deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'rs1' of https://github.com/Microsoft/win-cpub-itpro-docs into rs1

Browse Source
This commit is contained in:
Dolcita Montemayor
2016-08-01 15:48:54 +10:00
parent f55c1fae62 77c9f27314
commit c576b6c3b2
98 changed files with 1041 additions and 611 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
windows/keep-secure/TOC.md
View File

@ -709,7 +709,12 @@
### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
#### [Windows Defender Offline in Windows 10](windows-defender-offline.md)
#### [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
#### [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
#### [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
#### [Run a Windows Defender scan from the command line](run-cmd-windows-defender-for-windows-10.md)
#### [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md)
#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)

7
windows/keep-secure/change-history-for-keep-windows-10-secure.md
View File

@ -18,6 +18,13 @@ The topics in this library have been updated for Windows 10, version 1607 (also
- [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
- [Remote Credential Guard](remote-credential-guard.md)
- [Windows Defender Offline in Windows 10](windows-defender-offline.md)
- [Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)
- [Enable the Block at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)
- [Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)
- [Run a Windows Defender scan from the command line](run-cmd-windows-defender-for-windows-10.md)
- [Detect and block Potentially Unwanted Applications](enable-pua-windows-defender-for-windows-10.md)
## July 2016

6
windows/keep-secure/configure-windows-defender-in-windows-10.md
View File

@ -1,5 +1,5 @@
---
title: Configure Windows Defender in Windows 10 (Windows 10)
title: Configure and use Windows Defender in Windows 10
description: IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
ms.assetid: 22649663-AC7A-40D8-B1F7-5CAD9E49653D
ms.prod: w10
@ -14,7 +14,9 @@ author: jasesso
**Applies to**
- Windows 10
IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
You can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Microsoft Active Directory and Windows Server Update Services (WSUS).
You can also enable and configure the Microsoft Active Protection Service to ensure endpoints are protected by cloud-based protection technologies.
## Configure definition updates

2
windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
View File

@ -43,7 +43,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c
>**Note**<br>
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
**To verify your data recovery certificate is correctly set up on an WIP client computer**
**To verify your data recovery certificate is correctly set up on a WIP client computer**
1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so its encrypted by WIP.

6
windows/keep-secure/create-wip-policy-using-intune.md
View File

@ -24,10 +24,10 @@ We've received some great feedback from you, our Windows 10 Insider Preview cust
Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
## Add an WIP policy
After youve set up Intune for your organization, you must create an WIP-specific policy.
## Add a WIP policy
After youve set up Intune for your organization, you must create a WIP-specific policy.
**To add an WIP policy**
**To add a WIP policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.

4
windows/keep-secure/create-wip-policy-using-sccm.md
View File

@ -20,9 +20,9 @@ author: eross-msft
System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
>**Important**<br>
If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
If you previously created a WIP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
## Add an WIP policy
## Add a WIP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
**To create a configuration item for WIP**

55
windows/keep-secure/credential-guard.md
View File

@ -143,7 +143,8 @@ If you would like to add Credential Guard to an image, you can do this by adding
### Add the virtualization-based security features
First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> **Note:**  If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
> [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
 
**Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel.
@ -157,7 +158,8 @@ First, you must add the virtualization-based security features. You can do this
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
> **Note:**  You can also add these features to an online image by using either DISM or Configuration Manager.
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
In Windows 10, version 1607, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
@ -181,14 +183,30 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
> **Note:**  You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
> [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
```
 
### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following:
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry setting: HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
3. Delete the Credential Guard EFI variables by using bcdedit.
**Delete the Credential Guard EFI variables**
@ -208,9 +226,18 @@ If you have to remove Credential Guard on a PC, you need to do the following:
3. Accept the prompt to disable Credential Guard.
4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
> **Note:** The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
**Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool**
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot
```
 
### Check that Credential Guard is running
@ -223,6 +250,12 @@ You can use System Information to ensure that Credential Guard is running on a P
Here's an example:
![System Information](images/credguard-msinfo32.png)
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v2.0.ps1 -Ready
```
## Considerations when using Credential Guard
@ -314,7 +347,8 @@ On devices that are running Credential Guard, enroll the devices using the machi
``` syntax
CertReq -EnrollCredGuardCert MachineAuthentication
```
> **Note:**  You must restart the device after enrolling the machine authentication certificate.
> [!NOTE]
> You must restart the device after enrolling the machine authentication certificate.
 
### Link the issuance policies to a group
@ -353,7 +387,8 @@ Now you can set up an authentication policy to use Credential Guard.
14. Click **OK** to create the authentication policy.
15. Close Active Directory Administrative Center.
> **Note:**  When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.
> [!NOTE]
> When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.
 
### Appendix: Scripts
@ -547,7 +582,8 @@ write-host "There are no issuance policies which are not mapped to groups"
}
}
```
> **Note:**  If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
 
