etc/opt/microsoft/mdatp
mode: 0600
owner: root
group: root
mode: '0744'
- name: Run a script to create the onboarding file
script: /root/setup.sh
when: not mdatp_onboard.stat.exists
```
@ -150,6 +128,12 @@ Create subtask or role files that contribute to an actual task. First create the
> In case of Oracle Linux, replace *[distro]* with “rhel”.
```bash
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
when: ansible_os_family == "Debian"
- name: Add Microsoft apt repository for MDATP
apt_repository:
repo: deb [arch=arm64,armhf,amd64] https://packages.microsoft.com/[distro]/[version]/prod [channel] main
@ -158,12 +142,6 @@ Create subtask or role files that contribute to an actual task. First create the
filename: microsoft-[channel].list
when: ansible_os_family == "Debian"
- name: Add Microsoft APT key
apt_key:
keyserver: https://packages.microsoft.com/
id: BC528686B50D79E339D3721CEB3E94ADBE1229CF
when: ansible_os_family == "Debian"
- name: Add Microsoft yum repository for MDATP
yum_repository:
name: packages-microsoft-com-prod-[channel]
@ -175,7 +153,7 @@ Create subtask or role files that contribute to an actual task. First create the
when: ansible_os_family == "RedHat"
```
- Create the actual install/uninstall YAML files under `/etc/ansible/playbooks`.
- Create the Ansible install and uninstall YAML files.
- For apt-based distributions use the following YAML file:
@ -183,8 +161,7 @@ Create subtask or role files that contribute to an actual task. First create the
$ cat install_mdatp.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/onboarding_setup.yml
- include: ../roles/add_apt_repo.yml
- apt:
name: mdatp
@ -207,8 +184,7 @@ Create subtask or role files that contribute to an actual task. First create the
$ cat install_mdatp_yum.yml
- hosts: servers
tasks:
- include: ../roles/download_copy_blob.yml
- include: ../roles/setup_blob.yml
- include: ../roles/onboarding_setup.yml
- include: ../roles/add_yum_repo.yml
- yum:
name: mdatp
@ -227,7 +203,7 @@ Create subtask or role files that contribute to an actual task. First create the
## Deployment
Now run the tasks files under `/etc/ansible/playbooks/`.
Now run the tasks files under `/etc/ansible/playbooks/` or relevant directory.
- Installation:

41
windows/security/threat-protection/microsoft-defender-atp/linux-resources.md
View File

@ -69,18 +69,31 @@ There are several ways to uninstall Microsoft Defender ATP for Linux. If you are
## Configure from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line.
### Global options
By default, the command-line tool outputs the result in human-readable format. In addition to this, the tool also supports outputting the result as JSON, which is useful for automation scenarios. To change the output to JSON, pass `--output json` to any of the below commands.
### Supported commands
The following table lists commands for some of the most common scenarios. Run `mdatp help` from the Terminal to view the full list of supported commands.
|Group |Scenario |Command |
|-------------|-------------------------------------------|-----------------------------------------------------------------------|
|Configuration|Turn on/off real-time protection |`mdatp config real_time_protection --value [enabled|disabled]` |
|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` |
|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
|Configuration|Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
|Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
|----------------------|--------------------------------------------------------|-----------------------------------------------------------------------|
|Configuration |Turn on/off real-time protection |`mdatp config real-time-protection --value [enabled|disabled]` |
|Configuration |Turn on/off cloud protection |`mdatp config cloud --value [enabled|disabled]` |
|Configuration |Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled|disabled]` |
|Configuration |Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission [enabled|disabled]` |
|Configuration |Turn on/off AV passive mode |`mdatp config passive-mode [enabled|disabled]` |
|Configuration |Add/remove an antivirus exclusion for a file extension |`mdatp exclusion extension [add|remove] --name <extension>` |
|Configuration |Add/remove an antivirus exclusion for a file |`mdatp exclusion file [add|remove] --path <path-to-file>` |
|Configuration |Add/remove an antivirus exclusion for a directory |`mdatp exclusion folder [add|remove] --path <path-to-directory>` |
|Configuration |Add/remove an antivirus exclusion for a process |`mdatp exclusion process [add|remove] --path <path-to-process>`<br/>`mdatp exclusion process [add|remove] --name <process-name>` |
|Configuration |List all antivirus exclusions |`mdatp exclusion list` |
|Configuration |Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action block` |
|Configuration |Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action off` |
|Configuration |Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application --action audit` |
|Diagnostics |Change the log level |`mdatp log level set --level verbose [error|warning|info|verbose]` |
|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
|Health |Check the product's health |`mdatp health` |
@ -89,6 +102,13 @@ Important tasks, such as controlling product settings and triggering on-demand s
|Protection |Do a full scan |`mdatp scan full` |
|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
|Protection |Request a security intelligence update |`mdatp definitions update` |
|Protection history |Print the full protection history |`mdatp threat list` |
|Protection history |Get threat details |`mdatp threat get --id <threat-id>` |
|Quarantine management |List all quarantined files |`mdatp threat quarantine list` |
|Quarantine management |Remove all files from the quarantine |`mdatp threat quarantine remove-all` |
|Quarantine management |Add a file detected as a threat to the quarantine |`mdatp threat quarantine add --id <threat-id>` |
|Quarantine management |Remove a file detected as a threat from the quarantine |`mdatp threat quarantine add --id <threat-id>` |
|Quarantine management |Restore a file from the quarantine |`mdatp threat quarantine add --id <threat-id>` |
## Microsoft Defender ATP portal information
@ -113,6 +133,7 @@ In the Microsoft Defender ATP portal, you'll see two categories of information:
### Known issues
- You might see "No sensor data, impaired communications" in the machine information page of the Microsoft Defender Security Center portal, even though the product is working as expected. We are working on addressing this issue.
- Logged on users do not appear in the Microsoft Defender Security Center portal.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:

2
windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md
View File

@ -39,7 +39,7 @@ There are several methods and deployment tools that you can use to install and c
In general you need to take the following steps:
- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the Microsoft Defender ATP portal.
- Ensure that you have a Microsoft Defender ATP subscription, and that you have access to the [Microsoft Defender ATP portal](microsoft-defender-security-center.md).
- Deploy Microsoft Defender ATP for Linux using one of the following deployment methods:
- The command-line tool:
- [Manual deployment](linux-install-manually.md)

14
windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md
View File

@ -93,6 +93,18 @@ Ensure that your devices:
- Have at least one security recommendation that can be viewed in the device page
- Are tagged or marked as co-managed
## APIs
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
See the following topics for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
- [Recommendation APIs](vulnerability.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
## Related topics
- [Supported operating systems and platforms](tvm-supported-os.md)
@ -104,6 +116,6 @@ Ensure that your devices:
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [BLOG: Microsoft's Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time](https://www.microsoft.com/security/blog/2019/07/02/microsofts-threat-vulnerability-management-now-helps-thousands-of-customers-to-discover-prioritize-and-remediate-vulnerabilities-in-real-time/)

55
windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md Normal file
View File

@ -0,0 +1,55 @@
---
title: Migrate from Symantec to Microsoft Defender ATP
description: Make the switch from Symantec to Microsoft Defender ATP
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Migrate from Symantec to Microsoft Defender Advanced Threat Protection
If you are planning to switch from Symantec Endpoint Protection (Symantec) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration.
## The migration process
When you switch from Symantec to Microsoft Defender ATP, you follow a process that can be divided into three phases, as depicted in the following image:
:::image type="content" source="images/SymantecMigration-DefenderATP-overview.png" alt-text="Phase 1 - Prepare. Phase 2 - Setup. Phase 3 - Onboard":::
- During the [**Prepare** phase](symantec-to-microsoft-defender-atp-prepare.md), you get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP.
- During the [**Setup** phase](symantec-to-microsoft-defender-atp-setup.md), you configure settings and exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and Symantec Endpoint Protection. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.
- During the [**Onboard** phase](symantec-to-microsoft-defender-atp-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall Symantec and make sure protection through Microsoft Defender ATP is in place.
## What's included in Microsoft Defender ATP?
In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP.
| Feature/Capability | Description |
|---|---|
| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). |
| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. |
| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. |
| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. |
| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. |
| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. |
| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. |
| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. |
**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).**
## Next step
- Proceed to [Prepare for your migration](symantec-to-microsoft-defender-atp-prepare.md).

100
windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md Normal file
View File

@ -0,0 +1,100 @@
---
title: Phase 3 - Onboard to Microsoft Defender ATP
description: Make the switch from Symantec to Microsoft Defender ATP
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP
:::image type="content" source="images/SymantecMigration-DefenderATP-phase3.png" alt-text="Phase 3: Onboard":::
**Welcome to Phase 3 of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This migration phase includes the following steps:
1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp).
2. [Run a detection test](#run-a-detection-test).
3. [Uninstall Symantec](#uninstall-symantec).
4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode).
## Onboard devices to Microsoft Defender ATP
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
2. Choose **Settings** > **Device management** > **Onboarding**.
3. In the **Select operating system to start onboarding process** list, select an operating system.
4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods).
### Onboarding methods
Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding.
|Operating system |Method |
|---------|---------|
|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)<br/>- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)<br/>- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)<br/>- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
|Windows 8.1 Enterprise <br/>Windows 8.1 Pro <br/>Windows 7 SP1 Enterprise <br/>Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)<br/><br/>**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). |
|Windows Server 2019 and later <br/>Windows Server 2019 core edition <br/>Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script) <br/>- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp) <br/>- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) <br/>- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-machines-using-earlier-versions-of-system-center-configuration-manager) <br/>- [VDI onboarding scripts for non-persistent machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi) <br/><br/>**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. |
|Windows Server 2016 <br/>Windows Server 2012 R2 <br/>Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)<br/>- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) |
|macOS<br/>iOS<br/>Linux |[Onboard non-Windows machines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) |
## Run a detection test
To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test.
|Operating system |Guidance |
|---------|---------|
|- Windows 10 <br/>- Windows Server 2019 <br/>- Windows Server, version 1803 <br/>- Windows Server 2016 <br/>- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). <br/><br/>Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. |