#### <a href="" id="bkmk-setscript"></a>Link an issuance policy to a group
@ -828,7 +864,8 @@ write-host $tmp -Foreground Red
}
```
> **Note:**  If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
 
## Related topics

4
windows/keep-secure/get-started-with-windows-defender-for-windows-10.md
View File

@ -183,7 +183,7 @@ In Endpoint Protection, you can use the advanced scanning options to configure a
## Related topics
[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
- [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
- [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
 
 

BIN
windows/keep-secure/images/defender/client.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

BIN
windows/keep-secure/images/defender/detection-source.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 259 KiB

BIN
windows/keep-secure/images/defender/download-wdo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 94 KiB

BIN
windows/keep-secure/images/defender/enhanced-notifications.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
windows/keep-secure/images/defender/gp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 220 KiB

BIN
windows/keep-secure/images/defender/notification.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 60 KiB

BIN
windows/keep-secure/images/defender/sccm-wdo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 147 KiB

BIN
windows/keep-secure/images/defender/settings-wdo.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 71 KiB

BIN
windows/keep-secure/images/defender/ux-config-key.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/keep-secure/images/defender/ux-uilockdown-key.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/keep-secure/images/detection-source.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 259 KiB

8
windows/keep-secure/protect-enterprise-data-using-wip.md
View File

@ -56,19 +56,19 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Manage your enterprise documents, apps, and encryption modes.**
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device.
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
You dont have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
You dont have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
- **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your allowed apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.

22
windows/keep-secure/run-cmd-scan-windows-defender-for-windows-10.md
View File

@ -1,7 +1,7 @@
---
title: Run a scan from the command line in Windows Defender in Windows 10 (Windows 10)
description: IT professionals can run a scan using the command line in Windows Defender in Windows 10.
keywords: scan, command line, mpcmdrun, defender
title: Learn how to run a scan from command line in Windows Defender (Windows 10)
description: Windows Defender utility enables IT professionals to use command line to run antivirus scans.
keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
@ -19,19 +19,19 @@ author: mjcaparas
IT professionals can use a command-line utility to run a Windows Defender scan.
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_
The utility is available in _%Program Files%\Windows Defender\MpCmdRun.exe_.
This utility can be handy when you want to automate the use of Windows Defender.
**To run a full system scan from the command line**
**To run a quick scan from the command line**
1. Click **Start**, type **cmd**, and press **Enter**.
2. Navigate to _%ProgramFiles%\Windows Defender_ and enter the following command, and press **Enter**:
```
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 2
C:\Program Files\Windows Defender\mpcmdrun.exe -scan -scantype 1
```
The full scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
The quick scan will start. When the scan completes, you'll see a message indicating that the scan is finished.
The utility also provides other commands that you can run:
@ -43,12 +43,12 @@ MpCmdRun.exe [command] [-options]
Command | Description
:---|:---
\- ? / -h | Displays all available options for the tool
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious softare
\-Scan [-ScanType #] [-File <path> [-DisableRemediation] [-BootSectorScan]][-Timeout <days>] | Scans for malicious software
\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing
\-GetFiles | Collects support information
\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures
\-AddDynamicSignature [-Path] | Loads a dyanmic signature
\-AddDynamicSignature [-Path] | Loads a dynamic signature
\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures
\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature
\-EnableIntegrityServices | Enables integrity services
\-SubmitSamples | Submit all sample requests
The command-line utility provides detailed information on the other commands supported by the tool.

6
windows/keep-secure/testing-scenarios-for-wip.md
View File

@ -25,9 +25,9 @@ You can try any of the processes included in these scenarios, but you should foc
|---------|----------|
|Automatically encrypt files from enterprise apps |<ol><li>Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.</li><li>Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<p>**Note**<br>Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.</li></ol> |