|macOS<br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave)<br/>- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy). <br/><br/>For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). |
|Linux:<br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**: <br/>`mdatp health --field real_time_protection_enabled`. <br/><br/>2. Open a Terminal window, and run the following command: <br/>`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`. <br/><br/>3. Run the following command to list any detected threats: <br/>`mdatp threat list`. <br/><br/>For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). |
## Uninstall Symantec
Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall Symantec.
1. [Disable Tamper Protection](https://knowledge.broadcom.com/external/article?legacyId=tech192023) in Symantec.
2. Delete the uninstall password for Symantec:
1. On your Windows devices, open Registry Editor as an administrator.
2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC`.
3. Look for an entry named **SmcInstData**. Right-click the item, and then choose **Delete**.
3. Remove Symantec from your devices. You can use SEP Manager to perform this task. See [Configuring client packages to uninstall existing security software](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Managing-a-custom-installation/preparing-for-client-installation-v16742985-d21e7/configuring-client-packages-to-uninstall-existing-v73569396-d21e2634.html).
> [!TIP]
> Need help? See the following Broadcom resources:
> - [Uninstall Symantec Endpoint Protection](https://knowledge.broadcom.com/external/article/156148/uninstall-symantec-endpoint-protection.html).
> - Windows devices: [Manually uninstall Endpoint Protection 14 clients on Windows](https://knowledge.broadcom.com/external/article?articleId=170040).
> - macOS computers: [Remove Symantec software for Mac using RemoveSymantecMacFiles](https://knowledge.broadcom.com/external/article?articleId=151387).
> - Linux devices: [Frequently Asked Questions for Endpoint Protection for Linux](https://knowledge.broadcom.com/external/article?articleId=162054).
## Make sure Microsoft Defender ATP is in active mode
Now that you have uninstalled Symantec, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode.
To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following:
- Cloud-delivered protection
- Potentially Unwanted Applications (PUA)
- Network Protection (NP)
## Next steps
**Congratulations**! You have completed your [migration from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
- To learn more about Microsoft Defender ATP and how to configure or adjust various features and capabilities, see [Microsoft Defender ATP documentation](https://docs.microsoft.com/windows/security/threat-protection).

82
windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md Normal file
View File

@ -0,0 +1,82 @@
---
title: Phase 1 - Prepare for your migration to Microsoft Defender ATP
description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration.
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Migrate from Symantec - Phase 1: Prepare for your migration
:::image type="content" source="images/SymantecMigration-DefenderATP-phase1.png" alt-text="Prepare to migrate":::
**Welcome to the Prepare phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**.
This migration phase includes the following steps:
1. [Get Microsoft Defender ATP](#get-microsoft-defender-atp).
2. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center).
3. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings).
## Get Microsoft Defender ATP
To get started, you must have Microsoft Defender ATP, with licenses assigned and provisioned.
1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp).
2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state).
3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration).
4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration).
At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
> [!NOTE]
> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal.
## Grant access to the Microsoft Defender Security Center
The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use).
Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions.
1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control).
2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control).
If your organization requires a method other than Intune, choose one of the following options:
- [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration)
- [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm)
- [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview)
3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)).
## Configure device proxy and internet connectivity settings
To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities:
|Capabilities | Operating System | Resources |
|--|--|--|
|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information) <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) |
|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016) <br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) |
|EDR |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information) <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) <br/>- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)<br/> |
|Antivirus |macOS: <br/>- 10.15 (Catalina)<br/>- 10.14 (Mojave) <br/>- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) |
|Antivirus |Linux: <br/>- RHEL 7.2+<br/>- CentOS Linux 7.2+<br/>- Ubuntu 16 LTS, or higher LTS<br/>- SLES 12+<br/>- Debian 9+<br/>- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections)
## Next step
**Congratulations**! You have completed the **Prepare** phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
- [Proceed to set up Microsoft Defender ATP](symantec-to-microsoft-defender-atp-setup.md).

204
windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md Normal file
View File

@ -0,0 +1,204 @@
---
title: Phase 2 - Set up Microsoft Defender ATP
description: Phase 2 - Set up Microsoft Defender ATP
keywords: migration, windows defender advanced threat protection, atp, edr
search.product: eADQiWindows 10XVcnh
search.appverid: met150
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
# Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP
:::image type="content" source="images/SymantecMigration-DefenderATP-phase2.png" alt-text="Phase 2 - Setup":::
**Welcome to the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)**. This phase includes the following steps:
1. [Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)](#enable-or-reinstall-microsoft-defender-antivirus-for-certain-versions-of-windows).