|Block enterprise data from non-enterprise apps |<ol><li>Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.<p>The app shouldn't be able to access the file.</li><li>Try double-clicking or tapping on the enterprise-encrypted file.<p>If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.</li></ol> |
|Copy and paste from enterprise apps to non-enterprise apps |<ol><li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<p>You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't pasted into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Got it**, and try to paste the content again.<p>The content is pasted into the non-enterprise app.</li><li>Try copying and pasting content between apps on your allowed apps list.<p>The content should copy and paste between apps without any warning messages.</li></ol> |
|Drag and drop from enterprise apps to non-enterprise apps |<ol><li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<p>You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't dropped into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.<p>The content is dropped into the non-enterprise app.</li><li>Try dragging and dropping content between apps on your allowed apps list.<p>The content should move between the apps without any warning messages.</li></ol> |
|Share between enterprise apps and non-enterprise apps |<ol><li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<p>You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't shared into Facebook.</li><li>Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.<p>The content is shared into Facebook.</li><li>Try sharing content between apps on your allowed apps list.<p>The content should share between the apps without any warning messages.</li></ol> |
|Copy and paste from enterprise apps to non-enterprise apps |<ol><li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<p>You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't pasted into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Got it**, and try to paste the content again.<p>The content is pasted into the non-enterprise app.</li><li>Try copying and pasting content between apps on your allowed apps list.<p>The content should copy and paste between apps without any warning messages.</li></ol> |
|Drag and drop from enterprise apps to non-enterprise apps |<ol><li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<p>You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't dropped into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.<p>The content is dropped into the non-enterprise app.</li><li>Try dragging and dropping content between apps on your allowed apps list.<p>The content should move between the apps without any warning messages.</li></ol> |
|Share between enterprise apps and non-enterprise apps |<ol><li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<p>You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't shared into Facebook.</li><li>Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.<p>The content is shared into Facebook.</li><li>Try sharing content between apps on your allowed apps list.<p>The content should share between the apps without any warning messages.</li></ol> |
|Use the **Encrypt to** functionality |<ol><li>Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.<p>WIP should encrypt the file to your Enterprise Identity.</li><li>Make sure that the newly encrypted file has a **Lock** icon.</li><li>In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.</li><li>Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.<p>The file should be decrypted and the **Lock** icon should disappear.</li></ol> |
|Verify that Windows system components can use WIP |<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.</li><li>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon</li><li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<p>**Note**<br>Most Windows-signed components like Windows Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li></ol> |
|Use WIP on FAT/exFAT systems |<ol><li>Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |

10
windows/keep-secure/use-powershell-cmdlets-windows-defender-for-windows-10.md
View File

@ -23,7 +23,8 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> **Note:**&nbsp;&nbsp;PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
> [!NOTE]
> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367).
PowerShell is typically installed under the folder _%SystemRoot%\system32\WindowsPowerShell_.
@ -32,7 +33,8 @@ PowerShell is typically installed under the folder _%SystemRoot%\system32\Window
1. Click **Start**, type **powershell**, and press **Enter**.
2. Click **Windows PowerShell** to open the interface.
> **Note:**&nbsp;&nbsp;You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
> [!NOTE]
> You may need to open an administrator-level version of PowerShell. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
3. Enter the command and parameters.
To open online help for any of the cmdlets type the following:
@ -41,3 +43,7 @@ To open online help for any of the cmdlets type the following:
Get-Help <cmdlet> -Online
```
Omit the `-online` parameter to get locally cached help.
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

113
windows/keep-secure/windows-defender-block-at-first-sight.md Normal file
View File

@ -0,0 +1,113 @@
---
title: Enable the Block at First Sight feature to detect malware within seconds
description: In Windows 10 the Block at First Sight feature determines and blocks new malware variants in seconds. You can enable the feature with Group Policy.
keywords: scan, BAFS, malware, first seen, first sight, cloud, MAPS, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: iaanw
---
# Enable the Block at First Sight feature in Windows 10
**Applies to**
- Windows 10, version 1607
Block at First Sight is a feature of Windows Defender cloud protection that provides a way to detect and block new malware within seconds.
You can enable Block at First Sight with Group Policy or individually on endpoints.
## Backend procesing and near-instant determinations
When a Windows Defender client encounters a suspicious but previously undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean.
If the cloud backend is unable to make a determination, a copy of the file is requested for additional processing and analysis in the cloud.
If the Block at First Sight feature is enabled on the client, the file will be locked by Windows Defender while a copy is uploaded to the cloud, processed, and a verdict returned to the client. Only after a determination is returned from the cloud will Windows Defender release the lock and let the file run.
The file-based determination typically takes 1 to 4 seconds.
> [!NOTE]
> Suspicious file downloads requiring additional backend processing to reach a determination will be locked by Windows Defender on the first machine where the file is encountered, until it is finished uploading to the backend. Users will see a longer "Running security scan" message in the browser while the file is being uploaded. This might result in what appear to be slower download times for some files.
## Enable Block at First Sight
### Use Group Policy to configure Block at First Sight
You can use Group Policy to control whether Windows Defender will continue to lock a suspicious file until it is uploaded to the backend.
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
Block at First Sight requires a number of Group Policy settings to be configured correctly or it will not work.
**Configure pre-requisite cloud protection Group Policy settings:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > MAPS** and configure the following Group Policies:
1. Double-click the **Join Microsoft MAPS** setting and set the option to **Enabled**. Click **OK**.
1. Double-click the **Send file samples when further analysis is required** setting and set the option as **Enabled** and the additional options as either of the following:
1. Send safe samples (1)
1. Send all samples (3)
> [!NOTE]
> Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the "Block at First Sight" feature will not function.
1. Click OK after both Group Policies have been set.
1. In the **Group Policy Management Editor**, expand the tree to **Windows components > Windows Defender > Real-time Protection**:
1. Double-click the **Scan all downloaded files and attachments** setting and set the option to **Enabled**. Click **OK**.
1. Double-click the **Turn off real-time protection** setting and set the option to **Disabled**. Click **OK**.
**Enable Block at First Sight with Group Policy**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree through **Windows components > Windows Defender > MAPS**.
1. Double-click the **Configure the <20>Block at First Sight<68> feature** setting and set the option to **Enabled**.
> [!NOTE]
> The Block at First Sight feature will not function if the pre-requisite group policies have not been correctly set.
### Manually enable Block at First Sight on Individual clients
To configure un-managed clients that are running Windows 10, Block at First Sight is automatically enabled as long as **Cloud-based protection** and **Automatic sample submission** are both turned on.
**Enable Block at First Sight on invididual clients**
1. Open Windows Defender settings:
a. Open the Windows Defender app and click **Settings**.
b. On the main Windows Settings page, click **Update & Security** and then **Windows Defender**.
2. Switch **Cloud-based Protection** and **Automatic sample submission** to **On**.
> [!NOTE]
> These settings will be overridden if the network administrator has configured their associated Group Policies. The settings will appear grayed out and you will not be able to modify them if they are being managed by Group Policy.
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

43
windows/keep-secure/windows-defender-enhanced-notifications.md Normal file
View File

@ -0,0 +1,43 @@
---
title: Configure enhanced notifications for Windows Defender
description: In Windows 10, you can enable advanced notifications for endpoints throughout your enterprise network.
keywords: notifications, defender, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: iaanw
---
# Configure enhanced notifications for Windows Defender in Windows 10
**Applies to:**
- Windows 10, version 1607
In Windows 10, application notifications about malware detection and remediation by Windows Defender are more robust, consistent, and concise.
Notifications will appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications will also be seen in the **Notification Center**, and a summary of scans and threat detections will also appear at regular time intervals.
You can enable and disable enhanced notifications with the registry or in Windows Settings.
## Configure enhanced notifications
You can disable enhanced notifications on individual endpoints in Windows Settings.
**Use Windows Settings to disable enhanced notifications on individual endpoints**
1. Open the **Start** menu and click or type **Settings**.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Enhanced notifications** section.
1. Toggle the setting between **On** and **Off**.
![Windows Defender enhanced notifications](images/defender/enhanced-notifications.png)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

160
windows/keep-secure/windows-defender-in-windows-10.md
View File

@ -1,84 +1,76 @@
---
title: Windows Defender in Windows 10 (Windows 10)
description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: jasesso
---
# Windows Defender in Windows 10
**Applies to**
- Windows 10
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
- Windows Server Update Services (WSUS) for definitions
Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
- Settings management
- Definition update management
- Alerts and alert management
- Reports and report management
When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
 
### Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
### New and changed functionality
- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
## In this section
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Topic</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)</p></td>
<td align="left"><p>IT professionals can manage Windows Defender on Windows 10 endpoints in their organization using Active Directory or WSUS, apply updates to endpoints, and manage scans using:</p>
<ul>
<li>Group Policy Settings</li>
<li>Windows Management Instrumentation (WMI)</li>
<li>PowerShell</li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>[Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)</p></td>
<td align="left"><p>IT professionals can configure definition updates and cloud-based protection in Windows Defender in Windows 10 through Active Directory and WSUS.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)</p></td>
<td align="left"><p>IT professionals can review information about <em>event IDs</em> in Windows Defender for Windows 10 and see any relevant action they can take.</p></td>
</tr>
</tbody>
</table>
 
 
 