2. [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
3. [Add Microsoft Defender ATP to the exclusion list for Symantec](#add-microsoft-defender-atp-to-the-exclusion-list-for-symantec).
4. [Add Symantec to the exclusion list for Microsoft Defender Antivirus](#add-symantec-to-the-exclusion-list-for-microsoft-defender-antivirus).
5. [Add Symantec to the exclusion list for Microsoft Defender ATP](#add-symantec-to-the-exclusion-list-for-microsoft-defender-atp).
6. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units).
7. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection).
## Enable or reinstall Microsoft Defender Antivirus (for certain versions of Windows)
> [!TIP]
> If you're running Windows 10, you do not need to perform this task. Proceed to **[Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus)**.
On certain versions of Windows, Microsoft Defender Antivirus might have been uninstalled or disabled. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as Symantec. To learn more, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
Now that you're moving from Symantec to Microsoft Defender ATP, you'll need to enable or reinstall Microsoft Defender Antivirus, and set it to passive mode.
### Reinstall Microsoft Defender Antivirus on Windows Server
> [!NOTE]
> The following procedure applies only to endpoints or devices that are running the following versions of Windows:
> - Windows Server 2019
> - Windows Server, version 1803 (core-only mode)
> - Windows Server 2016
>
> Microsoft Defender Antivirus is built into Windows 10, but it might be disabled. In this case, proceed to [Enable Microsoft Defender Antivirus](#enable-microsoft-defender-antivirus).
1. As a local administrator on the endpoint or device, open Windows PowerShell.
2. Run the following PowerShell cmdlets: <br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features` <br/>
`Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender` <br/>
3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet: <br/>
`Get-Service -Name windefend`
> [!TIP]
> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016).
### Set Microsoft Defender Antivirus to passive mode on Windows Server
Because your organization is still using Symantec, you must set Microsoft Defender Antivirus to passive mode. That way, Symantec and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP.
1. Open Registry Editor, and then navigate to <br/>
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`.
2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings:
- Set the DWORD's value to **1**.
- Under **Base**, select **Hexadecimal**.
> [!NOTE]
> You can use other methods to set the registry key, such as the following:
>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11))
>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool)
>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs)
## Enable Microsoft Defender Antivirus
Because your organization has been using Symantec as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus.
To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table:
|Method |What to do |
|---------|---------|
|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).<br/><br/>3. Select **Properties**, and then select **Configuration settings: Edit**.<br/><br/>4. Expand **Microsoft Defender Antivirus**. <br/><br/>5. Enable **Cloud-delivered protection**.<br/><br/>6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.<br/><br/>7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.<br/><br/>8. Select **Review + save**, and then choose **Save**.<br/><br/>For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).|
|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows). <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/) <br/>or<br/>[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`. <br/><br/>2. Look for a policy called **Turn off Microsoft Defender Antivirus**.<br/> <br/>3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus. <br/><br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. |
### Verify that Microsoft Defender Antivirus is in passive mode
Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table:
|Method |What to do |
|---------|---------|
|Command Prompt |1. On a Windows device, open Command Prompt as an administrator. <br/><br/>2. Type `sc query windefend`, and then press Enter.<br/><br/>3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. |
|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.<br/><br/>2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet. <br/><br/>3. In the list of results, look for **AntivirusEnabled: True**. |
> [!NOTE]
> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
## Add Microsoft Defender ATP to the exclusion list for Symantec
This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for Symantec and any other security products your organization is using. The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table:
|OS |Exclusions |
|--|--|
|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))<br/>- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed <br/>- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)<br/>- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`<br/><br/>`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`<br/> |
|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2) <br/>- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)<br/>- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)<br/>- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)<br/>- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`<br/><br/>**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`<br/><br/>`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` |
## Add Symantec to the exclusion list for Microsoft Defender Antivirus
During this step of the setup process, you add Symantec and your other security solutions to the Microsoft Defender Antivirus exclusion list.
When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind:
- Path exclusions exclude specific files and whatever those files access.
- Process exclusions exclude whatever a process touches, but does not exclude the process itself.
- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded.
- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.)
You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table:
|Method | What to do|
|--|--|
|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) <br/><br/>**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.<br/><br/>2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.<br/><br/>3. Under **Manage**, select **Properties**. <br/><br/>4. Select **Configuration settings: Edit**.<br/><br/>5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.<br/><br/>6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).<br/><br/>7. Choose **Review + save**, and then choose **Save**. |