---
title: Windows Defender in Windows 10 (Windows 10)
description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: jasesso
---
# Windows Defender in Windows 10
**Applies to**
- Windows 10
Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
This topic provides an overview of Windows Defender, including a list of system requirements and new features.
For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
Take advantage of Windows Defender by configuring settings and definitions using the following tools:
- Microsoft Active Directory *Group Policy* for settings
- Windows Server Update Services (WSUS) for definitions
Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
> **Note:**  System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
- Settings management
- Definition update management
- Alerts and alert management
- Reports and report management
When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
### Compatibility with Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans wont run, and Windows Defender will not provide real-time protection from malware.
You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
 
### Minimum system requirements
Windows Defender has the same hardware requirements as Windows 10. For more information, see:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
### New and changed functionality
- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
## In this section
Topic | Description
:---|:---
[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.

181
windows/keep-secure/windows-defender-offline.md Normal file
View File

@ -0,0 +1,181 @@
---
title: Windows Defender Offline in Windows 10
description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
keywords: scan, defender, offline
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: iaanw
---
# Windows Defender Offline in Windows 10
**Applies to:**
- Windows 10, version 1607
Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
## Pre-requisites and requirements
Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
For more information about Windows 10 requirements, see the following topics:
- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
> [!NOTE]
> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
## Windows Defender Offline updates
Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
> [!NOTE]
> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
## Usage scenarios
In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
The prompt can occur via a notification, similar to the following:
![Windows notification showing the requirement to run Windows Defender Offline](images/defender/notification.png)
The user will also be notified within the Windows Defender client:
![Windows Defender showing the requirement to run Windows Defender Offline](images/defender/client.png)
In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
![System Center Configuration Manager indicating a Windows Defender Offline scan is required](images/defender/sccm-wdo.png)
## Manage notifications
<a name="manage-notifications"></a>
You can suppress Windows Defender Offline notifications with Group Policy.
> [!NOTE]
> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
**Use Group Policy to suppress Windows Defender notifications:**
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
4. Click **Policies** then **Administrative templates**.
5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
## Configure Windows Defender Offline settings
You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
## Run a scan
Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
> [!NOTE]
> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
You can set up a Windows Defender Offline scan with the following:
- Windows Update and Security settings
- Windows Defender
- Windows Management Instrumentation
- Windows PowerShell
- Group Policy
> [!NOTE]
> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
**Run Windows Defender Offline from Windows Settings:**
1. Open the **Start** menu and click or type **Settings**.
1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
1. Click **Scan offline**.
![Windows Defender Offline setting](images/defender/settings-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Run Windows Defender Offline from Windows Defender:**
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. On the **Home** tab click **Download and Run**.
![Windows Defender home tab showing the Download and run button](images/defender/download-wdo.png)
1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
```WMI
wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
```
For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
**Run Windows Defender Offline using PowerShell:**
Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
## Review scan results
Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
1. Go to the **History** tab.
1. Select **All detected items**.
1. Click **View details**.
Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
![Windows Defender detection source showing as Offline](images/defender/detection-source.png)
## Related topics
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)

12
windows/keep-secure/windows-security-baselines.md
View File

@ -12,7 +12,10 @@ author: brianlic-msft
Microsoft is dedicated to provide our customers with a secure operating system, such as Windows 10 and Windows Server, as well as secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control of your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, a large number of organizations still want more granular control of their security configurations. To navigate these large number of controls, organizations need guidance for configuring various security features. Microsoft provides this guidance in the form of security baselines.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
We recommend implementing an industry-standard configuration that is broadly known and well-tested, such as a Microsoft security baseline, as opposed to creating one yourself. This helps increase flexibility and reduce costs.
> [!NOTE]
> Microsoft Security Compliance Manager 4.0 is available from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=53353).
## What are security baselines?
@ -31,18 +34,19 @@ In modern organizations, the security threat landscape is constantly evolving. I
To help faster deployments and increase the ease of managing Windows, Microsoft provides customers with security baselines that are available in formats that can be consumed, such as Group Policy Objects backups.
## How can you use security baselines?
## How can you use security baselines?
You can use security baselines to:
- Ensure that user and device configuration settings are compliant with the baseline.
- Set configuration settings. For example, you can use Group Policy, System Center Configuration Manager, or Microsoft Intune to configure a device with the setting values specified in the baseline.
## Where can I get the security baselines?
## Where can I get the security baselines?
Here's a list of security baselines that are currently available.
> **Note:** If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
> [!NOTE]
> If you want to know what has changed with each security baseline, or if you want to stay up-to-date on whats happening with them, check out the [Microsoft Security Guidance](http://blogs.technet.microsoft.com/secguide) blog.
### Windows 10 security baselines