|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify. <br/><br/>2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. |
|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.<br/><br/>2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.<br/><br/>3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.<br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>4. Double-click the **Path Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Specify each folder on its own line under the **Value name** column.<br/>- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.<br/><br/>5. Click **OK**.<br/><br/>6. Double-click the **Extension Exclusions** setting and add the exclusions.<br/>- Set the option to **Enabled**.<br/>- Under the **Options** section, click **Show...**.<br/>- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.<br/><br/>7. Click **OK**. |
|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor. <br/><br/>2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**. <br/>**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.<br/><br/>3. Specify your path and process exclusions. |
|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.<br/><br/>2. Import the registry key. Here are two examples:<br/>- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg` <br/>- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` |
## Add Symantec to the exclusion list for Microsoft Defender ATP
To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files).
1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in.
2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**.
3. On the **File hashes** tab, choose **Add indicator**.
3. On the **Indicator** tab, specify the following settings:
- File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.)
- Under **Expires on (UTC)**, choose **Never**.
4. On the **Action** tab, specify the following settings:
- **Response Action**: **Allow**
- Title and description
5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**.
6. On the **Summary** tab, review the settings, and then click **Save**.
### Find a file hash using CMPivot
CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview).
To use CMPivot to get your file hash, follow these steps:
1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites).
2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot).
3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`).
4. Select the **Query** tab.
5. In the **Device Collection** list, and choose **All Systems (default)**.
6. In the query box, type the following query:<br/>
```kusto
File(c:\\windows\\notepad.exe)
| project Hash
```
> [!NOTE]
> In the query above, replace *notepad.exe* with the your third-party security product process name.
## Set up your device groups, device collections, and organizational units
| Collection type | What to do |
|--|--|
|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.<br/><br/> Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed. <br/><br/>Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).<br/><br/>2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**. <br/><br/>3. Choose **+ Add device group**.<br/><br/>4. Specify a name and description for the device group.<br/><br/>5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).<br/><br/>6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags). <br/><br/>7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group. <br/><br/>8. Choose **Done**. |
|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization. <br/><br/>Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). |
|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.<br/><br/> Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). |
## Configure antimalware policies and real-time protection
Using Configuration Manager and your device collection(s), configure your antimalware policies.
- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies).
- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus).
> [!TIP]
> You can deploy the policies before your organization's devices on onboarded.
## Next step
**Congratulations**! You have completed the Setup phase of [migrating from Symantec to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md#the-migration-process)!
- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-onboard.md)

49
windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md
View File

@ -27,18 +27,6 @@ ms.topic: article
[!include[Prerelease information](../../includes/prerelease.md)]
## APIs
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and device vulnerability inventory, software version distribution, device vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).
See the following topics for related APIs:
- [Supported Microsoft Defender ATP APIs](exposed-apis-list.md)
- [Machine APIs](machine.md)
- [Recommendation APIs](vulnerability.md)
- [Score APIs](score.md)
- [Software APIs](software.md)
- [Vulnerability APIs](vulnerability.md)
## Use advanced hunting query to search for devices with High active alerts or critical CVE public exploit
1. Go to **Advanced hunting** from the left-hand navigation pane of the Microsoft Defender Security Center.
@ -62,41 +50,6 @@ DeviceName=any(DeviceName) by DeviceId, AlertId
```
## Find and remediate software or software versions which have reached end-of-support (EOS)
End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
To find software or software versions which have reached end-of-support:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png)
3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png)
### List of versions and dates
To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
![Screenshot of version distribution link](images/eos-upcoming-eos.png)
2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
![Screenshot of version distribution link](images/software-drilldown-eos.png)
3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date.
![Screenshot of version distribution link](images/version-eos-date.png)
After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats. See [Remediation and exception](tvm-remediation.md) for details.
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
@ -108,7 +61,7 @@ After you have identified which software and software versions are vulnerable du
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)
- [Advanced hunting overview](overview-hunting.md)
- [All advanced hunting tables](advanced-hunting-reference.md)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md
View File

@ -86,5 +86,5 @@ See [Microsoft Defender ATP icons](portal-overview.md#microsoft-defender-atp-ico
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md
View File

@ -62,5 +62,5 @@ Lower your threat and vulnerability exposure by remediating [security recommenda
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md
View File

@ -91,5 +91,5 @@ You can improve your security configuration when you remediate issues from the s
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md
View File

@ -104,5 +104,5 @@ Select **Show exceptions** at the bottom of the **Top security recommendations**
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

42
windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md
View File

@ -90,9 +90,9 @@ From the flyout, you can do any of the following:
- **Open software page** - Open the software page to get more context on the software and how it is distributed. The information can include threat context, associated recommendations, weaknesses discovered, number of exposed devices, discovered vulnerabilities, names and detailed of devices with the software installed, and version distribution.
- **Remediation options** - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
- [**Remediation options**](tvm-security-recommendation.md#request-remediation) - Submit a remediation request to open a ticket in Microsoft Intune for your IT Administrator to pick up and address.
- **Exception options** - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
- [**Exception options**](tvm-security-recommendation.md#file-for-exception) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue just yet.
>[!NOTE]
>When a change is made on a device, it may take up to two hours for the data to be reflected in the Microsoft Defender Security Center.
@ -161,6 +161,42 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
4. Select **Submit**. Your feedback is immediately sent to the Threat & Vulnerability Management experts.
## Find and remediate software or software versions which have reached end-of-support (EOS)
End-of-support (otherwise known as end-of-life) for software or software versions means that they will no longer be supported or serviced, and will not receive security updates. When you use software or software versions which have reached end-of-support, you're exposing your organization to security vulnerabilities, legal, and financial risks.
It is crucial for Security and IT Administrators to work together and ensure that the organization's software inventory is configured for optimal results, compliance, and a healthy network ecosystem. They should examine the options to remove or replace apps that have reached end of support, and update versions that have reached end of support. It is best to create and implement a plan **before** the end of support dates.
To find software or software versions which have reached end-of-support:
1. From the Threat & Vulnerability Management menu, navigate to **Security recommendations**.
2. Go to the **Filters** panel and look for the tags section. Select one or more of the EOS tag options. Then **Apply**.
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tag.png)
3. You will see a list recommendations related to software that is end of support, software versions that are end of support, or upcoming end of support versions. These tags are also visible in the [software inventory](tvm-software-inventory.md) page.
![Screenshot tags that say EOS software, EOS versions, and Upcoming EOS versions](images/tvm-eos-tags-column.png)
### List of versions and dates
To view a list of version that have reached end of support, or end or support soon, and those dates, follow the below steps:
1. For software that has versions which have reached end of support, or will reach end of support soon, a message will appear in the flyout once the security recommendation is selected.
![Screenshot of version distribution link](images/eos-upcoming-eos.png)
2. Select the **version distribution** link to go to the software drill down page. There, you can see a filtered list of versions with tags identifying them as end of support, or upcoming end of support.
![Screenshot of version distribution link](images/software-drilldown-eos.png)
3. Select one of the versions in the table to open. For example, version 10.0.18362.1. A flyout will appear with the end of support date.
![Screenshot of version distribution link](images/version-eos-date.png)
After you have identified which software and software versions are vulnerable due to its end-of-support status, remediate them to lower your organizations exposure to vulnerabilities and advanced persistent threats.
## Related topics
- [Threat & Vulnerability Management overview](next-gen-threat-and-vuln-mgt.md)
@ -172,5 +208,5 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md
View File

@ -85,5 +85,5 @@ You can report a false positive when you see any vague, inaccurate version, inco
- [Remediation and exception](tvm-remediation.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md
View File

@ -52,5 +52,5 @@ Some of the above prerequisites might be different from the [Minimum requirement
- [Software inventory](tvm-software-inventory.md)
- [Weaknesses](tvm-weaknesses.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

2
windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md
View File

@ -132,5 +132,5 @@ You can report a false positive when you see any vague, inaccurate, incomplete,
- [Remediation and exception](tvm-remediation.md)
- [Software inventory](tvm-software-inventory.md)
- [Scenarios](threat-and-vuln-mgt-scenarios.md)
- [APIs](threat-and-vuln-mgt-scenarios.md#apis)
- [APIs](next-gen-threat-and-vuln-mgt.md#apis)
- [Configure data access for Threat & Vulnerability Management roles](user-roles.md#create-roles-and-assign-the-role-to-an-azure-active-directory-group)

12
windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
View File

@ -33,27 +33,29 @@ SmartScreen uses registry-based Administrative Template policy settings. For mor
<th align="left">Description</th>
</tr>
<tr>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen</td>
<td>At least Windows Server 2012, Windows 8 or Windows RT</td>
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td>Windows 10, version 1703</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control</td>
<td><strong>Windows 10, version 1703</td>
<td>This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.</br></br>This setting does not protect against malicious content from USB devices, network shares or other non-internet sources.</p><p><strong>Important:</strong> Using a trustworthy browser helps ensure that these protections work as expected.</p></td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen<p><strong>Windows 10, Version 1607 and earlier:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen</td>
<td>Microsoft Edge on Windows 10 or later</td>
<td>This policy setting turns on Microsoft Defender SmartScreen.<p>If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.<p>If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.<p>If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.</td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files</td>
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.<p>If you enable this setting, it stops employees from bypassing the warning, stopping the file download.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.</td>
</tr>
<tr>
<td><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
<td><strong>Windows 10, version 2004:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, version 1703:</strong><br>Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites<p><strong>Windows 10, Version 1511 and 1607:</strong><br>Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites</td>
<td>Microsoft Edge on Windows 10, version 1511 or later</td>
<td>This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.<p>If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.<p>If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.</td>
</tr>

5
windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md
View File

@ -22,7 +22,10 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
Describes the best practices, location, values, policy management and security considerations for the **Interactive logon: Require smart card** security policy setting.
Describes the best practices, location, values, policy management, and security considerations for the **Interactive logon: Require smart card** security policy setting.
> [!NOTE]
> You may need to download the ADMX template for your version of Windows to enable this policy to be applied.
## Reference

2
windows/whats-new/whats-new-windows-10-version-2004.md
View File

@ -150,7 +150,7 @@ Windows Sandbox also has improved accessibility in this release, including:
With this release, memory that is no longer in use in a Linux VM will be freed back to Windows. Previously, a WSL VM's memory could grow, but would not shrink when no longer needed.
[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support is has been added for ARM64 devices if your device supports virtualization.
[WSL2](https://docs.microsoft.com/windows/wsl/wsl2-index) support has been added for ARM64 devices if your device supports virtualization.
For a full list of updates to WSL, see the [WSL release notes](https://docs.microsoft.com/windows/wsl/release-notes).