Date: Wed, 20 Jan 2021 10:58:24 -0800
Subject: [PATCH 120/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index b8a979b127..8122abd1da 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -170,8 +170,12 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites | Notes |
|----|----|---|
-|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Your organization is using Microsoft Defender Antivirus with cloud-based protection enabled.
Your antimalware client version is must be 4.18.1901.x or later.
Your devices are must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019 | Make sure the [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
Trusted signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
+|Files
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version must be 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
+| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. |
+
+
+
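Review bot: the `+| Certificates` row added at the end of this hunk (ending `Your virus and threat protection definitions must be up to date. |`) has only two cells, while the header `| Indicator type | Prerequisites | Notes |` defines three; add the Notes cell (even an empty one) so the row renders in the same column layout as the Files and IP rows. The three trailing `+` blank lines are whitespace-only churn and can be dropped. The rewrite of the Files row is otherwise right: it collapses the old four-cell row (the stray `| Make sure the [Block or allow feature is turned on]...` cell) into three and fixes the "is must be" wording.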
From 66c7569f3377716bba0b8e5e9afad6a8308ddb6c Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 20 Jan 2021 10:59:26 -0800
Subject: [PATCH 121/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 8122abd1da..f5ce4cceed 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -172,7 +172,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
|----|----|---|
|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version must be 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
-| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. |
+| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
+
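Review bot: the new Notes cell spells the abbreviation two ways within three lines (`allow/block certificate IOCs`, `allow/block IoC functionality`, `a certificate IoC`); pick one form, and hyphenate `Microsoft signed certificates` as `Microsoft-signed certificates`. The sentence `The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.` is a comma splice; split it into two sentences or join with a semicolon. The trailing `+` blank line is unnecessary.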
From 08442412663eeb9785fb3a9a1d189c1f0b2dd354 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 20 Jan 2021 10:59:58 -0800
Subject: [PATCH 122/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 13 -------------
1 file changed, 13 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index f5ce4cceed..5d51a6f36d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -174,19 +174,6 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| IP addresses and URLs Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
-
-
-
-
-
-
-
-
-
-
-
-
-
## Classify a false positive or false negative
As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
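Review bot: all 13 blank lines between the last table row (`It can take up to 3 hours to create and remove a certificate IoC. |`) and `## Classify a false positive or false negative` are removed, which leaves the heading immediately after the table; keep exactly one blank line so the table is terminated before the heading and the file renders consistently with its other sections.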
From 0b2d7ab3e403ea122bd6e5aa85b23cc645cdb053 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 20 Jan 2021 16:08:22 -0800
Subject: [PATCH 123/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 5d51a6f36d..2242561c26 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 01/19/2021
+ms.date: 01/21/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
From f58a1d313db4131878d90d90a046a0bf8977b0d2 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Thu, 21 Jan 2021 19:07:44 +0530
Subject: [PATCH 124/454] changed minutes to seconds
As per user report #8995, I changed minutes to seconds.
I took help from the site below:
**https://docs.microsoft.com/en-us/openspecs/exchange_server_protocols/ms-asprov/7dcdd2c3-43ca-4425-b8d4-443b1d2c0638**
---
windows/client-management/mdm/policy-csp-devicelock.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index f68a71f820..b106637736 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -677,7 +677,7 @@ The following list shows the supported values:
-Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
+Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
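Review bot: the unit change to `(in seconds)` is not carried into the unchanged bullet two lines below, `On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes`, so the paragraph now mixes units with the exception it qualifies; either restate that device cap in seconds or say explicitly that the hardware cap is a separate limit expressed in minutes. Also confirm that the supported-values list the hunk header points at (`The following list shows the supported values:`) gives its values in seconds, since the commit message cites the MS-ASPROV reference as the basis for the change.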
From 704a3a87252a456ce34bc8242c86ddec26dbdb1c Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Thu, 21 Jan 2021 21:30:59 +0200
Subject: [PATCH 125/454] add info about network boundary
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8880
---
.../md-app-guard-overview.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 98150e0f15..0c47055df2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -52,3 +52,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
+|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
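Review bot: the description cell of the new row is a sentence fragment (`Network boundary, a feature that helps you protect ...`) while every other row in this table opens with a verb (`Describes ...`, `Provides ...`); reword it to match, for example `Describes how to use a network boundary in Microsoft Intune to define the sites your organization trusts.` The link also carries the `/en-us/` locale segment, whereas the other external link in this table (`https://docs.microsoft.com/microsoft-365/security/...`) is locale-neutral; drop `/en-us/` so readers are served their own locale.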
From 4d281e31d100e182c94040de6bbde8ee1a8202b9 Mon Sep 17 00:00:00 2001
From: Carmen Forsmann
Date: Thu, 21 Jan 2021 12:54:14 -0800
Subject: [PATCH 126/454] Update waas-delivery-optimization.md
Add Edge browser support to content type table.
---
windows/deployment/update/waas-delivery-optimization.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index de5f866595..7337c717c1 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -65,7 +65,7 @@ For information about setting up Delivery Optimization, including tips for the b
- Office installations and updates
- Xbox game pass games
- MSIX apps (HTTP downloads only)
- - Edge browser installations and updates
+ - Edge browser installs and updates
## Requirements
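Review bot: after this change the list uses `installs` for Edge (`- Edge browser installs and updates`) but `installations` for Office (`- Office installations and updates`) three lines above; whichever term is kept, apply it to both bullets. The commit message only mentions the content-type table, so the bullet wording change should be noted there too.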
@@ -90,7 +90,8 @@ The following table lists the minimum Windows 10 version that supports Delivery
| Win32 apps for Intune | 1709 |
| Xbox game pass games | 2004 |
| MSIX apps (HTTP downloads only) | 2004 |
-| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 |
+| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 |
+| Edge browser installs and updates | 1809 |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
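Review bot: the new row `| Edge browser installs and updates | 1809 |` introduces a minimum Windows 10 version with no source in the commit message; since every row in this table is a release-specific minimum, cite where 1809 comes from in the PR so it can be verified. The casing change `Express Updates` -> `Express updates` in the same hunk is unrelated to adding Edge support and would be clearer as its own commit.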
From 1e96248e32a1da6172b1b24587481405dba6c81c Mon Sep 17 00:00:00 2001
From: Carmen Forsmann
Date: Thu, 21 Jan 2021 20:01:51 -0800
Subject: [PATCH 127/454] Update waas-delivery-optimization.md
Add Dynamic updates support
---
windows/deployment/update/waas-delivery-optimization.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 7337c717c1..599fd37ab1 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b
- DOMaxUploadBandwidth
- Support for new types of downloads:
- - Office installations and updates
+ - Office installs and updates
- Xbox game pass games
- MSIX apps (HTTP downloads only)
- Edge browser installs and updates
+ - Dynamic updates
## Requirements
@@ -92,6 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| MSIX apps (HTTP downloads only) | 2004 |
| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 |
| Edge browser installs and updates | 1809 |
+| Dynamic updates | 1903 |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
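Review bot: `Dynamic updates` as a bare row label (`| Dynamic updates | 1903 |`) is ambiguous to a reader who does not already know the Windows setup feature; the other rows name a concrete content type, so either link the term to its documentation or expand it (for example `Dynamic Update packages for feature updates`). As with the Edge row added in the previous patch, the 1903 minimum has no source cited in the commit message.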
From f7b513116952b788788b1856b6fc3ed945558a00 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:14:46 -0800
Subject: [PATCH 128/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 2242561c26..1083895ed8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 01/21/2021
+ms.date: 01/22/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
From cc97ce85b1d8549daebc662e47e134c7f1df2b32 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:27:52 -0800
Subject: [PATCH 129/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 95 +++++++++++++++++--
1 file changed, 89 insertions(+), 6 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 1083895ed8..0a7de859a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -31,15 +31,98 @@ ms.custom: FPFN
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
-In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives can include:
-- [Reviewing your threat protection settings and making adjustments where needed](#review-your-threat-protection-settings);
-- [Defining exclusions, such as for antivirus and other endpoint protection features](#review-or-define-exclusions-for-microsoft-defender-for-endpoint);
-- [Classifying false positives in your endpoint protection solution](#classify-a-false-positive-or-false-negative);
-- [Submitting files for further analysis](#submit-a-file-for-analysis); and
-- [Verifying that the applications your organization is using are properly signed](#confirm-your-software-uses-ev-code-signing).
+In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes:
+
+1. Reviewing and classifying alerts
+2. Reviewing remediation actions that were taken
+3. Reviewing and defining exclusions
+4. Submitting an entity for analysis
+5. Reviewing your threat protection settings
If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
+## Review and classify alerts
+
+If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed.
+
+Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
+
+### Determine whether an alert is accurate
+
+Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
+1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
+2. In the navigation pane, choose **Alerts queue**.
+3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
+4. Take one of the following steps:
+ - If the alert is accurate, assign and investigate the alert further.
+ - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint.
+ - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert.
+
+### Classify an alert as a false positive
+
+Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. Select **Alerts queue**, and then select an alert that is a false positive.
+3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
+4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive.
+
+> [!TIP]
+> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
+
+### Suppress an alert
+
+If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
+2. In the navigation pane, select **Alerts queue**.
+3. Select an alert that you want to suppress to open its **Details** pane.
+4. In the **Details** pane, choose the ellipsis (**...**), and then choose **Create a suppression rule**.
+5. Specify all the settings for your suppression rule, and then choose **Save**.
+
+> [!TIP]
+> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
+
+## Review remediation actions
+
+[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include:
+- Quarantine a file
+- Remove a registry key
+- Kill a process
+- Stop a service
+- Disable a driver
+- Remove a scheduled task
+
+Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone.
+
+### Review completed actions
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. Select the **History** tab.
+3. Select an item to view more details about the remediation action that was taken.
+
+If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following:
+- Isolate device
+- Restrict code execution
+- Quarantine a file
+- Remove a registry key
+- Stop a service
+- Disable a driver
+- Remove a scheduled task
+
+### To undo an action
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. On the **History** tab, select an action that you want to undo.
+3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.)
+
+### To undo multiple actions at one time
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. On the **History** tab, select the actions that you want to undo.
+3. In the pane on the right side of the screen, select **Undo**.
+
+
## Review your threat protection settings
Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular:
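Review bot: the new headings "### To undo an action" and "### To undo multiple actions at one time" break the imperative heading style used in the rest of this section ("Review completed actions", "Suppress an alert", "Classify an alert as a false positive"); drop the leading "To". The undo list also includes "Isolate device" and "Restrict code execution", neither of which appears in the list of automatic remediation actions just above ("Quarantine a file" through "Remove a scheduled task"), so say where those two actions come from or readers will not know why they are only undoable and never listed as taken. The two consecutive blank lines before "## Review your threat protection settings" can be collapsed to one.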
From a5c3e6656d506074a70daafa4d2842b74139b586 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:29:36 -0800
Subject: [PATCH 130/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 130 +++++++++---------
1 file changed, 66 insertions(+), 64 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 0a7de859a9..4f8b62add6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -122,6 +122,72 @@ If you find that a remediation action was taken automatically on an entity that
2. On the **History** tab, select the actions that you want to undo.
3. In the pane on the right side of the screen, select **Undo**.
+## Review or define exclusions for Microsoft Defender for Endpoint
+
+An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
+
+To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
+- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
+- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
+
+Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint.
+
+The procedures in this section describe how to define exclusions and indicators.
+
+### Exclusions for Microsoft Defender Antivirus
+
+In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well.
+
+> [!TIP]
+> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
+
+#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies)
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
+3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
+4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
+5. Choose **Review + save**, and then choose **Save**.
+
+#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions
+
+1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
+2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
+3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
+4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.
+5. Specify a name and description for the profile, and then choose **Next**.
+6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
+7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
+8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
+9. On the **Review + create** tab, review the settings, and then choose **Create**.
+
+### Indicators for Microsoft Defender for Endpoint
+
+[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
+
+To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to:
+
+- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
+- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
+- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
+
+Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
+
+- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
+- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)
+- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)
+- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)
+
+> [!TIP]
+> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
+
+| Indicator type | Prerequisites | Notes |
+|----|----|---|
+|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version must be 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
+| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
+| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
+
+
## Review your threat protection settings
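Review bot: the Files row runs the indicator type and its description together ("|Files Helps prevent suspected malware ..."), while the "IP addresses and URLs" and "Certificates" rows start their description on a new line; make the three rows consistent. In the same table, "IP is supported for all three protocols" names no protocols; the only protocols mentioned anywhere are "TCP, HTTP, and HTTPS (TLS)" in the Notes column, so spell them out where the claim is made. Two smaller fixes: "The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action" has no terminal period, and "Trying to block trusted, signed files, can have performance implications" has a stray comma before "can". "Encrypted URLS (FQDN only)" should be "URLs" to match the line above it, and the two blank lines after the table can be collapsed to one.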
@@ -192,70 +258,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**.
9. On the **Review + create** tab, review your settings, and, and then choose **Create**.
-## Review or define exclusions for Microsoft Defender for Endpoint
-
-An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
-
-To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
-- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
-- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
-
-Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint.
-
-The procedures in this section describe how to define exclusions and indicators.
-
-### Exclusions for Microsoft Defender Antivirus
-
-In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Endpoint Manager to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy as well.
-
-> [!TIP]
-> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus).
-
-#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies)
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)).
-3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**.
-4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions.
-5. Choose **Review + save**, and then choose **Save**.
-
-#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions
-
-1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in.
-2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**.
-3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**).
-4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**.
-5. Specify a name and description for the profile, and then choose **Next**.
-6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**.
-7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).)
-8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).)
-9. On the **Review + create** tab, review the settings, and then choose **Create**.
-
-### Indicators for Microsoft Defender for Endpoint
-
-[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
-
-To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to:
-
-- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
-- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
-- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
-
-Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
-
-- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
-- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)
-- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)
-- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)
-
-> [!TIP]
-> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
-
-| Indicator type | Prerequisites | Notes |
-|----|----|---|
-|Files
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version must be 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
-| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
-| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
## Classify a false positive or false negative
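Review bot: the section removed here does not match the copy re-inserted earlier in the same patch: the removed table has "|Files" on its own line with the description following, whereas the re-inserted copy runs them together as "|Files Helps prevent ...", so the move introduces a formatting regression in the Files row. The context lines at the top of this hunk also carry two errors worth fixing in the same change: "applied to all devices certain editions of Windows 10" is missing a word (for example, "all devices running certain editions"), and "review your settings, and, and then choose **Create**" duplicates "and,".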
From 4cb7b0ff725dc24fdb77c1f92523830eada4333f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:49:02 -0800
Subject: [PATCH 131/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 111 ++++++++----------
1 file changed, 47 insertions(+), 64 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 4f8b62add6..cb0ee4077d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -33,7 +33,7 @@ ms.custom: FPFN
In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes:
-1. Reviewing and classifying alerts
+1. [Reviewing and classifying alerts](#review-and-classify-alerts)
2. Reviewing remediation actions that were taken
3. Reviewing and defining exclusions
4. Submitting an entity for analysis
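Review bot: only step 1 of the process list gets an anchor link ("[Reviewing and classifying alerts](#review-and-classify-alerts)"); steps 2 to 4 ("Reviewing remediation actions that were taken", "Reviewing and defining exclusions", "Submitting an entity for analysis") stay plain text even though at least the first two have matching headings in this file ("## Review remediation actions", "## Review or define exclusions for Microsoft Defender for Endpoint"). Link all four steps, or none, so the list reads consistently.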
@@ -47,10 +47,12 @@ If your security operations team see an alert that was triggered because somethi
Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
+
### Determine whether an alert is accurate
Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
-1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
+
+1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, choose **Alerts queue**.
3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
4. Take one of the following steps:
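Review bot: the blank line inserted before the numbered list is a good fix, but two errors in this hunk's context lines should go in the same change: the hunk header text "If your security operations team see an alert" should read "team sees", and step 3, "Select an alert to more details about the alert", is missing a verb ("to view more details about the alert").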
@@ -60,7 +62,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat
### Classify an alert as a false positive
-Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue.
+Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. Select **Alerts queue**, and then select an alert that is a false positive.
@@ -110,13 +112,13 @@ If you find that a remediation action was taken automatically on an entity that
- Disable a driver
- Remove a scheduled task
-### To undo an action
+### Undo an action
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select an action that you want to undo.
3. In the flyout pane, select **Undo**. (If the action cannot be undone with this method, you will not see an **Undo** button.)
-### To undo multiple actions at one time
+### Undo multiple actions at one time
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
2. On the **History** tab, select the actions that you want to undo.
@@ -163,7 +165,7 @@ In general, you should not need to define exclusions for Microsoft Defender Anti
### Indicators for Microsoft Defender for Endpoint
-[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
+[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to:
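Review bot: the added parenthetical "(specifically, indicators of compromise, or IoCs)" mislabels the indicators this section is about: the next sentence describes files "to be omitted from scans and remediation actions", and an allow-listed trusted file is not an indicator of compromise. Either drop the parenthetical or widen it (for example, "indicators, including indicators of compromise (IoCs)") so that "allow" indicators are covered by the definition.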
@@ -171,23 +173,52 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu
- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
-Your security team can create indicators for files, IP addresses, URLs, domains, and certificates. Use the following resources to create or manage indicators in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
+Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
-- [Learn more about indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators)
-- [Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)
-- [Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)
-- [Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)
+| Indicator type | Prerequisites | Notes |
+|----|----|---|
+|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
+| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
+| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
-| Indicator type | Prerequisites | Notes |
-|----|----|---|
-|Files
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version must be 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
-| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
-| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
+## Submit a file for analysis
+You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions.
+### Submit a file for analysis
+
+If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis.
+
+1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s).
+
+### Submit a fileless detection for analysis
+
+If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool.
+
+1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator.
+2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
+ A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
+3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
+4. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your .cab files.
+
+### What happens after a file is submitted?
+
+Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It’s possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly.
+
+For submissions that were not already processed, they are prioritized for analysis as follows:
+
+- Prevalent files with the potential to impact large numbers of computers are given a higher priority.
+- Authenticated customers, especially enterprise customers with valid [Software Assurance IDs (SAIDs)](https://www.microsoft.com/licensing/licensing-programs/software-assurance-default.aspx), are given a higher priority.
+- Submissions flagged as high priority by SAID holders are given immediate attention.
+
+To check for updates regarding your submission, sign in at the [Microsoft Security Intelligence submission site](https://www.microsoft.com/wdsi/filesubmission).
+
+> [!TIP]
+> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions).
## Review your threat protection settings
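Review bot: the steps in the new "Submit a fileless detection for analysis" subsection contradict each other: step 1 sends the reader to `C:\ProgramData\Microsoft\Windows Defender\Platform\`, while step 2 gives the output path as `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`, and the intro calls the archive "Mpsupport.cab" while step 2 calls it "MpSupportFiles.cab"; pick one product folder name and one file name. MpCmdRun.exe also lives in a versioned subfolder under `Platform\` (and in `C:\Program Files\Windows Defender\`), so step 1 should tell the reader to open the versioned folder or use the Program Files copy rather than run it from `Platform\` directly. Smaller points in the same hunk: `** MpCmdRun.exe**` has a space after the opening asterisks and will not render as bold; the H2 "Submit a file for analysis" is immediately followed by an H3 with identical text, which produces duplicate heading ids (the second becomes `#submit-a-file-for-analysis-1`), so rename the H3, for example "Submit a file"; the tip links `manage-indicators.md` with a relative path while every other link in the table is absolute; and the first Notes cell ("...prior to the allow or block action") is missing its terminal period.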
@@ -258,54 +289,6 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**.
9. On the **Review + create** tab, review your settings, and, and then choose **Create**.
-
-## Classify a false positive or false negative
-
-As alerts are triggered, if you see something that was detected as malicious or suspicious that should not be, you can suppress alerts for that entity and classify alerts as false positives. Managing your alerts and classifying false positives helps to train your threat protection solution. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
-
-### Suppress an alert
-
-You can suppress an alert in the Microsoft Defender Security Center.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. In the navigation pane, select **Alerts queue**.
-3. Select an alert that you want to suppress to open its **Details** pane.
-4. In the **Details** pane, choose the ellipsis (`...`), and then choose **Create a suppression rule**.
-5. Specify all the settings for your suppression rule, and then choose **Save**.
-
-> [!TIP]
-> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
-
-### Classify an alert as a false positive
-
-Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the Alerts queue.
-
-1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. Select **Alerts queue**, and then select an alert that is a false positive.
-3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
-4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive.
-
-> [!TIP]
-> - For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts).
-> - If your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
-
-## Submit a file for analysis
-
-You can submit files, such as false positives or false negatives, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions.
-
-1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
-
-2. Visit the Microsoft Security Intelligence submission ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s).
-
-## Confirm your software uses EV code signing
-
-As explained in the blog, [Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives), digital signatures help to ensure the software integrity. The reputation of digital certificates also plays a role in whether software is considered suspicious or not a threat. By using a reputable certificate, developers can reduce the chances of their software being detected as malware. Extended validation (EV) code signing is a more advanced version of digital certificates and requires a more rigorous vetting and authentication process.
-
-Want to learn more? See the following resources:
-
-- [Microsoft Security Blog: Partnering with the industry to minimize false positives](https://www.microsoft.com/security/blog/2018/08/16/partnering-with-the-industry-to-minimize-false-positives/)
-- [Get a code signing certificate](https://docs.microsoft.com/windows-hardware/drivers/dashboard/get-a-code-signing-certificate)
-
## Still need help?
If you still need help after working through all the steps in this article, your best bet is to contact technical support.
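Review bot: this hunk deletes the "Confirm your software uses EV code signing" section and the tip about also defining a suppression rule in your SIEM, and neither is re-added anywhere in this patch, whereas the "Submit a file for analysis" section removed here does reappear earlier under the same heading. If the intent is only to reorganize, carry the EV code-signing guidance (the one prevention-side recommendation for software publishers on the page) and the SIEM suppression tip into the new structure, for example under "Review your threat protection settings" and next to the "Suppress an alert" steps respectively, rather than dropping them.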
From 5b04617b295d16a1106326c79c481534acd475fe Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:50:56 -0800
Subject: [PATCH 132/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index cb0ee4077d..69d5634efb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -19,7 +19,7 @@ ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
ms.topic: conceptual
-ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree
+ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola
ms.custom: FPFN
---
@@ -34,10 +34,10 @@ ms.custom: FPFN
In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes:
1. [Reviewing and classifying alerts](#review-and-classify-alerts)
-2. Reviewing remediation actions that were taken
-3. Reviewing and defining exclusions
-4. Submitting an entity for analysis
-5. Reviewing your threat protection settings
+2. [Reviewing remediation actions that were taken](#review-remediation-actions)
+3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint)
+4. [Submitting an entity for analysis](#submit-a-file-for-analysis)
+5. [Reviewing your threat protection settings](#review-your-threat-protection-settings)
If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
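Review bot: the anchor `#submit-a-file-for-analysis` in step 4 is ambiguous after patch 120, which added an H2 and an H3 with the identical title "Submit a file for analysis"; the first gets that id and the second gets `-1`, so the link resolves to the H2 only by ordering and will break if the headings are rearranged. Rename the H3, and for the other three new anchors confirm the slugs match the exact heading text in the file (the step 3 slug assumes a heading reading "Review or define exclusions for Microsoft Defender for Endpoint"), since none of those headings appear in this patch.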
From af20c1f8c8f7088cdd22e4c189ab37f64fcfc0f4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:53:42 -0800
Subject: [PATCH 133/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 69d5634efb..dd7dfd3caa 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -103,7 +103,7 @@ Other actions, such as starting an antivirus scan or collecting an investigation
2. Select the **History** tab.
3. Select an item to view more details about the remediation action that was taken.
-If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. Remediation actions that you can undo include the following:
+If you find that a remediation action was taken automatically on an entity that is not actually a threat, you can undo the action. You can undo the following remediation actions:
- Isolate device
- Restrict code execution
- Quarantine a file
@@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites | Notes |
|----|----|---|
|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
-| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
+| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
> [!TIP]
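Review bot: since this hunk rewrites the "IP addresses and URLs" row anyway, fix the unexplained "IP is supported for all three protocols" in the first cell: the three protocols are only named later in the Notes cell ("TCP, HTTP, and HTTPS (TLS)"), so either name them in the first cell or move that sentence next to the list. Likewise, "Full URL path blocks can be applied on the domain level and all unencrypted URLs" reads as a caveat rather than a description of the indicator type and belongs in Notes beside the two "Encrypted URLs" lines, where "Encrypted URLS" should also be "Encrypted URLs".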
From 5596fcc20ce34f2ef0ec31a0c5f2112e18140cd4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:54:20 -0800
Subject: [PATCH 134/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index dd7dfd3caa..977f0216f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -4,8 +4,8 @@ description: Learn how to handle false positives or false negatives in Microsoft
keywords: alert, exclusion, defender atp, false positive, false negative
search.product: eADQiWindows 10XVcnh
search.appverid: met150
-ms.prod: w10
-ms.technology: windows
+ms.prod: m365-security
+ms.technology: mde
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
From 384d221117fb45f3da607eb5d2c907d3284f4c6e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:58:11 -0800
Subject: [PATCH 135/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 977f0216f7..820e4412bb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -175,11 +175,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu
Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
-| Indicator type | Prerequisites | Notes |
-|----|----|---|
-|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. |
-| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) |
-| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |
+| Indicator type | Prerequisites |
+|:----|:----|
+|Files
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
+| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
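Review bot: the rebuilt two-column table still carries raw line breaks and `- ` bullet lines inside its cells (the `+|Files` row runs from `Helps prevent suspected malware ...` down to `[Block or allow feature is turned on](...). |`, and the IP/URL and Certificates rows do the same), but a Markdown table row has to be a single physical line, so these will not render as one row unless the docs build tolerates embedded newlines; use `<br>` between the sentences and list items in a cell, or keep each row on one line. Folding the old Notes column into the Indicator type column also leaves `+|Files` alone on its line with the description underneath; put the name and its description together in the cell. Two small slips survive the move: `Encrypted URLS (FQDN only)` should be `URLs`, and `...prior to the allow or block action` is missing its period.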
From e06f4cba036a2a9599136aff2de740050b8168ac Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:59:20 -0800
Subject: [PATCH 136/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 820e4412bb..81d6258ac3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -177,8 +177,8 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites |
|:----|:----|
-|Files Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file).
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
-| IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+|**Files**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
+| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
> [!TIP]
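Review bot: the spacing after the leading pipe is inconsistent between the two rows this hunk touches, `+|**Files**` versus `+| **IP addresses and URLs**`; pick one form. The Certificates row in the trailing context (`| Certificates` and its plain `[Create an indicator for an application certificate](...)` link) is left unbolded, so the three rows no longer match; bold it in the same change rather than in a follow-up commit.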
From 5912f7dd084c88e5e4b1af9e08edbecbdb101b71 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 20:59:45 -0800
Subject: [PATCH 137/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 81d6258ac3..9e6d2a7b81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -179,7 +179,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
|:----|:----|
|**Files** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
+| **Certificates**
`.CER` or `.PEM` file extensions are supported.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
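Review bot: the second cell of the Certificates row still begins `|Microsoft Defender Antivirus with cloud-based protection is enabled` with no space after the pipe, unlike the `| Microsoft Defender Antivirus ...` and `| Network protection ...` cells above it. While this row is being edited, also make the abbreviation consistent in `The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality` (`IOCs` and `IoC` in one sentence) and hyphenate `Microsoft signed certificates` as `Microsoft-signed certificates`.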
From bfee91e04c29c9cb209372e135e9a521d8109666 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 21:00:49 -0800
Subject: [PATCH 138/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 9e6d2a7b81..6f17620125 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -177,7 +177,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites |
|:----|:----|
-|**Files** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
+|**Files**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
| **Certificates**
`.CER` or `.PEM` file extensions are supported.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
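Review bot: the only change here is `a couple of minutes` to `a few minutes`, yet the same cell still has two punctuation defects that this edit could have fixed at once: `The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action` ends without a period, and `Trying to block trusted, signed files, can have performance implications.` has a stray comma before `can`. Batch these into one edit instead of another single-word commit.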
From da2f03ef717aa23a0e3a86c7f81ee598a4ba9ddf Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 21:04:10 -0800
Subject: [PATCH 139/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 21 +++++++++----------
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 6f17620125..2896e64818 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -33,21 +33,20 @@ ms.custom: FPFN
In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes:
-1. [Reviewing and classifying alerts](#review-and-classify-alerts)
-2. [Reviewing remediation actions that were taken](#review-remediation-actions)
-3. [Reviewing and defining exclusions](#review-or-define-exclusions-for-microsoft-defender-for-endpoint)
-4. [Submitting an entity for analysis](#submit-a-file-for-analysis)
-5. [Reviewing your threat protection settings](#review-your-threat-protection-settings)
+1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
+2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
+3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint)
+4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis)
+5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
-## Review and classify alerts
+## Part 1: Review and classify alerts
If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed.
Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
-
### Determine whether an alert is accurate
Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign.
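Review bot: list item 5 is now out of step with the heading it links to: the `+5.` line still reads "Reviewing your threat protection settings" while its new anchor `#part-5-review-and-adjust-your-threat-protection-settings` (and the renamed Part 5 heading later in this patch) says "review and adjust". Rename the item to "Reviewing and adjusting your threat protection settings" so the numbered list mirrors the section titles it points at; otherwise readers see one label in the table of contents and another at the section.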
@@ -85,7 +84,7 @@ If you have alerts that are either false positives or are for unimportant events
> [!TIP]
> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule).
-## Review remediation actions
+## Part 2: Review remediation actions
[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, can be taken on entities that are detected as threats. Several types of remediation actions can occur automatically through automated investigation and Microsoft Defender Antivirus. Examples of such actions include:
- Quarantine a file
@@ -124,7 +123,7 @@ If you find that a remediation action was taken automatically on an entity that
2. On the **History** tab, select the actions that you want to undo.
3. In the pane on the right side of the screen, select **Undo**.
-## Review or define exclusions for Microsoft Defender for Endpoint
+## Part 3: Review or define exclusions for Microsoft Defender for Endpoint
An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
@@ -184,7 +183,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
-## Submit a file for analysis
+## Part 4: Submit a file for analysis
You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions.
@@ -220,7 +219,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi
> [!TIP]
> To learn more, see [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide#how-does-microsoft-prioritize-submissions).
-## Review your threat protection settings
+## Part 5: Review and adjust your threat protection settings
Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular:
From 21b877a8f0c60800a12928292c28c5fb344975d0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 21:08:15 -0800
Subject: [PATCH 140/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 2896e64818..8061a0af30 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -176,9 +176,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites |
|:----|:----|
-|**Files** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
-| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)| Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| **Certificates**
`.CER` or `.PEM` file extensions are supported.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
+|**Files**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
+| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
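Review bot: the Windows-version prerequisites are now written two different ways inside the same table: the rewritten Files row collapses them into one line, "Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019", while the Certificates row below keeps the three-item bullet list. Use one form for both rows (the single line is the safer choice inside a table cell). Three small text defects are carried over into the new rows: "Trying to block trusted, signed files, can have performance implications." has a stray comma after "files"; "The allow or block function cannot be done on a file ... prior to the allow or block action" has no terminal period; and "Encrypted URLS (FQDN only)" should read "URLs" to match the line above it. "IP is supported for all three protocols" names no protocols; the TCP, HTTP, and HTTPS (TLS) list a few lines further down is presumably what is meant, so spell them out at that point.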
From 88a45ee671d150a2c6f0450362b878debfd7df74 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 21:09:24 -0800
Subject: [PATCH 141/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 8061a0af30..5b2bb0e35f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -178,7 +178,7 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
|:----|:----|
|**Files** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Virus and threat protection definitions are up to date. |
+| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date. |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
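Review bot: the "Devices are running ..." line in each of the three rows (Files, IP addresses and URLs, and the rewritten Certificates row) lacks the terminal period that the adjacent "Antimalware client version: ... or later." line has; add it in all three for consistency. In the rewritten Certificates row, "allow/block certificate IOCs" and "allow/block IoC functionality" spell the abbreviation two ways in one sentence; settle on "IoC". "Microsoft signed certificates cannot be blocked." reads more clearly hyphenated as "Microsoft-signed certificates".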
From 616ad2ad31e4cbb6c8c9511d36dc7a7aff9150b9 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 21 Jan 2021 21:10:00 -0800
Subject: [PATCH 142/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 5b2bb0e35f..b7016cc7ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -37,7 +37,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint)
4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis)
-5. [Reviewing your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
+5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
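Review bot: item 4 still has the same label/heading mismatch this change fixes for item 5: the list reads "Submitting an entity for analysis" while its anchor and heading are "Part 4: Submit a file for analysis". Since the Part 4 body opens with "You can submit entities, such as files and fileless detections", the heading is the one that is too narrow; if it is renamed to "Submit an entity for analysis", update the anchor in this list in the same commit so the link does not break.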
From 244dc8bbb5d5464dea2fe6390c906766bc36e622 Mon Sep 17 00:00:00 2001
From: Carmen Forsmann
Date: Fri, 22 Jan 2021 13:09:33 -0800
Subject: [PATCH 143/454] Update waas-delivery-optimization.md
Add link to Dynamic Updates blog post.
---
windows/deployment/update/waas-delivery-optimization.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 599fd37ab1..bbafcf8b44 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -66,7 +66,7 @@ For information about setting up Delivery Optimization, including tips for the b
- Xbox game pass games
- MSIX apps (HTTP downloads only)
- Edge browser installs and updates
- - Dynamic updates
+ - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847)
## Requirements
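Review bot: the new link points at a Tech Community blog post (`techcommunity.microsoft.com/.../the-benefits-of-windows-10-dynamic-update/ba-p/467847`) rather than at product documentation; blog URLs tend to move, so if a docs.microsoft.com page describing Dynamic Update exists, link that here and cite the blog as supplementary reading.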
@@ -93,7 +93,7 @@ The following table lists the minimum Windows 10 version that supports Delivery
| MSIX apps (HTTP downloads only) | 2004 |
| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 |
| Edge browser installs and updates | 1809 |
-| Dynamic updates | 1903 |
+| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 |
> [!NOTE]
> Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910).
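Review bot: this is the second copy of the same blog URL on the page (the first is in the content-types list in the previous hunk). Linking the feature name once in that list and leaving this table cell as plain text "Dynamic updates" avoids maintaining two copies of an external link that will need updating together if the post moves.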
From 99e5ed848cfe0fd4aec8adcd57b8f85e02c0f637 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 13:45:39 -0800
Subject: [PATCH 144/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index b7016cc7ba..0a4832febe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -43,7 +43,7 @@ If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/w
## Part 1: Review and classify alerts
-If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. And, you can classify alerts as false positives as needed.
+If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
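Review bot: the rewritten sentence keeps a subject-verb mismatch from the original: "If your security operations team see an alert" should be "team sees". The new ending, "We recommend that you classify alerts as well.", drops the original's specific advice ("classify alerts as false positives as needed") and now says only that alerts should be classified, without saying which ones; since the steps in Part 1 classify an alert as either a false positive or a true positive before suppressing it, state that directly, for example "We recommend that you classify every alert, whether it is a true positive or a false positive."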
@@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, choose **Alerts queue**.
3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
-4. Take one of the following steps:
+4. Take one of the following steps:
- If the alert is accurate, assign and investigate the alert further.
- If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint.
- If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert.
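Review bot: the `-4. Take one of the following steps:` / `+4. Take one of the following steps:` pair is textually identical, so this is a whitespace-only change (trailing space or indentation) that the commit message "Update defender-endpoint-false-positives-negatives.md" does not explain; say what was changed so reviewers do not have to diff whitespace by hand. While this block is being touched, the context line "Select an alert to more details about the alert." is missing its verb ("to see more details").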
@@ -294,4 +294,9 @@ If you still need help after working through all the steps in this article, your
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**.
-3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request.
\ No newline at end of file
+3. In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request.
+
+## See also
+
+[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
+
\ No newline at end of file
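Review bot: the file still ends without a newline after this change (`\ No newline at end of file` appears on both sides of the hunk), and the new "See also" section adds an empty `+` line before that EOF, so the file now ends in a blank line with no terminating newline. Drop the trailing blank line and end the file with a single newline after the link to "Manage Microsoft Defender for Endpoint".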
From f508a1704b5862d2f228eaeef81762e2134cc59d Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 13:47:49 -0800
Subject: [PATCH 145/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 0a4832febe..a05b00432f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -54,10 +54,10 @@ Before you classify or suppress an alert, determine whether the alert is accurat
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, choose **Alerts queue**.
3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
-4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further.
- - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint.
- - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert.
+4. Take one of the following steps:
+ - If the alert is accurate, assign and investigate the alert further.
+ - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint.
+ - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert.
### Classify an alert as a false positive
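Review bot: every removed line in this hunk is reproduced verbatim as an added line, so the only change is whitespace in the step-4 list, the same lines PATCH 144 already touched with a whitespace-only edit one commit earlier. If the sub-bullet indentation was wrong in 144, squash this into it, and have the commit message say what the indentation is being changed to; as it stands a reviewer cannot tell whether the nested bullets are being indented or de-indented, or why.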
From f143d389fc4fe91e7feccc6d6986f9642b7b5443 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 13:56:42 -0800
Subject: [PATCH 146/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index a05b00432f..e21d65054d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -31,7 +31,7 @@ ms.custom: FPFN
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
-In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. The process of addressing false positives/negatives includes:
+In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include:
1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
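Review bot: the added intro sentence (the `+` line of this hunk) reads "your security operations can take steps", which is missing its noun; suggest "your security operations team can take steps to address false positives or false negatives". The same sentence also mixes a curly apostrophe in "you’re" with a straight one in "you're"; pick one form so the rendered page is consistent.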
@@ -39,7 +39,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce
4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis)
5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
-If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), use this article as a guide to take action. This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
+This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
## Part 1: Review and classify alerts
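Review bot: after the removal in this hunk, the surviving paragraph opens with "This article also includes information about what to do if you still need help", but the sentence it was continuing ("If you’re using Microsoft Defender for Endpoint ... use this article as a guide") has moved above the numbered list, so "also" now dangles at the start of a one-sentence paragraph. Suggest "This article includes information about ..." or fold this sentence into the intro paragraph that now ends with "These steps include:".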
@@ -55,18 +55,21 @@ Before you classify or suppress an alert, determine whether the alert is accurat
2. In the navigation pane, choose **Alerts queue**.
3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
4. Take one of the following steps:
- - If the alert is accurate, assign and investigate the alert further.
- - If the alert is a false positive, proceed to classify the alert as a false positive, and then suppress the alert. Also, create an indicator for Microsoft Defender for Endpoint.
- - If the alert is accurate but benign (unimportant), classify the alert as a true positive, and then suppress the alert.
-### Classify an alert as a false positive
+ | Alert status | What to do |
+ |:---|:---|
+ | The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
+ | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert). Also, create an indicator for Microsoft Defender for Endpoint. |
+ | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
-Your security team can classify an alert as a false positive in the Microsoft Defender Security Center, in the **Alerts queue**.
+### Classify an alert
+
+Your security team can classify an alert as a false positive or a true positive in the Microsoft Defender Security Center, in the **Alerts queue**.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. Select **Alerts queue**, and then select an alert that is a false positive.
3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens.
-4. In the **Manage alert** section, select **True alert** or **False alert**. Use **False alert** to classify a false positive.
+4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.)
> [!TIP]
> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too.
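Review bot: the heading and lead sentence in this hunk are generalized from "false positive" to "false positive or a true positive" (the new "### Classify an alert" and "Your security team can classify an alert as a false positive or a true positive"), but step 2 below them still reads "select an alert that is a false positive", so the procedure contradicts its own heading for the true-positive case; suggest "select the alert you want to classify". Two smaller points in the new table: `[investigate it](investigate-alerts.md)` is a relative link while every other link in this file (for example the `review-alerts` link in step 3) is an absolute docs.microsoft.com URL, and the "false positive" row says "Also, create an indicator for Microsoft Defender for Endpoint" without linking to the indicator section the way the classify and suppress actions in the same row are linked.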
From 87cbe724737cf5cd54d6bb7393c150d0ef345b2e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 13:59:31 -0800
Subject: [PATCH 147/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index e21d65054d..ebf9e149f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -179,9 +179,9 @@ Your security team can create indicators for files, IP addresses, URLs, domains,
| Indicator type | Prerequisites |
|:----|:----|
-|**Files** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). |
-| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date. |
+|**Files**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
+| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
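Review bot: in the "IP addresses and URLs" row, "IP is supported for all three protocols" names no protocols; the three (TCP, HTTP, and HTTPS (TLS)) are only introduced two sentences later in the Microsoft Edge sentence, so either move that list up or write "IP indicators are enforced for TCP, HTTP, and HTTPS (TLS)". Also "Encrypted URLs (full path)" and "Encrypted URLS (FQDN only)" on adjacent lines disagree on capitalization, and the certificates row uses both "IOCs" and "IoC" in consecutive sentences; the reshuffle is a good moment to settle both.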
From 7117e088936828f936875166dc99f7d0e6ee140b Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:02:08 -0800
Subject: [PATCH 148/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index ebf9e149f7..5d5c8cd439 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -177,11 +177,11 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu
Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
-| Indicator type | Prerequisites |
+| Indicator | Prerequisites |
|:----|:----|
-|**Files** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
-| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
+|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
+| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
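Review bot: renaming the header to "Indicator" and moving the "Create an indicator for ..." link to the head of each cell turns the first column into a list of how-to links rather than indicator types; a reader scanning for "Files", "IP addresses and URLs", or "Certificates" (the bold labels this hunk removes) no longer finds them. Suggest keeping the bold type name as the row label, with the link as the last line of the cell, or renaming the header to something like "Indicator type and how-to". The closing tip's `[create indicators](manage-indicators.md)` is also the only relative link in this table; the rows use absolute docs.microsoft.com URLs.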
From 313ba03c26e01250398b81e165f00a3eace1f715 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:02:39 -0800
Subject: [PATCH 149/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 5d5c8cd439..68985360e9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu
Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
| Indicator | Prerequisites |
-|:----|:----|
+|:----:|:----:|
|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
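Review bot: switching the alignment row to `|:----:|:----:|` centers two columns of multi-sentence cells, which makes the long "Files" and "IP addresses and URLs" cells ragged and harder to read; left alignment (`:----`) is the right choice for a text table. The next commit in this series (8960bc4, "Update defender-endpoint-false-positives-negatives.md") reverts exactly this line, so the two commits should be squashed rather than kept as a flip-flop in history.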
From 5fe58051f530f67580c42bea28161217a1c1387e Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:07:15 -0800
Subject: [PATCH 150/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 68985360e9..cecea25f5e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -76,7 +76,7 @@ Your security team can classify an alert as a false positive or a true positive
### Suppress an alert
-If you have alerts that are either false positives or are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center.
+If you have alerts that are either false positives or that are true positives but are for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, select **Alerts queue**.
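Review bot: the reworded sentence in this hunk, "either false positives or that are true positives but are for unimportant events", is hard to parse; suggest "either false positives or true positives for unimportant events". Since a suppression rule hides every future alert that matches it, the added "Suppressing alerts helps reduce noise" sentence is the natural place to tell the reader to scope the rule as narrowly as the case allows and to record why the alert was suppressed, so that a later analyst can tell a deliberate suppression from a blind spot.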
From 8960bc4e9c0b881a801a4e8f8ecb19e442b5494f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:07:51 -0800
Subject: [PATCH 151/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index cecea25f5e..d5976bd76c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -178,7 +178,7 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, your secu
Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
| Indicator | Prerequisites |
-|:----:|:----:|
+|:----|:----|
|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
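Review bot: left-aligning the columns is the right choice for cells this long, but the context lines of the same table carry defects worth fixing in the same change: "prior to the allow or block action" has no terminal period, "Encrypted URLS" should be "Encrypted URLs", "first party browsers" should be hyphenated as "first-party browsers", and "IP is supported for all three protocols" names no protocols at that point (TCP, HTTP and HTTPS are only listed two sentences later), so write "all three protocols (TCP, HTTP, and HTTPS)" at first mention. Each indicator cell also spans several physical lines; a markdown table cell cannot hold line breaks, so join those sentences with `<br>` or the renderer will run them together.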
From f386ac4af4d8b6e9ae82cd3a12dd8112b92ccfb8 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:10:31 -0800
Subject: [PATCH 152/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index d5976bd76c..3342692fc9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -302,4 +302,5 @@ If you still need help after working through all the steps in this article, your
## See also
[Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)
-
\ No newline at end of file
+
+[Overview of Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use)
\ No newline at end of file
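Review bot: the file still ends without a trailing newline ("\ No newline at end of file" is reported after the added link just as before); add the final newline. The two See also entries also mix link styles, the first being a relative link (manage-atp-post-migration.md) and the new one an absolute docs.microsoft.com URL; use a relative link for the in-repo target for consistency.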
From 28794addaf76195c266a81fbc9f42834482621b8 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:17:17 -0800
Subject: [PATCH 153/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 3342692fc9..56ef4f1e45 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -59,8 +59,8 @@ Before you classify or suppress an alert, determine whether the alert is accurat
| Alert status | What to do |
|:---|:---|
| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. |
- | The alert is a false positive | Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert). Also, create an indicator for Microsoft Defender for Endpoint. |
- | The alert is accurate but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
+ | The alert is a false positive | 1. Proceed to [classify the alert](#classify-an-alert) as a false positive, and then [suppress the alert](#suppress-an-alert).
2. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint.
3. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). |
+ | The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). |
### Classify an alert
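Review bot: the three numbered steps added to the false-positive row will not render as a list inside a markdown table cell, because a cell cannot contain line breaks; join them with `<br>` (for example `1. Proceed to ... <br> 2. [Create an indicator](...) ... <br> 3. [Submit a file ...](...)`) or move the steps below the table. Both the removed and the added rows also start with a space before the first `|` while the header rows do not; align them so every renderer treats the rows as part of the same table.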
From aabbcc4e3710334f83029829595e8bbd8d3f0749 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:18:46 -0800
Subject: [PATCH 154/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 56ef4f1e45..4cc8fd34a3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -45,7 +45,7 @@ This article also includes information about [what to do if you still need help]
If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
-Managing your alerts and classifying false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
+Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
### Determine whether an alert is accurate
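Review bot: "true/false positives" on the `+` line reads better as "true and false positives", matching the wording used elsewhere in the article. The unchanged context line above also has a subject-verb slip: "If your security operations team see an alert" should be "sees".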
From 223f0f72df48f4d2163e19aa778a881ea8767469 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:21:00 -0800
Subject: [PATCH 155/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 4cc8fd34a3..48f1a3208e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -54,7 +54,7 @@ Before you classify or suppress an alert, determine whether the alert is accurat
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the navigation pane, choose **Alerts queue**.
3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).)
-4. Take one of the following steps:
+4. Depending on the alert status, take the steps described in the following table:
| Alert status | What to do |
|:---|:---|
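Review bot: pointing step 4 at the table is clearer than "Take one of the following steps". The unchanged step 3 on the context line is missing a verb: "Select an alert to more details about the alert" should be "Select an alert to view more details about it". Make sure a blank line separates step 4 from the table so the table is not swallowed into the list item.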
From e4a721f0618a51e419046ab3d179b42160e08574 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:26:14 -0800
Subject: [PATCH 156/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 48f1a3208e..20fe6f78d4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -227,7 +227,7 @@ To check for updates regarding your submission, sign in at the [Microsoft Securi
Microsoft Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you’re getting numerous false positives, make sure to review your organization’s threat protection settings. You might need to make some adjustments to the following settings in particular:
- [Cloud-delivered protection](#cloud-delivered-protection)
-- [Remediation for potentially unwanted apps](#remediation-for-potentially-unwanted-applications-pua) (PUA)
+- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications)
### Cloud-delivered protection
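Review bot: the new anchor `#remediation-for-potentially-unwanted-applications` only resolves if the target heading was renamed in the same change; the old anchor ended in `-pua`, which means the heading previously read "Remediation for potentially unwanted applications (PUA)", and this hunk does not show that heading being edited. Confirm a `### Remediation for potentially unwanted applications` heading exists with exactly that text, otherwise the link is broken.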
From 9dafcb23f50b744dbc973442916eb7e335bbb52f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 22 Jan 2021 14:32:47 -0800
Subject: [PATCH 157/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 20fe6f78d4..195c784c4e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -201,7 +201,7 @@ If you have a file that was either wrongly detected as malicious or was missed,
If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool.
-1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run ** MpCmdRun.exe** as an administrator.
+1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator.
2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`.
3. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide).
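Review bot: the inline code on the `+` line still has a leading space inside the backticks (`` ` C:\ProgramData\Microsoft\Windows Defender\Platform\` ``), which renders as a path beginning with a space; remove it. The two paths in this procedure also disagree on the product folder: step 1 uses `C:\ProgramData\Microsoft\Windows Defender\Platform\` while the default output location on the context line is `C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab`. Verify which folder name is correct (and whether MpCmdRun.exe sits directly under `Platform\` or in a versioned subfolder), since readers will copy these paths verbatim.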
From f22675ab6af56193c9f671f3963ecee865bf57c4 Mon Sep 17 00:00:00 2001
From: Matthew Palko
Date: Fri, 22 Jan 2021 17:29:45 -0800
Subject: [PATCH 158/454] Restructuring Windows Hello for Business Docs
---
windows/security/identity-protection/TOC.md | 2 +-
.../feature-multifactor-unlock.md | 4 +-
.../hello-deployment-guide.md | 43 ++++---
.../hello-for-business/hello-features.md | 57 ---------
.../hello-how-it-works-tech-deep-dive.md | 49 --------
.../hello-for-business/hello-how-it-works.md | 31 +++--
.../hello-identity-verification.md | 33 ++---
.../hello-planning-guide.md | 28 +++--
.../hello-for-business/index.yml | 113 ++++++++++++++++++
.../hello-for-business/toc.md | 4 +-
.../hello-for-business/toc.yml | 18 +++
windows/security/identity-protection/index.md | 2 +-
12 files changed, 213 insertions(+), 171 deletions(-)
delete mode 100644 windows/security/identity-protection/hello-for-business/hello-features.md
delete mode 100644 windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
create mode 100644 windows/security/identity-protection/hello-for-business/index.yml
create mode 100644 windows/security/identity-protection/hello-for-business/toc.yml
diff --git a/windows/security/identity-protection/TOC.md b/windows/security/identity-protection/TOC.md
index 7f7f58c2b8..16e55efb95 100644
--- a/windows/security/identity-protection/TOC.md
+++ b/windows/security/identity-protection/TOC.md
@@ -18,7 +18,7 @@
#### [User Account Control security policy settings](user-account-control\user-account-control-security-policy-settings.md)
#### [User Account Control Group Policy and registry key settings](user-account-control\user-account-control-group-policy-and-registry-key-settings.md)
-## [Windows Hello for Business](hello-for-business/hello-identity-verification.md)
+## [Windows Hello for Business](hello-for-business/index.yml)
## [Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md)
### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
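Review bot: the TOC entry now targets `hello-for-business/index.yml`, which this commit creates (see the `create mode` line in the diffstat), so the target exists; confirm the TOC build accepts a `.yml` landing page as a node target in TOC.md rather than only `.md` files. The previous target, hello-identity-verification.md, is still linked from the deployment overview note later in this patch, so it must remain published.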
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 215c86beea..da9b1c7c1e 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,5 +1,5 @@
---
-title: Multifactor Unlock
+title: Multi-factor Unlock
description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
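Review bot: the title becomes "Multi-factor Unlock", but the description on the context line directly below still says "multifactor device unlock" and the keywords line lists both spellings; pick one form and apply it to the description and body text as well.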
@@ -16,7 +16,7 @@ localizationpriority: medium
ms.date: 03/20/2018
ms.reviewer:
---
-# Multifactor Unlock
+# Multi-factor Unlock
**Applies to:**
- Windows 10
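Review bot: `ms.date` stays at 03/20/2018 although the page is modified here; the deployment guide in this same commit bumps its `ms.date` to 01/21/2021, so do the same for consistency.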
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index f3f064b1d1..95b07dfe0d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,5 +1,5 @@
---
-title: Windows Hello for Business Deployment Guide
+title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
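Review bot: the title is changed to "Windows Hello for Business Deployment Overview", but the description on the next context line still reads "Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment"; update it to describe an overview that routes readers to the per-model deployment guides.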
@@ -13,28 +13,35 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/29/2018
+ms.date: 01/21/2021
ms.reviewer:
---
-# Windows Hello for Business Deployment Guide
+# Windows Hello for Business Deployment Overview
**Applies to**
-- Windows 10, version 1703 or later
+
+- Windows 10, version 1703 or later
Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair.
-This deployment guide is to guide you through deploying Windows Hello for Business, based on the planning decisions made using the Planning a Windows Hello for Business Deployment Guide. It provides you with the information needed to successfully deploy Windows Hello for Business in an existing environment.
+This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
+
+Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment.
+
+> [!NOTE]
+> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
## Assumptions
-This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
-* A well-connected, working network
-* Internet access
-* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning
-* Proper name resolution, both internal and external names
-* Active Directory and an adequate number of domain controllers per site to support authentication
-* Active Directory Certificate Services 2012 or later
-* One or more workstation computers running Windows 10, version 1703
+This guide assumes that baseline infrastructure exists which meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have:
+
+- A well-connected, working network
+- Internet access
+- Multi-factor Authentication Server to support MFA during Windows Hello for Business provisioning
+- Proper name resolution, both internal and external names
+- Active Directory and an adequate number of domain controllers per site to support authentication
+- Active Directory Certificate Services 2012 or later
+- One or more workstation computers running Windows 10, version 1703
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
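Review bot: typo on the added line "the deployment guide for the that model will provide" (drop "the"). The new Passwordless Wizard link is an absolute admin-center URL with a fragment (`#/modernonboarding/passwordlesssetup`); such deep links are brittle, so consider linking the portal entry point instead, or at least state that it requires signing in to the Microsoft 365 admin center. The switch from `*` to `-` bullets matches the rest of the file and is fine.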
@@ -46,15 +53,17 @@ Windows Hello for Business has three deployment models: Cloud, hybrid, and on-pr
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
-The trust model determines how you want users to authenticate to the on-premises Active Directory:
-* The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
-* The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
-* The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
+The trust model determines how you want users to authenticate to the on-premises Active Directory:
+
+- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
+- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
+- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
> [!NOTE]
> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
Following are the various deployment guides and models included in this topic:
+
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
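Review bot: this hunk only swaps `*` for `-` and adds a blank line, but the carried-over bullets have grammar that could be fixed at the same time: "for enterprise that *do* want" should be "for enterprises that *do* want", and "certificate trust model" in the third bullet should be hyphenated like "certificate-trust model" in the second. "2016 domain controllers" would also be clearer as "Windows Server 2016 domain controllers", the wording the NOTE below already uses.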
diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md
deleted file mode 100644
index d35d4dea64..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: Windows Hello for Business Features
-description: Consider additional features you can use after your organization deploys Windows Hello for Business.
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-ms.reviewer:
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, PIN Reset, Dynamic Lock, Multifactor Unlock, Forgot PIN, Privileged credentials
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 11/27/2019
----
-# Windows Hello for Business Features
-
-**Applies to:**
-
-- Windows 10
-
-Consider these additional features you can use after your organization deploys Windows Hello for Business.
-
-## Conditional access
-
-Azure Active Directory provides a wide set of options for protecting access to corporate resources. Conditional access provides more fine grained control over who can access certain resources and under what conditions. For more information see [Conditional Access](hello-feature-conditional-access.md).
-
-## Dynamic lock
-
-Dynamic lock uses a paired Bluetooth device to determine user presence and locks the device if a user is not present. For more information and configuration steps see [Dynamic Lock](hello-feature-dynamic-lock.md).
-
-## PIN reset
-
-Windows Hello for Business supports user self-management of their PIN. If a user forgets their PIN, they have the ability to reset it from Settings or the lock screen. The Microsoft PIN reset service can be used for completing this reset without the user needing to enroll a new Windows Hello for Business credential. For more information and configuration steps see [Pin Reset](hello-feature-pin-reset.md).
-
-## Dual Enrollment
-
-This feature enables provisioning of administrator Windows Hello for Business credentials that can be used by non-privileged accounts to perform administrative actions. These credentials can be used from the non-privileged accounts using **Run as different user** or **Run as administrator**. For more information and configuration steps see [Dual Enrollment](hello-feature-dual-enrollment.md).
-
-## Remote Desktop
-
-Users with Windows Hello for Business certificate trust can use their credential to authenticate to remote desktop sessions over RDP. When authenticating to the session, biometric gestures can be used if they are enrolled. For more information and configuration steps see [Remote Desktop](hello-feature-remote-desktop.md).
-
-## Related topics
-
-- [Windows Hello for Business](hello-identity-verification.md)
-- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-- [Windows Hello and password changes](hello-and-password-changes.md)
-- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
-- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
-- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
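Review bot: deleting hello-features.md removes the page that links out to the individual feature articles (hello-feature-conditional-access.md, hello-feature-dynamic-lock.md, hello-feature-pin-reset.md, hello-feature-dual-enrollment.md, hello-feature-remote-desktop.md); make sure the toc.yml and index.yml created in this commit link each of them, and add a redirect from the deleted page's URL so existing inbound links and search results do not 404.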
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
deleted file mode 100644
index 0e03beb9e3..0000000000
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: How Windows Hello for Business works - Technical Deep Dive
-description: Deeply explore how Windows Hello for Business works, and how it can help your users authenticate to services.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: mapalko
-ms.author: mapalko
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-localizationpriority: medium
-ms.date: 08/19/2018
-ms.reviewer:
----
-# Technical Deep Dive
-
-**Applies to:**
-- Windows 10
-
-Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#registration)
-- [Provisioning](#provisioning)
-- [Authentication](#authentication)
-
-## Registration
-
-Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-
-[How Device Registration Works](hello-how-it-works-device-registration.md)
-
-
-## Provisioning
-
-Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
-After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
-For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
-Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
-
-[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
-
-## Authentication
-
-Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
-
-[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
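Review bot: the Registration, Provisioning and Authentication sections removed here are being folded into hello-how-it-works.md (the Registration paragraph reappears verbatim in the next file of this patch); add a redirect from hello-how-it-works-tech-deep-dive.md to that page. When carrying the remaining paragraphs over, fix their grammar rather than copying them as-is: "Provision can occur automatically" should be "Provisioning", "With the device registered, and provisioning complete. Users can sign-in" is a sentence fragment, and "The PIN nor the private portion of the credential are never sent" should read "Neither the PIN nor the private portion of the credential is ever sent".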
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 528c1b6fe8..60d7c90219 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -19,7 +19,7 @@ ms.reviewer:
**Applies to**
-- Windows 10
+- Windows 10
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
@@ -28,20 +28,37 @@ Watch this quick video where Pieter Wigleven gives a simple explanation of how W
## Technical Deep Dive
-Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business.
+Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business.
-Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work.
+### Device Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+For more information read [how device registration works](hello-how-it-works-device-registration.md).
+
+### Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works.
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
+
+For more information read [how provisioning works](hello-how-it-works-provisioning.md).
+
+### Authentication
+
+Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
+
> [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek]
-- [Technology and Terminology](hello-how-it-works-technology.md)
-- [Device Registration](hello-how-it-works-device-registration.md)
-- [Provisioning](hello-how-it-works-provisioning.md)
-- [Authentication](hello-how-it-works-authentication.md)
+For more information read [how authentication works](hello-how-it-works-authentication.md).
## Related topics
+- [Technology and Terminology](hello-how-it-works-technology.md)
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
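Review bot: the new Authentication paragraph carries over two defects from the deleted text. "The PIN nor the private portion of the credential are never sent" is a double negative; write "Neither the PIN nor the private portion of the credential is ever sent to the identity provider". "With the device registered, and provisioning complete. Users can sign-in" is a fragment; join it as "With the device registered and provisioning complete, users can sign in" (verb form without the hyphen). Also, the intro now ends with "each of the categories" while the same sentence opens with "uses several components"; pick one term.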
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 4d3512719a..d53a57bff1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,6 +1,6 @@
---
-title: Windows Hello for Business (Windows 10)
-description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices.
+title: Windows Hello for Business Deployment Prerequisite Overview
+description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
ms.reviewer:
keywords: identity, PIN, biometric, Hello, passport
@@ -15,29 +15,14 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 05/05/2018
+ms.date: 1/22/2021
---
-# Windows Hello for Business
+# Windows Hello for Business Deployment Prerequisite Overview
-In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
-Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account.
+This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business.
-Windows Hello addresses the following problems with passwords:
-
-- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites.
-- Server breaches can expose symmetric network credentials (passwords).
-- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673).
-- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing).
-
-> | | | |
-> | :---: | :---: | :---: |
-> | [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) |
-
-
-## Prerequisites
-
-### Cloud Only Deployment
+## Cloud Only Deployment
* Windows 10, version 1511 or later
* Microsoft Azure Account
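Review bot: `ms.date: 1/22/2021` uses a different format from the `ms.date: 01/22/2021` added to index.yml in the same patch and from the zero-padded `05/05/2018` it replaces; use `01/22/2021`. Separately, the removed "Windows Hello addresses the following problems with passwords" list (with its replay-attack and phishing links) is dropped rather than moved anywhere in this patch; confirm hello-overview.md already covers it before deleting.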
@@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords:
* Modern Management (Intune or supported third-party MDM), *optional*
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
-### Hybrid Deployments
+## Hybrid Deployments
-The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
+The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process.
| Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed |
| --- | --- | --- | --- |
@@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a
> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
-### On-premises Deployments
+## On-premises Deployments
The table shows the minimum requirements for each deployment.
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 265aa7219d..22519b0b31 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -19,13 +19,15 @@ ms.reviewer:
# Planning a Windows Hello for Business Deployment
**Applies to**
-- Windows 10
+
+- Windows 10
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs.
-If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
+> [!Note]
+>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup).
## Using this guide
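Review bot: `>If you have an Azure tenant` is missing the space after `>`; the other callout in this file is written `> Hybrid deployments support ...`, so use `> If you have ...` for consistency.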
@@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on
Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment.
There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are:
-* Deployment Options
-* Client
-* Management
-* Active Directory
-* Public Key Infrastructure
-* Cloud
+
+- Deployment Options
+- Client
+- Management
+- Active Directory
+-Public Key Infrastructure
+- Cloud
### Baseline Prerequisites
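Review bot: `-Public Key Infrastructure` is missing the space after the hyphen, so it renders as the literal text "-Public Key Infrastructure" appended to the previous bullet instead of as the fifth list item; change it to `- Public Key Infrastructure`.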
@@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza
There are three deployment models from which you can choose: cloud only, hybrid, and on-premises.
##### Cloud only
+
The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure.
##### Hybrid
+
The hybrid deployment model is for organizations that:
-* Are federated with Azure Active Directory
-* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
-* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
+
+- Are federated with Azure Active Directory
+- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect
+- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
> [!Important]
> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
new file mode 100644
index 0000000000..98c1dc8fc0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -0,0 +1,113 @@
+### YamlMime:Landing
+
+title: Windows Hello for Business documentation
+summary: Learn how to manage and deploy Windows Hello for Business.
+
+metadata:
+ title: Windows Hello for Business documentation
+ description: Learn how to manage and deploy Windows Hello for Business.
+ ms.prod: w10
+ ms.topic: landing-page
+ author: mapalko
+ manager: dansimp
+ ms.author: mapalko
+ ms.date: 01/22/2021
+ ms.collection: M365-identity-device-management
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card
+ - title: About Windows Hello For Business
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Windows Hello for Business Overview
+ url: hello-overview.md
+ - linkListType: concept
+ links:
+ - text: Passwordless Strategy
+ url: passwordless-strategy.md
+ - text: Why a PIN is better than a password
+ url: hello-why-pin-is-better-than-password.md
+ - text: Windows Hello biometrics in the enterprise
+ url: hello-biometrics-in-enterprise.md
+ - text: How Windows Hello for Business works
+ url: hello-how-it-works.md
+ -linkListType: learn
+ links:
+ - text: Technical Deep Dive - Device Registration
+ url: hello-how-it-works-device-registration.md
+ - text: Technical Deep Dive - Provisioning
+ url: hello-how-it-works-provisioning.md
+ - text: Technical Deep Dive - Authentication
+ url: hello-how-it-works-authentication.md
+ - text: Technology and Terminology
+ url: hello-how-it-works-technology.md
+ - text: Frequently Asked Questions (FAQ)
+ url: hello-faq.yml
+
+ # Card
+ - title: Configure and manage Windows Hello for Business
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: Windows Hello for Business Deployment Overview
+ url: hello-deployment-guide.md
+ - text: Planning a Windows Hello for Business Deployment
+ url: hello-planning-guide.md
+ - text: Deployment Prerequisite Overview
+ url: hello-identity-verification.md
+ - linkListType: how-to-guide
+ links:
+ - text: Hybrid Azure AD Joined Key Trust Deployment
+ url: hello-hybrid-key-trust.md
+ - text: Hybrid Azure AD Joined Certificate Trust Deployment
+ url: hello-hybrid-cert-trust.md
+ - text: On-premises SSO for Azure AD Joined Devices
+ url: hello-hybrid-aadj-sso.md
+ - text: On-premises Key Trust Deployment
+ url: hello-deployment-key-trust.md
+ - text: On-premises Certificate Trust Deployment
+ url: hello-deployment-cert-trust.md
+ - linkListType: learn
+ links:
+ - text: Manage Windows Hello for Business in your organization
+ url: hello-manage-in-organization.md
+ - text: Windows Hello and password changes
+ url: hello-and-password-changes.md
+ - text: Prepare people to use Windows Hello
+ url: hello-prepare-people-to-use.md
+
+ # Card
+ - title: Windows Hello for Business Features
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Conditional Access
+ url: hello-feature-conditional-access.md
+ - text: PIN Reset
+ url: hello-feature-pin-reset.m
+ - text: Dual Enrollment
+ url: hello-feature-dual-enrollment.md
+ - text: Dynamic Lock
+ url: hello-feature-dynamic-lock.md
+ - text: Multi-factor Unlock
+ url: feature-multifactor-unlock.md
+ - text: Remote Desktop
+ url: hello-feature-remote-desktop.md
+
+ # Card
+ - title: Windows Hello for Business Troubleshooting
+ linkLists:
+ - linkListType: concept
+ links:
+ - text: Known Deployment Issues
+ url: hello-deployment-issues.md
+ - text: Errors During PIN Creation
+ url: hello-errors-during-pin-creation.md
+
+
+
\ No newline at end of file
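Review bot: two entries in this file will break the landing page. `-linkListType: learn` under the "About" card is missing the space after the hyphen, so it is not parsed as a new list item; write `- linkListType: learn`. `url: hello-feature-pin-reset.m` is missing the `d` of `.md` (toc.md in this same patch links `hello-feature-pin-reset.md`). Minor: "About Windows Hello For Business" capitalises "For" while every other title uses "for Business", and the file ends with three blank lines and no trailing newline.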
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
index b046ac97ee..77e08dfd22 100644
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@@ -1,6 +1,6 @@
# [Windows Hello for Business](hello-identity-verification.md)
-## [Password-less Strategy](passwordless-strategy.md)
+## [Passwordless Strategy](passwordless-strategy.md)
## [Windows Hello for Business Overview](hello-overview.md)
## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
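Review bot: the top-level entry still links the title "Windows Hello for Business" to hello-identity-verification.md, which this patch retitles "Windows Hello for Business Deployment Prerequisite Overview", while index.md is redirected to the new index.yml landing page; point this entry at index.yml as well (or rename it) so the TOC title matches the page it opens.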
@@ -10,7 +10,7 @@
### [Conditional Access](hello-feature-conditional-access.md)
### [Dual Enrollment](hello-feature-dual-enrollment.md)
### [Dynamic Lock](hello-feature-dynamic-lock.md)
-### [Multifactor Unlock](feature-multifactor-unlock.md)
+### [Multi-factor Unlock](feature-multifactor-unlock.md)
### [PIN Reset](hello-feature-pin-reset.md)
### [Remote Desktop](hello-feature-remote-desktop.md)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
new file mode 100644
index 0000000000..dd48cc97b4
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -0,0 +1,18 @@
+- name: Windows Hello for Business documentation
+ href: index.yml
+- name: Overview
+ items:
+ - name: Windows Hello for Business Overview
+ href: hello-overview.md
+- name: Concepts
+ items:
+ - name:
+ href:
+- name: How-to Guides
+ items:
+ - name:
+ href:
+- name: Reference
+ items:
+ - name:
+ href:
\ No newline at end of file
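Review bot: the Concepts, How-to Guides and Reference sections contain only empty `- name:` / `href:` placeholders, which render as blank TOC nodes (or fail build validation); either populate them from the link lists in index.yml or omit the sections until they have content. The file also lacks a trailing newline.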
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index f57abc302f..dd87cded73 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and
| [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. |
| [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. |
| [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. |
-| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
+| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. |
| [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. |
From 7a3c2bf326fd2ee9fb14527cac612e996625ad1e Mon Sep 17 00:00:00 2001
From: Matthew Palko
Date: Fri, 22 Jan 2021 17:32:22 -0800
Subject: [PATCH 159/454] fixing new line
---
.../security/identity-protection/hello-for-business/index.yml | 3 ---
.../security/identity-protection/hello-for-business/toc.yml | 3 ++-
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 98c1dc8fc0..c26699645a 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -108,6 +108,3 @@ landingContent:
url: hello-deployment-issues.md
- text: Errors During PIN Creation
url: hello-errors-during-pin-creation.md
-
-
-
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index dd48cc97b4..2c20b2052d 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -15,4 +15,5 @@
- name: Reference
items:
- name:
- href:
\ No newline at end of file
+ href:
+
\ No newline at end of file
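Review bot: the `\ No newline at end of file` marker still follows the added line, so toc.yml still does not end with a newline; the added line is empty (or whitespace-only) and only moves the problem down one line. Terminate ` href:` with a newline instead of appending an empty line.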
From 56837ef515082a92bd6802b9fc828a86251c2d06 Mon Sep 17 00:00:00 2001
From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com>
Date: Sat, 23 Jan 2021 19:07:52 +0100
Subject: [PATCH 160/454] Update install-vamt.md
adding link to ADK, removing specific version to ease maintenance of this page as we would have to update it at least once a year.
---
windows/deployment/volume-activation/install-vamt.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 6b18acd8ae..c2737b30a4 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,8 +49,8 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
-1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
-Reminder: There won't be new ADK release for 1909.
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install)
+It is recommended to uninstall and install the latest version of ADK if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
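Review bot: the continuation line `It is recommended to uninstall and install ...` is not indented under step 1, so it breaks the numbered list (the `Reminder:` line it replaces had the same problem); indent it to sit inside the list item. The new link also embeds the `en-us` locale; use `https://docs.microsoft.com/windows-hardware/get-started/adk-install` so the page follows the reader's locale.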
From 539a6ec83a1a5072f7482874fc5bf4a27fb51021 Mon Sep 17 00:00:00 2001
From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com>
Date: Sat, 23 Jan 2021 19:29:08 +0100
Subject: [PATCH 161/454] Update install-vamt.md
spellings / corrections
---
windows/deployment/volume-activation/install-vamt.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index c2737b30a4..3c482e49b3 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,8 +49,8 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
-1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install)
-It is recommended to uninstall and install the latest version of ADK if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
+1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install).
+It is recommended to uninstall ADK and install the latest version, if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
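Review bot: the `/en-us/` locale segment remains in the ADK link; drop it so docs.microsoft.com serves the reader's locale. The inserted comma in "install the latest version, if you use a previous version" separates the condition from its clause; "It is recommended to uninstall ADK and install the latest version if you use a previous version." reads more cleanly.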
From b7ac564fd79b1e104204a9c2155adb1968e9e98e Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 24 Jan 2021 14:30:32 +0200
Subject: [PATCH 162/454] 1
---
.../microsoft-defender-atp/find-machines-by-tag.md | 13 ++++++++++---
.../get-discovered-vulnerabilities.md | 4 ++++
.../microsoft-defender-atp/get-domain-statistics.md | 7 ++++++-
.../microsoft-defender-atp/get-file-statistics.md | 7 ++++++-
.../microsoft-defender-atp/get-ip-statistics.md | 7 ++++++-
.../get-missing-kbs-machine.md | 6 +++++-
.../get-security-recommendations.md | 4 ++++
.../microsoft-defender-atp/import-ti-indicators.md | 2 +-
8 files changed, 42 insertions(+), 8 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
index c077f850b8..e34e5962d8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
@@ -32,7 +32,7 @@ ms.topic: article
## API description
Find [Machines](machine.md) by [Tag](machine-tags.md).
-
+
```startswith``` query is supported.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
@@ -56,7 +56,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
## HTTP request
```
-GET /api/machines/findbytag(tag='{tag}')
+GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false}
```
## Request headers
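Review bot: the request shape changes from the function-style `findbytag(tag='{tag}')` to the query-string `findbytag?tag={tag}&useStartsWithFilter={true/false}` without saying whether the old form still works; if the service still accepts it, keep it documented as an alternative, otherwise call out the change explicitly so existing callers know to migrate.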
@@ -65,6 +65,13 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+tag | String | The tag name. **Required**.
+useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**.
+
## Request body
Empty
@@ -78,5 +85,5 @@ If successful - 200 OK with list of the machines in the response body.
Here is an example of the request.
```
-GET https://api.securitycenter.microsoft.com/api/machines/findbytag(tag='testTag')
+GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true
```
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index 773a35d073..258209f10d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -30,8 +30,12 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
+## API description
Retrieves a collection of discovered vulnerabilities related to a given device ID.
+## Limitations
+1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
+
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index dda241406d..3720025ad9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -62,6 +62,11 @@ Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body
Empty
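Review bot: `lookBackHours` is defined in hours but its default is given as "30 days"; state the default in the parameter's own unit (720 hours) and document the maximum accepted value so callers know how far back they can query.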
@@ -77,7 +82,7 @@ If successful and domain exists - 200 OK, with statistics object in the response
Here is an example of the request.
```
-GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats
+GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48
```
**Response**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index 45c0c7f97f..ac9da34d73 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -62,6 +62,11 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body
Empty
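Review bot: the `lookBackHours` row mixes units: the parameter is in hours but the default reads "30 days". Give the default as 720 hours and state the accepted range.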
@@ -77,7 +82,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil
Here is an example of the request.
```
-GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats
+GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48
```
**Response**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index e720d2f338..5ba7c77cd7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -63,6 +63,11 @@ Name | Type | Description
:---|:---|:---
Authorization | String | Bearer {token}. **Required**.
+## Request URI parameters
+
+Name | Type | Description
+:---|:---|:---
+lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**.
## Request body
Empty
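Review bot: as in the other statistics endpoints, `lookBackHours` defaults to "30 days" while the parameter is expressed in hours; write the default as 720 hours and add the maximum the API accepts.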
@@ -78,7 +83,7 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no
Here is an example of the request.
```http
-GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats
+GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48
```
**Response**
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index 9ac01f22cf..abb4bd89f5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -30,7 +30,11 @@ ms.technology: mde
[!include[Improve request performance](../../includes/improve-request-performance.md)]
-Retrieves missing KBs (security updates) by device ID
+## API description
+Retrieves missing KBs (security updates) by device ID.
+
+## Limitations
+1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
## HTTP request
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index 1d2dfe41dd..f08ce4f926 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -31,8 +31,12 @@ ms.technology: mde
[!include[Prerelease information](../../includes/prerelease.md)]
+## API description
Retrieves a collection of security recommendations related to a given device ID.
+## Limitations
+1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour.
+
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
index 822e0f9985..8e33f2ae5c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
@@ -37,7 +37,7 @@ Submits or Updates batch of [Indicator](ti-indicator.md) entities.
## Limitations
1. Rate limitations for this API are 30 calls per minute.
2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant.
-
+3. Maximum batch size for one API call is 500.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md)
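Review bot: the new item 3 replaces the blank line that separated the numbered list from `## Permissions`, so the heading now directly follows a list item; keep a blank line before the heading so the list closes cleanly in Markdown. The added limit itself ("Maximum batch size for one API call is 500") is a useful addition and fits the existing numbered-limitations style.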
From b54bd97a85d313c549533a537de4f5dcc35b61ea Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 24 Jan 2021 14:57:21 +0200
Subject: [PATCH 163/454] 2
---
.../add-or-remove-machine-tags.md | 6 ++++--
.../collect-investigation-package.md | 4 +++-
.../get-alert-related-domain-info.md | 4 +---
.../get-alert-related-files-info.md | 4 +---
.../get-alert-related-ip-info.md | 4 +---
.../get-alert-related-machine-info.md | 4 +---
.../get-alert-related-user-info.md | 4 +---
.../microsoft-defender-atp/get-domain-statistics.md | 4 +---
.../microsoft-defender-atp/get-file-information.md | 4 +---
.../microsoft-defender-atp/get-file-statistics.md | 4 +---
.../get-investigation-collection.md | 4 +---
.../microsoft-defender-atp/get-ip-statistics.md | 4 +---
.../microsoft-defender-atp/get-kbinfo-collection.md | 7 ++-----
.../microsoft-defender-atp/get-machine-by-id.md | 4 +---
.../get-machine-log-on-users.md | 4 +---
.../get-machineaction-object.md | 6 ++----
.../get-machineactions-collection.md | 6 ++----
.../microsoft-defender-atp/get-machines.md | 4 +---
.../get-machinesecuritystates-collection.md | 7 ++-----
.../microsoft-defender-atp/get-package-sas-uri.md | 8 ++------
.../get-ti-indicators-collection.md | 12 ++++--------
.../microsoft-defender-atp/get-user-information.md | 7 ++-----
.../initiate-autoir-investigation.md | 8 +++++---
.../microsoft-defender-atp/isolate-machine.md | 10 ++++++----
.../microsoft-defender-atp/offboard-machine-api.md | 6 ++++--
.../restrict-code-execution.md | 9 +++++----
.../microsoft-defender-atp/run-advanced-query-api.md | 12 +++++++-----
.../microsoft-defender-atp/run-av-scan.md | 6 ++++--
.../stop-and-quarantine-file.md | 6 ++++--
.../microsoft-defender-atp/unisolate-machine.md | 6 ++++--
.../unrestrict-code-execution.md | 6 ++++--
.../microsoft-defender-atp/update-alert.md | 5 +++--
32 files changed, 82 insertions(+), 107 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
index c9987f3a99..2a992e5e4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@@ -90,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin
Here is an example of a request that adds machine tag.
-```http
+```
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
-Content-type: application/json
+```
+
+```json
{
"Value" : "test Tag 2",
"Action": "Add"
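Review bot: this hunk drops the `http` language tag from the request fence (`-```http` / `+````) while every other request fence in this same commit is changed to or kept as ```` ```http ````; keep the tag here for consistency. Splitting the request line from its JSON body is fine, but the removed `Content-type: application/json` header was the only place the page told the caller that the body must be sent as JSON; either keep the header in the request block or add a sentence above the body saying the request must be sent with `Content-Type: application/json`.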
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
index ee50396e37..7c823acfd6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
@@ -83,7 +83,9 @@ Here is an example of the request.
```
POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
-Content-type: application/json
+```
+
+```json
{
"Comment": "Collect forensics due to alert 1234"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index 9347365103..aaa3ab921d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains",
"value": [
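Review bot: the request line shown in this hunk's header, `GET https://api.securitycenter.microsoft.com/alerts/...`, and the `@odata.context` value `https://api.securitycenter.microsoft.com/$metadata#Domains` both lack the `/api/` path segment that the sibling pages in this commit use (for example `/api/alerts/` and `/api/$metadata#Files` in get-alert-related-files-info.md). Since this commit is already touching the example, aligning the URL with the other pages would avoid shipping an example that does not match the documented base path.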
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index 80dfa7de59..705b9284db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index b241dd2b72..02701c84db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips",
"value": [
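Review bot: same path inconsistency as in get-alert-related-domain-info.md: the request in the hunk header uses `/alerts/` and the `@odata.context` uses `/$metadata#Ips`, without the `/api/` segment used by the other alert-related pages in this commit; consider fixing it while the example is being edited.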
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index e4850f8d55..a5e59345c3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -88,9 +88,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index ea89e7158c..a256a1f597 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
"id": "contoso\\user1",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index 3720025ad9..dd3331b476 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookB
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats",
"host": "example.com",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index 736c3298e2..019f1385c7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -85,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity",
"sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index ac9da34d73..cf1898803a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats",
"sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
index 47662456ae..cca2597b98 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md
@@ -90,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations
Here is an example of the response:
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
index 5ba7c77cd7..bc04301ab1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md
@@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBac
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats",
"ipAddress": "10.209.67.177",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
index f108cdfbf6..0eeced010e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md
@@ -61,18 +61,15 @@ If successful - 200 OK.
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/KbInfo
-Content-type: application/json
```
**Response**
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
"@odata.count": 271,
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
index ceac9cc0ed..0a6ff20f30 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md
@@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine",
"id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
index f4730dce02..3e9b901fac 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md
@@ -87,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
index 35d7343116..9520bd1379 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md
@@ -77,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action]
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba
```
@@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity",
"id": "5382f7ea-7557-4ab7-9782-d50480024a4e",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
index 11bd89fa3b..d910d3beda 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md
@@ -82,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m
Here is an example of the request on an organization that has three MachineActions.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions
```
@@ -91,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
index ad2331e5ab..42a179a64f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md
@@ -92,9 +92,7 @@ GET https://api.securitycenter.microsoft.com/api/machines
Here is an example of the response.
-```http
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
index 9565ba0014..9d1e0ef235 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md
@@ -60,9 +60,8 @@ If successful - 200 OK.
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
-Content-type: application/json
```
**Response**
@@ -70,9 +69,7 @@ Content-type: application/json
Here is an example of the response.
Field *id* contains device id and equal to the field *id** in devices info.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
"@odata.count":444,
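Review bot: the context line just above the fence, "Field *id* contains device id and equal to the field *id** in devices info.", has a stray second `*` after the closing emphasis and a missing verb; since this hunk is already editing the lines around it, suggest "The *id* field contains the device ID and is equal to the *id* field in the device info." The fence change to ```` ```json ```` itself is consistent with the other response examples in this commit.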
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
index ccd17fea22..2683556f81 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md
@@ -73,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri
-
```
**Response**
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
-
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
"value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\""
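Review bot: the response example keeps a multi-kilobyte SAS `token=` value inline; even if it is expired sample data, a full-length bearer-style token in documentation sets a poor precedent and makes the page hard to read and diff. Suggest truncating it to a short placeholder such as `token=<sas-token>` while keeping the surrounding URL shape, so readers see the structure without a real-looking secret. The fence changes in this hunk are otherwise consistent with the rest of the commit.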
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
index 58cb3f78a5..5a5ea5a354 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md
@@ -78,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I
Here is an example of a request that gets all Indicators
-```
+```http
GET https://api.securitycenter.microsoft.com/api/indicators
```
@@ -86,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
"value": [
@@ -141,7 +139,7 @@ Content-type: application/json
Here is an example of a request that gets all Indicators with 'AlertAndBlock' action
-```
+```http
GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock'
```
@@ -149,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A
Here is an example of the response.
-```
-HTTP/1.1 200 Ok
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
index 7a7e85e081..d4d47fa618 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md
@@ -64,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1
-Content-type: application/json
```
**Response**
@@ -74,9 +73,7 @@ Content-type: application/json
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity",
"id": "user1",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index dfb9ea34c6..caa8fb231b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Investigatio
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation
-Content-type: application/json
+```
+
+```json
{
- "Comment": "Test investigation",
+ "Comment": "Test investigation"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index 00d02c3bfe..67f0760774 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -90,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```console
+```
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
-Content-type: application/json
+```
+
+```json
{
"Comment": "Isolate machine due to alert 1234",
- “IsolationType”: “Full”
+ "IsolationType": "Full"
}
```
-- To unisolate a device, see [Release device from isolation](unisolate-machine.md).
+- To release a device from isolation, see [Release device from isolation](unisolate-machine.md).
\ No newline at end of file
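Review bot: this hunk changes the request fence from ```` ```console ```` to an untagged ```` ``` ````, while the other request examples in this commit (offboard-machine-api.md, run-av-scan.md, unisolate-machine.md) use ```` ```http ````; use the same tag here. Replacing the curly quotes around `IsolationType` and `Full` with straight quotes is a real fix, since the previous body was not valid JSON. Also note the trailing `\ No newline at end of file`: the edited bullet should end with a newline.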
diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
index 8eef870362..df8552d5a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md
@@ -87,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard
-Content-type: application/json
+```
+
+```json
{
"Comment": "Offboard machine by automation"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
index fb99be0444..a78424ca79 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md
@@ -83,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution
-Content-type: application/json
+```
+
+```json
{
"Comment": "Restrict code execution due to alert 1234"
}
```
-- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
-
+- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md).
\ No newline at end of file
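Review bot: the last part of this hunk removes the file's trailing blank line and then re-adds the bullet without a terminating newline (`\ No newline at end of file`), so the net effect of those three lines is only to strip the final newline; keep the newline at end of file. The request fence and JSON split match the pattern used elsewhere in the commit, with the same caveat that the dropped `Content-type: application/json` header is no longer stated anywhere in the example.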
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 88fddcc27b..195101b45a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -35,10 +35,10 @@ ms.technology: mde
1. You can only run a query on data from the last 30 days.
2. The results will include a maximum of 100,000 rows.
3. The number of executions is limited per tenant:
- - API calls: Up to 15 calls per minute
- - Execution time: 10 minutes of running time every hour and 4 hours of running time a day
+ - API calls: Up to 45 calls per minute.
+ - Execution time: 10 minutes of running time every hour and 4 hours of running time a day.
4. The maximal execution time of a single request is 10 minutes.
-5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed.
+5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
## Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md)
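Review bot: the rewritten item 5 drops the statement that the 429 response body indicates the time until the quota is renewed and replaces it with the vaguer "Read response body to understand what limit has been reached"; if the body still carries the renewal time, keep that sentence, because it is the piece of information a client needs to back off correctly rather than retry blindly. Minor wording: "429 response will represent reaching quota limit" reads better as "A 429 response indicates that a quota limit was reached, either by number of requests or by CPU time." The rate change from 15 to 45 calls per minute should also be reflected anywhere else the limit is documented.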
@@ -82,9 +82,11 @@ Request
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/advancedqueries/run
-Content-type: application/json
+```
+
+```json
{
"Query":"DeviceProcessEvents
| where InitiatingProcessFileName =~ 'powershell.exe'
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index dda698fd60..aac2826f29 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -91,9 +91,11 @@ If successful, this method returns 201, Created response code and _MachineAction
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan
-Content-type: application/json
+```
+
+```json
{
"Comment": "Check machine for viruses due to alert 3212",
“ScanType”: “Full”
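Review bot: the context line `“ScanType”: “Full”` still uses curly quotes, so the body in the new ```` ```json ```` fence is not valid JSON; this commit fixed the identical problem for `IsolationType` in isolate-machine.md and should apply the same fix here (`"ScanType": "Full"`).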
diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
index 26a77dc157..6ab096b9f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md
@@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
-Content-type: application/json
+```
+
+```json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
index 2ddc0fa5f4..9d41281585 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md
@@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate
-Content-type: application/json
+```
+
+```json
{
"Comment": "Unisolate machine since it was clean and validated"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
index c8b9276441..41934f0380 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md
@@ -82,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution
-Content-type: application/json
+```
+
+```json
{
"Comment": "Unrestrict code execution since machine was cleaned and validated"
}
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index 4f6423b15e..d2f3515f96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -91,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in
Here is an example of the request.
-```
+```http
PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442
-Content-Type: application/json
+```
+```json
{
"status": "Resolved",
"assignedTo": "secop2@contoso.com",
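Review bot: this hunk also drops the `Content-Type: application/json` header, and unlike the unisolate-machine.md and unrestrict-code-execution.md hunks it puts the ```json fence directly after the closing ``` with no blank line in between; keep the header in the http block and add the blank line so the three pages render the same way.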
From f803e252caab050a81ec70c30fd0ae8fb48684ef Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 24 Jan 2021 15:46:51 +0200
Subject: [PATCH 164/454] 1
---
.../collect-investigation-package.md | 2 +-
.../microsoft-defender-atp/create-alert-by-reference.md | 3 ++-
.../microsoft-defender-atp/delete-ti-indicator-by-id.md | 2 +-
.../microsoft-defender-atp/find-machines-by-ip.md | 2 +-
.../microsoft-defender-atp/find-machines-by-tag.md | 2 +-
.../get-alert-related-domain-info.md | 2 +-
.../microsoft-defender-atp/get-alert-related-files-info.md | 2 +-
.../microsoft-defender-atp/get-alert-related-ip-info.md | 2 +-
.../get-alert-related-machine-info.md | 2 +-
.../microsoft-defender-atp/get-alert-related-user-info.md | 2 +-
.../threat-protection/microsoft-defender-atp/get-alerts.md | 4 ++--
.../microsoft-defender-atp/get-all-recommendations.md | 2 +-
.../get-all-vulnerabilities-by-machines.md | 2 +-
.../microsoft-defender-atp/get-all-vulnerabilities.md | 2 +-
.../microsoft-defender-atp/get-cvekbmap-collection.md | 7 ++-----
.../microsoft-defender-atp/get-device-secure-score.md | 2 +-
.../get-discovered-vulnerabilities.md | 4 ++--
.../microsoft-defender-atp/get-domain-statistics.md | 2 +-
.../microsoft-defender-atp/get-exposure-score.md | 2 +-
.../microsoft-defender-atp/get-file-information.md | 2 +-
.../microsoft-defender-atp/get-file-related-alerts.md | 2 +-
.../microsoft-defender-atp/get-file-related-machines.md | 2 +-
.../microsoft-defender-atp/get-file-statistics.md | 2 +-
.../microsoft-defender-atp/get-installed-software.md | 2 +-
.../microsoft-defender-atp/get-ip-related-alerts.md | 2 +-
.../get-machine-group-exposure-score.md | 2 +-
.../microsoft-defender-atp/get-machines-by-software.md | 3 +--
.../get-machines-by-vulnerability.md | 2 +-
.../microsoft-defender-atp/get-missing-kbs-machine.md | 2 +-
.../microsoft-defender-atp/get-missing-kbs-software.md | 2 +-
.../microsoft-defender-atp/get-recommendation-by-id.md | 2 +-
.../microsoft-defender-atp/get-recommendation-machines.md | 2 +-
.../microsoft-defender-atp/get-recommendation-software.md | 2 +-
.../get-recommendation-vulnerabilities.md | 2 +-
.../microsoft-defender-atp/get-security-recommendations.md | 4 ++--
.../microsoft-defender-atp/get-software-by-id.md | 3 +--
.../get-software-ver-distribution.md | 3 +--
.../microsoft-defender-atp/get-software.md | 2 +-
.../microsoft-defender-atp/get-user-related-alerts.md | 2 +-
.../microsoft-defender-atp/get-user-related-machines.md | 2 +-
.../microsoft-defender-atp/get-vuln-by-software.md | 3 +--
.../microsoft-defender-atp/get-vulnerability-by-id.md | 2 +-
.../microsoft-defender-atp/import-ti-indicators.md | 3 ++-
.../microsoft-defender-atp/isolate-machine.md | 2 +-
.../microsoft-defender-atp/post-ti-indicator.md | 3 ++-
.../microsoft-defender-atp/run-av-scan.md | 2 +-
.../microsoft-defender-atp/update-alert.md | 2 +-
47 files changed, 54 insertions(+), 58 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
index 7c823acfd6..dea6142742 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md
@@ -81,7 +81,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
index ac6a1ed6be..91a38d3f42 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md
@@ -96,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference
```
+
```json
{
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
index c4921c50f4..127f52cd7a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/delete-ti-indicator-by-id.md
@@ -73,6 +73,6 @@ If Indicator with the specified id was not found - 404 Not Found.
Here is an example of the request.
-```
+```http
DELETE https://api.securitycenter.microsoft.com/api/indicators/995
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
index 5a461d731b..d9ebb6559c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
@@ -80,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z)
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
index e34e5962d8..5bb4e7756f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md
@@ -84,6 +84,6 @@ If successful - 200 OK with list of the machines in the response body.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true
```
\ No newline at end of file
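Review bot: the file still ends without a trailing newline (`\ No newline at end of file`); since the last lines are already being touched, add the newline in this change.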
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
index aaa3ab921d..c84308bef0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md
@@ -77,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains
```
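Review bot: the request line `GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains` appears to be missing the `/api` path segment that every other endpoint in this patch uses (compare `/api/alerts/.../files` in get-alert-related-files-info.md); the line is inside the hunk, so fix the path while tagging the fence.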
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
index 705b9284db..015b98dba0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md
@@ -77,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
index 02701c84db..602a1fd1c4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md
@@ -78,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips
```
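Review bot: as in get-alert-related-domain-info.md, `GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips` lacks the `/api` segment present in the sibling `.../api/alerts/.../machine` and `.../api/alerts/.../user` examples; correct the path here rather than leaving an inconsistent URL in a block that is now marked as http.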
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
index a5e59345c3..60d47669c1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md
@@ -79,7 +79,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
index a256a1f597..2afbe73739 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md
@@ -78,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
index 918af17cc7..eb0067b2ba 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md
@@ -88,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts
```
@@ -152,7 +152,7 @@ Here is an example of the response.
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
index 9be5af6b31..6548493ea9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
index 73cc542fda..0126da149d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md
@@ -72,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
index 17f9e97ef1..00ade14700 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Vulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
index 41df827074..3264cc7d76 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md
@@ -61,18 +61,15 @@ If successful and map exists - 200 OK.
Here is an example of the request.
-```
+```http
GET https://graph.microsoft.com/testwdatppreview/CveKbMap
-Content-type: application/json
```
**Response**
Here is an example of the response.
-```
-HTTP/1.1 200 OK
-Content-type: application/json
+```json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
"@odata.count": 4168,
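Review bot: removing `HTTP/1.1 200 OK` and `Content-type` from the response block is consistent with tagging it ```json, but the request URL left in place, `https://graph.microsoft.com/testwdatppreview/CveKbMap`, uses a different host and a `testwdatppreview` path segment than the `api.securitycenter.microsoft.com/api/...` endpoints in every other file of this patch; confirm this page is still current, or note why it differs, before investing further in its formatting.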
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
index b18413a57e..2edded89ae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md
@@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/configurationScore
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
index 258209f10d..760ce4ddb9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md
@@ -71,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities
```
@@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4
Here is an example of the response.
-```
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
index dd3331b476..13a3f3f28f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md
@@ -81,7 +81,7 @@ If successful and domain exists - 200 OK, with statistics object in the response
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
index c06627a36f..0288816bb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md
@@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/exposureScore
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
index 019f1385c7..37b4c39da7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md
@@ -76,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
index dd23bde922..1ef694df96 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md
@@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
index 981b5352e4..c0de4442c2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md
@@ -79,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
index cf1898803a..ab8b12267d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md
@@ -81,7 +81,7 @@ If successful and file exists - 200 OK with statistical data in the body. If fil
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
index 1d74c52f25..9effa5d7a6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md
@@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
index ec0bd5533a..d4f66c71d6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md
@@ -79,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
index f7ea61feb1..6f54986e33 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md
@@ -70,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
index cbcb0e0b06..b2f9da0734 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
index 35a821c812..bf4208cd36 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
index abb4bd89f5..d3c13ddae1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md
@@ -62,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
index 4c037b678e..3b53dabe02 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md
@@ -68,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
index d752962405..5548416186 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
index 7d46d6e6fe..fa448849b7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
index 4f144b37e3..0fcdc3e55a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
index 6c606f3bfc..e4a52ff2a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
index f08ce4f926..2581a14cb0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md
@@ -70,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations
```
@@ -79,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4
Here is an example of the response.
-```
+```json
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index da3f09fb2d..58ff771315 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity",
"id": "microsoft-_-edge",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
index c707f59ef2..897e0c91a7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions
```
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
index 95e59d134f..b070207ed0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md
@@ -66,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
index 7705c00e4b..341e56d35d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md
@@ -81,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1/alerts
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
index 7cab2321b4..b91c080c8e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md
@@ -82,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/users/user1/machines
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
index c60ff31fdb..762572746a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities
```
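Review bot: the hunk context `returns 200 OK with a a list of vulnerabilities` carries a doubled "a a"; since the file is being edited anyway, fold that typo fix into this change.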
@@ -76,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne
Here is an example of the response.
```json
-
{
"@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)",
"value": [
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
index e8cc9c8257..441ac6bf08 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md
@@ -67,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in
Here is an example of the request.
-```
+```http
GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
index 8e33f2ae5c..ae63ad7d4b 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md
@@ -79,9 +79,10 @@ Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indica
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/indicators/import
```
+
```json
{
"Indicators":
diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
index 67f0760774..15f0c9b691 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md
@@ -90,7 +90,7 @@ If successful, this method returns 201 - Created response code and [Machine Acti
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate
```
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index c5bedda425..f019e3a9d3 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -89,9 +89,10 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator
Here is an example of the request.
-```
+```http
POST https://api.securitycenter.microsoft.com/api/indicators
```
+
```json
{
"indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f",
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
index aac2826f29..68a10a5e99 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md
@@ -98,7 +98,7 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
```json
{
"Comment": "Check machine for viruses due to alert 3212",
- “ScanType”: “Full”
+ "ScanType": "Full"
}
```
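Review bot: Good fix on the `“ScanType”: “Full”` line; the curly quotes made the sample invalid JSON for anyone pasting it into a request body. Because the `"Comment"` line directly above already used straight quotes, the sample was evidently assembled by hand, so the other request-body samples in this directory are worth scanning for the same U+201C/U+201D characters before this lands.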
diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
index d2f3515f96..a19d0d51e1 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md
@@ -103,4 +103,4 @@ PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_213
"determination": "Malware",
"comment": "Resolve my alert and assign to secop2"
}
-```
+```
\ No newline at end of file
From c8dde0220a6429f0e4fa375709c1b642f5ec4a98 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 24 Jan 2021 16:17:49 +0200
Subject: [PATCH 165/454] 5
---
.../threat-protection/microsoft-defender-atp/investigation.md | 2 +-
.../threat-protection/microsoft-defender-atp/machine.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
index 6afbbec900..64b309d544 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md
@@ -40,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint.
Method|Return Type |Description
:---|:---|:---
[List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation
-[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity.
+[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity.
[Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device.
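Review bot: The link fix on the "Get single Investigation" row is right; it previously pointed at `get-investigation-collection.md`, the same target as the "List Investigations" row above it. One style nit in the same table: the "List Investigations" description, "Get collection of Investigation", lacks the trailing period and the verb form the other two rows use ("Gets single Investigation entity.", "Starts Investigation on a device."); consider "Gets a collection of Investigation entities."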
diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine.md b/windows/security/threat-protection/microsoft-defender-atp/machine.md
index c0cfd906a5..896f5ca654 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/machine.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/machine.md
@@ -62,7 +62,7 @@ version | String | Operating system Version.
osBuild | Nullable long | Operating system build number.
lastIpAddress | String | Last IP on local NIC on the [machine](machine.md).
lastExternalIpAddress | String | Last IP through which the [machine](machine.md) accessed the internet.
-healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication"
+healthStatus | Enum | [machine](machine.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData", "NoSensorDataImpairedCommunication" and "Unknown".
rbacGroupName | String | Machine group Name.
rbacGroupId | Int | Machine group unique ID.
riskScore | Nullable Enum | Risk score as evaluated by Microsoft Defender for Endpoint. Possible values are: 'None', 'Informational', 'Low', 'Medium' and 'High'.
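Review bot: Adding "Unknown" to the `healthStatus` enum is fine, but the row gives no hint of when the service returns it, and a consumer that filters on the other values (for example, to find devices reporting "NoSensorData") will silently miss devices in "Unknown"; a short clause on when "Unknown" appears would help. A consistency nit visible in the same hunk: `healthStatus` lists its values in double quotes while `riskScore` two rows down uses single quotes ('None', 'Informational', ...).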
From 5823e24e7ac6d543273fdbf8963a454ad921f8d6 Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Sun, 24 Jan 2021 16:50:27 +0200
Subject: [PATCH 166/454] 3
---
.../microsoft-defender-atp/run-advanced-query-api.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
index 195101b45a..1f52029bfe 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md
@@ -36,7 +36,7 @@ ms.technology: mde
2. The results will include a maximum of 100,000 rows.
3. The number of executions is limited per tenant:
- API calls: Up to 45 calls per minute.
- - Execution time: 10 minutes of running time every hour and 4 hours of running time a day.
+ - Execution time: 10 minutes of running time every hour and 3 hours of running time a day.
4. The maximal execution time of a single request is 10 minutes.
5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached.
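Review bot: The daily execution-time quota on the `Execution time` bullet drops from 4 hours to 3 hours, but the commit subject is just "3", so nothing records where the new figure comes from; integrators size scheduled hunting jobs around this number, so the commit message should say whether the service limit changed or the old figure was a documentation error. Note also that with the unchanged hourly cap of 10 minutes per hour, the hourly limit alone allows exactly 4 hours in a day, which suggests the previous value may have been derived from it; if the daily cap is now genuinely 3 hours, that is worth stating explicitly since the two limits no longer coincide.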
From 963bbb8f93de94590c0ed5948d0a965dd92d304e Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 25 Jan 2021 21:09:14 +0500
Subject: [PATCH 167/454] Update TOC.md
---
windows/security/threat-protection/TOC.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index af35c57f47..122083cfeb 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -114,6 +114,7 @@
##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md)
##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md)
##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md)
+##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md)
##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )
#### [Network protection]()
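Review bot: The new entry follows the existing `#####` nesting correctly. While this block is being touched, the neighbouring line `[Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md )` carries a stray space before the closing parenthesis, which some markdown renderers treat as part of the link target; worth fixing in the same commit.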
From 463b8b0f8cf8d6b1066728d21cb4b34138608a98 Mon Sep 17 00:00:00 2001
From: Rick Munck <33725928+jmunck@users.noreply.github.com>
Date: Mon, 25 Jan 2021 10:13:26 -0600
Subject: [PATCH 168/454] Update security-compliance-toolkit-10.md
Removed 1709 as we don't support it any longer and pulled it from the DLC
---
.../security/threat-protection/security-compliance-toolkit-10.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index fd8ba1f7f9..509869f9e5 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -34,7 +34,6 @@ The Security Compliance Toolkit consists of:
- Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- - Windows 10 Version 1709 (Fall Creators Update)
- Windows 10 Version 1607 (Anniversary Update)
- Windows 10 Version 1507
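Review bot: Removing `Windows 10 Version 1709 (Fall Creators Update)` matches the commit message, but the list keeps Version 1607 and Version 1507 below it, which are older releases; a reader will reasonably ask why 1709 goes while those stay. If they remain because they belong to a different servicing channel, a word to that effect next to those entries, or at least in the commit message, would pre-empt the question.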
From f8e3f311ae43ba2b3c195b8c4a5c48b54c9c4869 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 25 Jan 2021 21:17:00 +0500
Subject: [PATCH 169/454] Update mandatory-settings-for-wip.md
---
.../mandatory-settings-for-wip.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index eb25f0556d..bf2e926154 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
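Review bot: In the new link on the "Choose your WIP protection level" row, the link text says "Manage the WIP protection mode for your enterprise data" but the fragment is `#manage-the-wip-protection-level-for-your-enterprise-data`; one of the two is stale, and the text should match the heading it targets. The link also points only at the Configuration Manager topic (`create-wip-policy-using-configmgr`) while the sentence still says "section of the policy creation topics" (plural); either link the other policy creation topic as well or reword. Separately, the "Specify your corporate identity" row below ends without the closing `|` that the other rows carry.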
From b9cae92b5b8afb1f57771f5120df16ddfed3079a Mon Sep 17 00:00:00 2001
From: Matthew Palko
Date: Mon, 25 Jan 2021 10:57:53 -0800
Subject: [PATCH 170/454] updating toc to toc.yml and updating nesting to match
restructuring of documentation
---
.../hello-for-business/index.yml | 4 +-
.../hello-for-business/toc.md | 72 ----------
.../hello-for-business/toc.yml | 132 +++++++++++++++++-
3 files changed, 127 insertions(+), 81 deletions(-)
delete mode 100644 windows/security/identity-protection/hello-for-business/toc.md
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index c26699645a..4035fa1cd7 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -89,7 +89,7 @@ landingContent:
- text: Conditional Access
url: hello-feature-conditional-access.md
- text: PIN Reset
- url: hello-feature-pin-reset.m
+ url: hello-feature-pin-reset.md
- text: Dual Enrollment
url: hello-feature-dual-enrollment.md
- text: Dynamic Lock
@@ -102,7 +102,7 @@ landingContent:
# Card
- title: Windows Hello for Business Troubleshooting
linkLists:
- - linkListType: concept
+ - linkListType: how-to-guide
links:
- text: Known Deployment Issues
url: hello-deployment-issues.md
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
deleted file mode 100644
index 77e08dfd22..0000000000
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ /dev/null
@@ -1,72 +0,0 @@
-# [Windows Hello for Business](hello-identity-verification.md)
-
-## [Passwordless Strategy](passwordless-strategy.md)
-
-## [Windows Hello for Business Overview](hello-overview.md)
-## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
-## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-
-## [Windows Hello for Business Features](hello-features.md)
-### [Conditional Access](hello-feature-conditional-access.md)
-### [Dual Enrollment](hello-feature-dual-enrollment.md)
-### [Dynamic Lock](hello-feature-dynamic-lock.md)
-### [Multi-factor Unlock](feature-multifactor-unlock.md)
-### [PIN Reset](hello-feature-pin-reset.md)
-### [Remote Desktop](hello-feature-remote-desktop.md)
-
-## [How Windows Hello for Business works](hello-how-it-works.md)
-### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive)
-#### [Device Registration](hello-how-it-works-device-registration.md)
-#### [Provisioning](hello-how-it-works-provisioning.md)
-#### [Authentication](hello-how-it-works-authentication.md)
-#### [Technology and Terminology](hello-how-it-works-technology.md)
-
-## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md)
-
-## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
-
-## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md)
-
-### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
-#### [Prerequisites](hello-hybrid-key-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-key-new-install.md)
-#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
-#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
-
-### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
-#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-#### [New Installation Baseline](hello-hybrid-cert-new-install.md)
-#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md)
-#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
-
-### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
-#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md)
-#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md)
-
-### [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
-#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
-##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
-
-### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
-#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
-
-## [Windows Hello and password changes](hello-and-password-changes.md)
-## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
-
-## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml)
-### [Windows Hello for Business Videos](hello-videos.md)
-
-## Windows Hello for Business Troubleshooting
-### [Known Deployment Issues](hello-deployment-issues.md)
-### [Errors during PIN creation](hello-errors-during-pin-creation.md)
-### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 2c20b2052d..65d8c83904 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -5,15 +5,133 @@
- name: Windows Hello for Business Overview
href: hello-overview.md
- name: Concepts
+ expanded: true
items:
- - name:
- href:
+ - name: Passwordless Strategy
+ href: passwordless-strategy.md
+ - name: Why a PIN is better than a password
+ href: hello-why-pin-is-better-than-password.md
+ - name: Windows Hello biometrics in the enterprise
+ href: hello-biometrics-in-enterprise.md
+ - name: How Windows Hello for Business works
+ href: hello-how-it-works.md
+ - name: Technical Deep Dive
+ items:
+ - name: Device Registration
+ href: hello-how-it-works-device-registration.md
+ - name: Provisioning
+ href: hello-how-it-works-provisioning.md
+ - name: Authentication
+ href: hello-how-it-works-authentication.md
- name: How-to Guides
items:
- - name:
- href:
+ - name: Windows Hello for Business Deployment Overview
+ href: hello-deployment-guide.md
+ - name: Planning a Windows Hello for Business Deployment
+ href: hello-planning-guide.md
+ - name: Deployment Prerequisite Overview
+ href: hello-identity-verification.md
+ - name: Prepare people to use Windows Hello
+ href: hello-prepare-people-to-use.md
+ - name: Deployment Guides
+ items:
+ - name: Hybrid Azure AD Joined Key Trust
+ items:
+ - name: Hybrid Azure AD Joined Key Trust Deployment
+ href: hello-hybrid-key-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-key-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-key-new-install.md
+ - name: Configure Directory Synchronization
+ href: hello-hybrid-key-trust-dirsync.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-key-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-key-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-key-whfb-provision.md
+ - name: Hybrid Azure AD Joined Certificate Trust
+ items:
+ - name: Hybrid Azure AD Joined Certificate Trust Deployment
+ href: hello-hybrid-cert-trust.md
+ - name: Prerequisites
+ href: hello-hybrid-cert-trust-prereqs.md
+ - name: New Installation Baseline
+ href: hello-hybrid-cert-new-install.md
+ - name: Configure Azure Device Registration
+ href: hello-hybrid-cert-trust-devreg.md
+ - name: Configure Windows Hello for Business settings
+ href: hello-hybrid-cert-whfb-settings.md
+ - name: Sign-in and Provisioning
+ href: hello-hybrid-cert-whfb-provision.md
+ - name: On-premises SSO for Azure AD Joined Devices
+ items:
+ - name: On-premises SSO for Azure AD Joined Devices Deployment
+ href: hello-hybrid-aadj-sso.md
+ - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+ href: hello-hybrid-aadj-sso-base.md
+ - name: Using Certificates for AADJ On-premises Single-sign On
+ href: hello-hybrid-aadj-sso-cert.md
+ - name: On-premises Key Trust
+ items:
+ - name: On-premises Key Trust Deployment
+ href: hello-deployment-key-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-key-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-key-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-key-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-key-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-key-trust-policy-settings.md
+ - name: On-premises Certificate Trust
+ items:
+ - name: On-premises Certificate Trust Deployment
+ href: hello-deployment-cert-trust.md
+ - name: Validate Active Directory Prerequisites
+ href: hello-cert-trust-validate-ad-prereq.md
+ - name: Validate and Configure Public Key Infrastructure
+ href: hello-cert-trust-validate-pki.md
+ - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+ href: hello-cert-trust-adfs.md
+ - name: Validate and Deploy Multi-factor Authentication (MFA) Services
+ href: hello-cert-trust-validate-deploy-mfa.md
+ - name: Configure Windows Hello for Business policy settings
+ href: hello-cert-trust-policy-settings.md
+ - name: Managing Windows Hello for Business in your organization
+ href: hello-manage-in-organization.md
+ - name: Windows Hello for Business Features
+ items:
+ - name: Conditional Access
+ href: hello-feature-conditional-access.md
+ - name: PIN Reset
+ href: hello-feature-pin-reset.md
+ - name: Dual Enrollment
+ href: hello-feature-dual-enrollment.md
+ - name: Dynamic Lock
+ href: hello-feature-dynamic-lock.md
+ - name: Multi-factor Unlock
+ href: feature-multifactor-unlock.md
+ - name: Remote Desktop
+ href: hello-feature-remote-desktop.md
+ - name: Troubleshooting
+ items:
+ - name: Known Deployment Issues
+ href: hello-deployment-issues.md
+ - name: Errors During PIN Creation
+ href: hello-errors-during-pin-creation.md
+ - name: Event ID 300 - Windows Hello successfully created
+ href: hello-event-300.md
+ - name: Windows Hello and password changes
+ href: hello-and-password-changes.md
- name: Reference
items:
- - name:
- href:
-
\ No newline at end of file
+ - name: Technology and Terminology
+ href: hello-how-it-works-technology.md
+ - name: Frequently Asked Questions (FAQ)
+ href: hello-faq.yml
+ - name: Windows Hello for Business videos
+ href: hello-videos.md
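Review bot: The `- name: Windows Hello for Business Features` node is followed directly by `items:` with no `href`, yet the toc.md deleted in this same commit linked that section to `hello-features.md`. Every other page from the old toc has a home in the new tree, so this looks like the one page dropped by the migration; add `href: hello-features.md` under that node unless the page is being retired. `Technical Deep Dive` is likewise a container without an href where the old toc linked `hello-how-it-works.md#technical-deep-dive`, but that is defensible because the parent entry `How Windows Hello for Business works` already links the page.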
From 9d7d199078b9917f52ea02e07840f65cb861b886 Mon Sep 17 00:00:00 2001
From: Matthew Palko
Date: Mon, 25 Jan 2021 11:18:44 -0800
Subject: [PATCH 171/454] fixing issues with toc.yml and index.yml
---
.../security/identity-protection/hello-for-business/index.yml | 2 +-
windows/security/identity-protection/hello-for-business/toc.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml
index 4035fa1cd7..4282b8e701 100644
--- a/windows/security/identity-protection/hello-for-business/index.yml
+++ b/windows/security/identity-protection/hello-for-business/index.yml
@@ -36,7 +36,7 @@ landingContent:
url: hello-biometrics-in-enterprise.md
- text: How Windows Hello for Business works
url: hello-how-it-works.md
- -linkListType: learn
+ - linkListType: learn
links:
- text: Technical Deep Dive - Device Registration
url: hello-how-it-works-device-registration.md
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml
index 65d8c83904..8a29bb7d81 100644
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@@ -102,7 +102,7 @@
- name: Configure Windows Hello for Business policy settings
href: hello-cert-trust-policy-settings.md
- name: Managing Windows Hello for Business in your organization
- href: hello-manage-in-organization.md
+ href: hello-manage-in-organization.md
- name: Windows Hello for Business Features
items:
- name: Conditional Access
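Review bot: The `-`/`+` pair for `href: hello-manage-in-organization.md` reads identically here, so this must be a whitespace-only change to the YAML indentation; the commit message "fixing issues with toc.yml and index.yml" should say so, since anyone reading the rendered diff otherwise sees a no-op. A mis-indented `href` can parse without error yet attach to the wrong node, so it is worth confirming the rendered TOC now shows the link under "Managing Windows Hello for Business in your organization".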
From 28dedc57f594e67d556975d66849129bc3307241 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 12:35:49 -0800
Subject: [PATCH 172/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 195c784c4e..85158c1cb2 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 01/22/2021
+ms.date: 01/25/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -38,12 +38,14 @@ In endpoint protection, a false positive is an entity, such as a file or a proce
3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint)
4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis)
5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
+6. [Getting help if you still have issues with false positives/negatives](#still-need-help)
-This article also includes information about [what to do if you still need help](#still-need-help) after taking the recommended steps to address false positives/negatives in your environment.
+> [!IMPORTANT]
+> This article is intended for security operators and administrators.
## Part 1: Review and classify alerts
-If your security operations team see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
+If you see an alert that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well.
Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items.
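Review bot: The rewritten sentence now addresses "you" directly, but the unchanged paragraph that follows still speaks of "your security team" and "your security operations dashboard"; that is consistent with the new IMPORTANT note scoping the article to security operators and administrators, but the rest of Part 1 should be read for leftover references to "your security operations team" so the voice does not flip back and forth within the section.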
From 4562ca67bd6db40e1773e49f74f9839efde54300 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 12:39:33 -0800
Subject: [PATCH 173/454] Update defender-endpoint-false-positives-negatives.md
---
...defender-endpoint-false-positives-negatives.md | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 85158c1cb2..8e5c202978 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -136,7 +136,8 @@ To define exclusions across Microsoft Defender for Endpoint, perform the followi
- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus)
- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint)
-Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint.
+> [!NOTE]
+> Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), and [controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/controlled-folders). Files that you exclude using the methods described in this article can still trigger alerts and other detections. To exclude files broadly, use [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators), such as "allow" indicators for Microsoft Defender for Endpoint.
The procedures in this section describe how to define exclusions and indicators.
@@ -169,20 +170,20 @@ In general, you should not need to define exclusions for Microsoft Defender Anti
### Indicators for Microsoft Defender for Endpoint
-[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, your security operations team can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
+[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
-To specify entities as exclusions for Microsoft Defender for Endpoint, your security team can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to:
+To specify entities as exclusions for Microsoft Defender for Endpoint, you can create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to:
- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10)
- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
-Your security team can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
+You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
-| Indicator | Prerequisites |
+| Indicator type and considerations | Prerequisites |
|:----|:----|
-|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
-| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
+| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.
For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
> [!TIP]
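Review bot: in the re-added IP/URL/domain row (`+| **[Create an indicator for an IP address, URL, or domain]...`), merging the consideration lines puts "IP is supported for all three protocols." before the sentence that names the protocols (TCP, HTTP, and HTTPS (TLS)), so the reference dangles; move that sentence after the Network Protection sentence or spell the protocols out there. Smaller wording points in the same hunk: "Trying to block trusted, signed files, can have performance implications." has a stray comma before "can"; "The allow or block function cannot be done on a file if the file's classification exists on the device's cache" reads better as "An allow or block action cannot be applied to a file whose classification is already in the device's cache"; "Encrypted URLS (FQDN only)" should be "URLs"; and the certificate row mixes "allow/block certificate IOCs" with "allow/block IoC functionality" in one sentence, so pick one spelling.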
From 5928b1b0cfbd5d7b5630ea698680f7f63aeaa643 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 12:42:43 -0800
Subject: [PATCH 174/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 8e5c202978..084f8103db 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -183,15 +183,15 @@ You can create indicators for files, IP addresses, URLs, domains, and certificat
| Indicator type and considerations | Prerequisites |
|:----|:----|
|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
-| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.
For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
+| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.
For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
+| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
## Part 4: Submit a file for analysis
-You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. After you sign in at the submission site, you can track your submissions.
+You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions. When you sign in at the submission site, you can track your submissions.
### Submit a file for analysis
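Review bot: the rewritten network prerequisite cell (`... | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))`) drops the "is" and the period inside the parenthetical that the file and certificate rows keep ("(See [Manage cloud-based protection](...).)"), so the three Prerequisites cells no longer read the same way; restore "is enabled" and the period, or change the other two rows to match. The merged certificate line still carries the "IOCs"/"IoC" inconsistency and the "Encrypted URLS" typo from the earlier change. In the trailing TIP, `[create indicators](manage-indicators.md)` is a relative link while every other link in this table is an absolute docs.microsoft.com URL; use one form.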
@@ -202,7 +202,7 @@ If you have a file that was either wrongly detected as malicious or was missed,
### Submit a fileless detection for analysis
-If something was detected as malware based on behavior, and you don’t have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool.
+If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool.
1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator.
2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
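Review bot: code formatting is added to `Mpsupport.cab` but `MPCmdRun.exe` in the same sentence stays unformatted and is cased differently from `MpCmdRun.exe` in step 1 and `mpcmdrun.exe` in step 2; use one spelling, `MpCmdRun.exe`, in backticks throughout, and format ".cab" the same way as `Mpsupport.cab`. Also, step 1's path has a leading space inside the backticks before `C:\ProgramData\Microsoft\Windows Defender\Platform\`, which renders as a space in front of the drive letter.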
@@ -294,6 +294,10 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
8. On the **Applicability Rules** tab, specify the OS editions or versions to include or exclude from the policy. For example, you can set the policy to be applied to all devices certain editions of Windows 10. Then choose **Next**.
9. On the **Review + create** tab, review your settings, and, and then choose **Create**.
+### Automated investigation and remediation
+
+
+
## Still need help?
If you still need help after working through all the steps in this article, your best bet is to contact technical support.
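Review bot: the added `### Automated investigation and remediation` heading is committed with three blank lines and no body, so the rendered page gets an empty section until the content lands; either include the text in this change or leave the heading out of it. Two typos sit in the surrounding context if you are touching this area: "applied to all devices certain editions of Windows 10" is missing "running", and "and, and then choose **Create**" duplicates "and".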
From 2309a9407d18e11647f246145b695b5374280108 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 13:14:30 -0800
Subject: [PATCH 175/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 084f8103db..f8d93d2f54 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -296,7 +296,39 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
### Automated investigation and remediation
+[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
+Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).)
+
+All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation.
+
+### Review actions that were taken
+
+1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. Select the **History** tab.
+3. Select an item to view more details about that remediation action.
+
+### Undo remediation actions
+
+If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more.
+
+1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
+2. Select the **History** tab.
+3. Select the actions that you want to undo.
+4. In the pane on the right side of the screen, select **Undo**.
+
+> [!TIP]
+> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).
+
+### Review and if needed, edit your automation level
+
+AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels).
+
+- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious.
+- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken.
+- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation.
+
+To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation).
## Still need help?
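Review bot: no blank line separates the two new opening paragraphs (`+[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities ...` and `+Depending on the [level of automation] ...`), so Markdown renders them as one paragraph; add a blank `+` line between them. That first link is also relative (`automated-investigations.md`) while the rest of the section uses absolute docs.microsoft.com URLs. "Action Center" (Review actions step 1) and "Action center" (Undo step 1) name the same place; pick one. The heading "Review and if needed, edit your automation level" needs the commas: "Review and, if needed, edit". One content suggestion for the *Full automation* bullet: since this article is about false positives, say explicitly that under full automation a *Malicious* verdict on a false positive is acted on (for example, quarantine) before anyone reviews it, which is what the undo steps above are for.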
From 27efc5c2bc073c2823d0882dc57c7c9f1f0b8cf6 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 13:16:18 -0800
Subject: [PATCH 176/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index f8d93d2f54..24e9fbf78e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -328,11 +328,13 @@ AIR capabilities in Defender for Endpoint are configured to one of several [leve
- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken.
- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation.
-To review your AIR configuration and learn more about automation levels, see [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation) and the [Levels of automation table](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation).
+To review your AIR configuration and learn more about automation levels, see:
+- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation)
+- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation)
## Still need help?
-If you still need help after working through all the steps in this article, your best bet is to contact technical support.
+If you have worked through all the steps in this article and still need help, your best bet is to contact technical support.
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
2. In the upper right corner, select the question mark (**?**), and then select **Microsoft support**.
From 708066fb3779d7e195bc664c7dd7ee24cab311e9 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 13:21:09 -0800
Subject: [PATCH 177/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 24e9fbf78e..695656e24e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -231,6 +231,7 @@ Microsoft Defender for Endpoint offers a wide variety of options, including the
- [Cloud-delivered protection](#cloud-delivered-protection)
- [Remediation for potentially unwanted applications](#remediation-for-potentially-unwanted-applications)
+- [Automated investigation and remediation](#automated-investigation-and-remediation)
### Cloud-delivered protection
From dd563409f25933ff6510d5d4c2a062857ced65e4 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 13:29:24 -0800
Subject: [PATCH 178/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 34 ++-----------------
1 file changed, 3 insertions(+), 31 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 695656e24e..d201884712 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -299,39 +299,11 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team. Examples of remediation actions include sending a file to quarantine, stopping a service, removing a scheduled task, and more. (See [Remediation actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).)
+Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team.
-All remediation actions, whether pending or completed, can be viewed in the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)). If necessary, your security operations team can undo a remediation action. And, you can set or change your level of automation.
-
-### Review actions that were taken
-
-1. Go to the Action Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. Select the **History** tab.
-3. Select an item to view more details about that remediation action.
-
-### Undo remediation actions
-
-If you’ve determined that a device or a file is not a threat, you can undo remediation actions that were taken, whether those actions were taken automatically or manually. You can undo actions, such as isolating a device, restricting code execution, quarantining a file, removing a registry key, stopping a service, and more.
-
-1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
-2. Select the **History** tab.
-3. Select the actions that you want to undo.
-4. In the pane on the right side of the screen, select **Undo**.
-
-> [!TIP]
-> To learn more about remediation actions, see [Review and approve remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#remediation-actions).
-
-### Review and if needed, edit your automation level
-
-AIR capabilities in Defender for Endpoint are configured to one of several [levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels).
-
-- *Full automation* (recommended) means remediation actions are taken automatically on artifacts determined to be malicious.
-- *Semi-automation* means some remediation actions are taken automatically, but other remediation actions await approval before being taken.
-- *No automated response* (not recommended) means automated investigations do not run on your organization's devices, and no remediation actions are taken or pending as a result of automated investigation.
-
-To review your AIR configuration and learn more about automation levels, see:
+- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels)
- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation)
-- [Levels of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels#levels-of-automation)
+
## Still need help?
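Review bot: deleting the three bullets starting `- *Full automation* (recommended)` removes the only in-page statement of which automation level is recommended and that *No automated response* is not; the two-link list that replaces them carries no such guidance. Suggest keeping one sentence beside the `Learn more about automation levels` link ("Full automation is recommended; No automated response is not"), so a reader who does not follow the link still sees the recommendation. Dropping the "Undo remediation actions" steps here is fine because Part 2 of the same article still documents the Undo button on the History tab, but this section should then say so in one line rather than leave undo unmentioned.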
From 995a3ed9aa6c99a38ad8714908adb25b3b8e16c0 Mon Sep 17 00:00:00 2001
From: jcaparas
Date: Mon, 25 Jan 2021 13:38:04 -0800
Subject: [PATCH 179/454] Update initiate-autoir-investigation.md
---
.../microsoft-defender-atp/initiate-autoir-investigation.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
index caa8fb231b..5617ebcae7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md
@@ -92,3 +92,4 @@ POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2
{
"Comment": "Test investigation"
}
+```
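Review bot: the closing fence added as the last line of the file terminates the `POST https://api.securitycenter.microsoft.com/...` sample, but confirm the block's opening fence above the visible hunk exists and carries a language tag (`http` or `json`); if it is missing, this line opens a new empty block instead of closing one. Also check that the file now ends with a newline after the fence, since the hunk ends at end of file.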
From 3abff941ef1a32cac37e1abe0cf9fee91dc35f7f Mon Sep 17 00:00:00 2001
From: jcaparas
Date: Mon, 25 Jan 2021 13:39:46 -0800
Subject: [PATCH 180/454] Update get-software-by-id.md
---
.../microsoft-defender-atp/get-software-by-id.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
index 58ff771315..43ed0055bf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md
@@ -1,6 +1,6 @@
---
title: Get software by Id
-description: Retrieves a list of exposure scores by device group.
+description: Retrieves a list of sofware by ID.
keywords: apis, graph api, supported apis, get, software, mdatp tvm api
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
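Review bot: the new line `description: Retrieves a list of sofware by ID.` misspells "software", and "a list of ... by ID" is misleading for an endpoint titled "Get software by Id", which addresses a single item. Suggest `description: Retrieves software details by its ID.` Replacing the old text ("Retrieves a list of exposure scores by device group"), which was clearly copied from another API page, is the right fix in spirit.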
From 68d2209f6732092de9cfbad01bf0e1686feb07f3 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 13:55:09 -0800
Subject: [PATCH 181/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index d201884712..9707bf3e13 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -101,6 +101,9 @@ If you have alerts that are either false positives or that are true positives bu
Other actions, such as starting an antivirus scan or collecting an investigation package, can occur through [Live Response](live-response.md). Those actions cannot be undone.
+> [!TIP]
+> See [Review remediation actions following an automated investigation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation).
+
### Review completed actions
1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in.
@@ -301,8 +304,8 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team.
-- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels)
-- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation)
+- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then
+- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation).
## Still need help?
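Review bot: the bullet `- [Learn more about automation levels](...); and then` puts a semicolon and a conjunction inside a list item, which renders as a broken sentence in the list. If the point is that the two steps are sequential, either make them a numbered list or move the sequencing into the introductory sentence (for example "Review the automation levels, then configure AIR:") and drop the trailing `; and then` and the final period on the second bullet.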
From 2c2052341de9a76ccc675be197d8f9e4b88a4cec Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 14:01:18 -0800
Subject: [PATCH 182/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 9707bf3e13..573ce0cf3f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -302,7 +302,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions can occur automatically or only upon approval by your security operations team.
+Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team.
- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then
- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation).
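Review bot: the rewritten sentence `remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team.` merges two verdicts without saying which approval path each takes, whereas the bullet removed earlier in this series stated that full automation acts automatically only on artifacts determined to be malicious. Keep that distinction explicit (which verdict results in automatic remediation and which produces a pending action awaiting approval), and keep the verdict names italicized as in the preceding paragraph (`*Malicious*`, `*Suspicious*`) so readers can match them to the definitions.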
From 18bbbe6262a11c530e44a23e596395aaa921f787 Mon Sep 17 00:00:00 2001
From: Jeff Gilbert
Date: Mon, 25 Jan 2021 17:58:10 -0500
Subject: [PATCH 183/454] Update create-wip-policy-using-intune-azure.md
Updated per request from PM (dereka).
---
.../create-wip-policy-using-intune-azure.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index f36275b6ba..19f213f47f 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the `
For example:
```console
-URL <,proxy>|URL <,proxy>/*AppCompat*/
+URL <,proxy>|URL <,proxy>|/*AppCompat*/
```
When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
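Review bot: the corrected string `URL <,proxy>|URL <,proxy>|/*AppCompat*/` now uses `|` consistently before the `/*AppCompat*/` entry, matching the pipe-delimited form of the other entries; the old line read as a single entry with `/*AppCompat*/` appended to the proxy. The commit message ("Updated per request from PM (dereka).") gives no rationale, so put this explanation (missing separator) in the message to keep the fix traceable. Also confirm the `<,proxy>` placeholders render literally inside the `console` block rather than being treated as markup.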
From 2e2653dbb8763aa1004865b394c8bbae887b2adf Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 25 Jan 2021 15:13:56 -0800
Subject: [PATCH 184/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 573ce0cf3f..9e49265a2f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -205,7 +205,7 @@ If you have a file that was either wrongly detected as malicious or was missed,
### Submit a fileless detection for analysis
-If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool.
+If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10.
1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\`, and then run `MpCmdRun.exe` as an administrator.
2. Type `mpcmdrun.exe -GetFiles`, and then press **Enter**.
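Review bot: the added scope `... (MPCmdRun.exe) tool on Windows 10.` is fine, but the steps that follow have two visible defects worth fixing in the same change: the path in step 1 is written as `` ` C:\ProgramData\Microsoft\Windows Defender\Platform\` `` with a leading space inside the backticks, which will render as part of the path, and the tool name appears as `MPCmdRun.exe`, `MpCmdRun.exe` and `mpcmdrun.exe` on three consecutive lines. Pick one spelling (`MpCmdRun.exe`) and remove the stray space.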
From 285c15d89bcdbc854e1d7bd5fe8c1de59454cf6a Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 25 Jan 2021 17:12:21 -0800
Subject: [PATCH 185/454] Update
windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../microsoft-defender-atp/web-content-filtering.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
index b6d259a0f2..87f0151c05 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md
@@ -54,7 +54,7 @@ Before trying out this feature, make sure you have the following requirements:
- Access to Microsoft Defender Security Center portal
- Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update.
-If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave and Opera are currently 3rd party browsers in which the feature is enabled.
+If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled.
## Data handling
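Review bot: the serial comma fix in `Chrome, Firefox, Brave, and Opera` is fine; while touching this line, prefer "third-party browsers" over `3rd party browsers`, and "in which this feature is supported" over "enabled", since the preceding sentence makes the feature depend on Network Protection being enabled on the device, not on the browser.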
From a053a44b874e6005f1de3527aa9602cb8990fd0c Mon Sep 17 00:00:00 2001
From: Ben Alfasi
Date: Tue, 26 Jan 2021 10:31:42 +0200
Subject: [PATCH 186/454] 1
---
windows/security/threat-protection/TOC.md | 1 +
.../api-release-notes.md | 35 +++++++++++++++++++
2 files changed, 36 insertions(+)
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index de8090f455..3b1c804e62 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -526,6 +526,7 @@
##### [Microsoft Defender for Endpoint APIs Schema]()
###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md)
+###### [Release Notes](microsoft-defender-atp/api-release-notes.md)
###### [Common REST API error codes](microsoft-defender-atp/common-errors.md)
###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md)
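Review bot: the new TOC entry `###### [Release Notes](microsoft-defender-atp/api-release-notes.md)` does not match the page's own title (`title: API release notes` in the new file) and is inserted between the supported-APIs list and the error-code page; suggest the label "API release notes" so TOC and page agree, and placing it where readers expect release notes, typically last in the group.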
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
new file mode 100644
index 0000000000..4a650a2e4d
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md
@@ -0,0 +1,35 @@
+---
+title: API release notes
+description: Release notes for anything that is new in the API.
+keywords: apis, mdatp api, updates, notes, release
+search.product: eADQiWindows 10XVcnh
+ms.prod: m365-security
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance
+ms.topic: article
+ms.technology: mde
+---
+
+# Release Notes
+
+## 2.2.4
+
+- test 1
+
+## 2.2.3
+
+- test2
+- test3
+
+## 2.1.58
+
+- fix: test4
+- fix: test5
+- add: test6
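Review bot: the body of the new file is placeholder content (`- test 1`, `- test2`, `- fix: test4`, `- add: test6`) under version headings `2.2.4`, `2.2.3` and `2.1.58`, and the commit subject is `1`; because the same patch adds the page to the TOC, merging this would publish placeholders. Either hold the TOC change until real release notes are in, or fill in the entries before merge. The front matter (`keywords`, `ms.author: macapara`, `author: mjcaparas`, and the description "Release notes for anything that is new in the API") reads as copied boilerplate; confirm the owner fields are right for this page.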
From 3745db7676eb331faffe66aeb76d1fe77c4eb107 Mon Sep 17 00:00:00 2001
From: Guillaume Aubert <44520046+gaubert-ms@users.noreply.github.com>
Date: Tue, 26 Jan 2021 10:55:11 +0100
Subject: [PATCH 187/454] Update passwordless-strategy.md
Missing "System" in GPO path
---
.../hello-for-business/passwordless-strategy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index dd1b6b18e0..87e71bc747 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
-You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**

The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
From 7d9fbb1011a636246f5b8ee1eeda47b309177d71 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 26 Jan 2021 17:28:49 +0500
Subject: [PATCH 188/454] Update network-protection.md
---
.../microsoft-defender-atp/network-protection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 7fd98bd981..0cf3df8758 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -45,7 +45,7 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
-Network protection requires Windows 10 Pro, Enterprise E3, E5, and Microsoft Defender AV real-time protection.
+Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection.
Windows 10 version | Microsoft Defender Antivirus
-|-
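Review bot: the requirement is changed from `Windows 10 Pro, Enterprise E3, E5` to `Windows 10 Pro or Enterprise` with no source given in the commit message (`Update network-protection.md`); an edition/licensing requirement is a support statement, so cite the product requirement it is based on in the PR. The companion change to troubleshoot-np.md in the next patch aligns its checklist to the same wording, which is good; the version table that follows (`Windows 10 version | Microsoft Defender Antivirus`) should be re-checked for consistency with the new sentence.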
From 930fc4dc29b48afbc9db8b7dc0d2a7c8eb9cd62b Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 26 Jan 2021 17:32:17 +0500
Subject: [PATCH 189/454] Update troubleshoot-np.md
---
.../threat-protection/microsoft-defender-atp/troubleshoot-np.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 4bfdccfe50..82fcbb7ca7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems:
Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
-> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
+> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
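Review bot: the checklist item now matches the edition wording introduced in network-protection.md, which keeps the two pages consistent; dropping the alias "(also known as the Fall Creators Update)" is acceptable, but the same rationale and source for allowing Pro should be recorded in this commit message as well, since it is currently just `Update troubleshoot-np.md`.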
From 74cb283b850d34b520e224c3427a835072f062bd Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 08:56:15 -0800
Subject: [PATCH 190/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 9e49265a2f..d895dbaa84 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.sitesec: library
ms.pagetype: security
ms.author: deniseb
author: denisebmsft
-ms.date: 01/25/2021
+ms.date: 01/26/2021
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
@@ -35,7 +35,7 @@ In endpoint protection, a false positive is an entity, such as a file or a proce
1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
-3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint)
+3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions)
4. [Submitting an entity for analysis](#part-4-submit-a-file-for-analysis)
5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
6. [Getting help if you still have issues with false positives/negatives](#still-need-help)
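Review bot: the new anchor `#part-3-review-or-define-exclusions` matches the heading renamed in the next hunk (`## Part 3: Review or define exclusions`), so the in-page link stays valid; the old anchor `#part-3-review-or-define-exclusions-for-microsoft-defender-for-endpoint` may still be referenced from other pages, so grep the repo for it before merging. Unrelated but visible in the same list: item 4 reads "Submitting an entity for analysis" while its anchor is `#part-4-submit-a-file-for-analysis`; pick one noun for both.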
@@ -131,7 +131,7 @@ If you find that a remediation action was taken automatically on an entity that
2. On the **History** tab, select the actions that you want to undo.
3. In the pane on the right side of the screen, select **Undo**.
-## Part 3: Review or define exclusions for Microsoft Defender for Endpoint
+## Part 3: Review or define exclusions
An exclusion is an entity that you specify as an exception to remediation actions. The excluded entity might still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
From 9570f49f975fab39c28c729a2aaa0ecef3cfe3d6 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:08:43 -0800
Subject: [PATCH 191/454] crosslinking
---
.../antivirus-false-positives-negatives.md | 7 ++++++-
.../microsoft-defender-antivirus-compatibility.md | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
index 099dbc450f..e99e915192 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/antivirus-false-positives-negatives.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 06/08/2020
+ms.date: 01/26/2021
ms.reviewer: shwetaj
manager: dansimp
audience: ITPro
@@ -35,6 +35,9 @@ What if something gets detected wrongly as malware, or something is missed? We c
- [Create an "Allow" indicator to prevent a false positive from recurring](#create-an-allow-indicator-to-prevent-a-false-positive-from-recurring)
- [Define an exclusion on an individual Windows device to prevent an item from being scanned](#define-an-exclusion-on-an-individual-windows-device-to-prevent-an-item-from-being-scanned)
+> [!TIP]
+> This article focuses on false positives in Microsoft Defender Antivirus. If you want guidance for Microsoft Defender for Endpoint, which includes next-generation protection, endpoint detection and response, automated investigation and remediation, and more, see [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md).
+
## Submit a file to Microsoft for analysis
1. Review the [submission guidelines](../intelligence/submission-guide.md).
@@ -76,3 +79,5 @@ To learn more, see:
[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
+
+[Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
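Review bot: the same link to `../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md` is added twice in this file, once in the new `[!TIP]` near the top and again at the end of the "To learn more" list; one is enough, and the TIP is the more useful placement. The file also still ends without a trailing newline (`\ No newline at end of file`); add one while editing.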
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 7a74769372..ad505f776b 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -122,4 +122,5 @@ The table in this section summarizes the functionality and features that are ava
- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md)
- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md)
- [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md)
- [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about)
From 79733d6899e099c607c3c2cfac9b538d7ed473e0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:10:21 -0800
Subject: [PATCH 192/454] Update automated-investigations.md
---
.../microsoft-defender-atp/automated-investigations.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
index 4233bcca90..93e3809c2a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md
@@ -93,5 +93,6 @@ All remediation actions, whether pending or completed, can be viewed in the [Act
## See also
- [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
- [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air)
- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
From c067a53cca66b8ef72f63d94c56a31f155531c38 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:11:50 -0800
Subject: [PATCH 193/454] Update helpful-resources.md
---
.../helpful-resources.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
index 7d275ab90b..fd973e1a2a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
@@ -29,31 +29,31 @@ ms.technology: mde
Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint.
## Endpoint protection platform
-- [Top scoring in industry
+- [Top scoring in industry
tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests)
-- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
+- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/)
-- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
+- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341)
-- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
+- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571)
## Endpoint Detection Response
-- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
+- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894)
## Threat Vulnerability Management
-- [Defender for Endpoint Threat & Vulnerability Management now publicly
+- [Defender for Endpoint Threat & Vulnerability Management now publicly
available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977)
## Operational
-- [The Golden Hour remake - Defining metrics for a successful security
+- [The Golden Hour remake - Defining metrics for a successful security
operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014)
-- [Defender for Endpoint Evaluation lab is now available in public preview
+- [Defender for Endpoint Evaluation lab is now available in public preview
](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271)
-- [How automation brings value to your security
+- [How automation brings value to your security
teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
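Review bot: every `-`/`+` pair in this hunk shows identical visible text, so the change is whitespace only (trailing spaces or line endings); the commit message `Update helpful-resources.md` should say so, otherwise reviewers must diff by hand to find out. While here, the link text split across two lines (for example `- [Top scoring in industry` followed by `tests](...)`) is hard to read and grep; joining each link onto one line would make the list easier to maintain.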
From 8c381211d597a1727bfdf4afcb05e1874ec85404 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:13:01 -0800
Subject: [PATCH 194/454] Update helpful-resources.md
---
.../microsoft-defender-atp/helpful-resources.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
index fd973e1a2a..88e26c2252 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md
@@ -57,3 +57,5 @@ Access helpful resources such as links to blogs and other resources related to
- [How automation brings value to your security
teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297)
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
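Review bot: the blank line added before the new bullet (`+` followed by `+- [Address false positives/negatives ...]`) separates it from the bullet above, so in Markdown it renders as a second, loose list rather than as the last item of the existing list; drop the empty line unless the separation is intended. The file also still ends without a trailing newline (`\ No newline at end of file`); adding one avoids noisy diffs on the next edit.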
From e3fb119c6451ff8e454050d406126460f245ef88 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:14:47 -0800
Subject: [PATCH 195/454] Update manage-atp-post-migration.md
---
.../microsoft-defender-atp/manage-atp-post-migration.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
index 2cb0d3548e..efb39aa306 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md
@@ -18,7 +18,7 @@ ms.collection:
- M365-security-compliance
- m365solution-scenario
ms.topic: conceptual
-ms.date: 09/22/2020
+ms.date: 01/26/2021
ms.reviewer: chventou
---
@@ -43,3 +43,6 @@ The following table lists various tools/methods you can use, with links to learn
|**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs).
See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). |
|**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.*
You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell).
You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi).
You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). |
+## See also
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
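Review bot: the new `## See also` section leaves the file without a trailing newline (`\ No newline at end of file`); since this hunk already appends to the end of the file, end it with a newline so the next change to this file does not show a spurious diff on the last line. The relative link `defender-endpoint-false-positives-negatives.md` matches the style used in the table above (for example `manage-atp-post-migration-group-policy-objects.md`), which is good.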
From 92f0b61c0674ae8e52cab1d67873b1ad9594da14 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:23:40 -0800
Subject: [PATCH 196/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index d895dbaa84..217c0ca4ff 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -307,6 +307,9 @@ Depending on the [level of automation](https://docs.microsoft.com/windows/securi
- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then
- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation).
+> [!TIP]
+> We recommend using *Full automation* for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use ["allow" indicators to define exceptions](#indicators-for-microsoft-defender-for-endpoint), and keep automated investigation and remediation set to take appropriate actions automatically. Following [this guidance](automation-levels.md#levels-of-automation) helps reduce the number of alerts your security operations team must handle.
+
## Still need help?
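Review bot: the new tip mixes link styles within one sentence, pointing to `automation-levels.md#levels-of-automation` as a relative link while the bullet two lines above links the same article through the full `https://docs.microsoft.com/.../automation-levels` URL; pick one form for both. On substance, the advice "Don't turn these capabilities off because of a false positive. Instead, use allow indicators" would be more useful with two qualifications the reader can act on: allow indicators cover only the entity types the article lists (files, IP addresses, URLs, domains, and certificates), and an indicator created after the fact does not reverse a remediation already taken, which is what Part 2 ("Reviewing remediation actions that were taken") covers; a pointer to Part 2 here would close that gap.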
From 66e207e995f7d51a6d0f8f2e0301d2c609cfc185 Mon Sep 17 00:00:00 2001
From: Peter Lewis
Date: Tue, 26 Jan 2021 17:28:04 +0000
Subject: [PATCH 197/454] fix title
fix title which omitted full wording (replace "Set up Microsoft c for macOS device groups in Jamf Pro" with "Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro")
---
.../microsoft-defender-atp/mac-jamfpro-device-groups.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
index 3b011e3606..73dc882a2c 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md
@@ -20,7 +20,7 @@ ms.topic: conceptual
ms.technology: mde
---
-# Set up Microsoft c for macOS device groups in Jamf Pro
+# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
From 99ddcfab0a6114688c9433efb418c6f987d0a1c8 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 09:31:20 -0800
Subject: [PATCH 198/454] Update auto-investigation-action-center.md
---
.../microsoft-defender-atp/auto-investigation-action-center.md | 3 +++
1 file changed, 3 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
index e929d6e210..0fb359840a 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md
@@ -170,3 +170,6 @@ When you click on the pending actions link, you'll be taken to the Action center
- [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide)
+## See also
+
+- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md)
\ No newline at end of file
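Review bot: the appended `## See also` section ends the file without a trailing newline (`\ No newline at end of file`), the same issue as in the other files in this series; add the newline while touching the end of the file.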
From cf5684d08b22e3cc90316984028b006030ded975 Mon Sep 17 00:00:00 2001
From: Karl Wester-Ebbinghaus <45657752+Karl-WE@users.noreply.github.com>
Date: Tue, 26 Jan 2021 19:07:58 +0100
Subject: [PATCH 199/454] Update
windows/deployment/volume-activation/install-vamt.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
windows/deployment/volume-activation/install-vamt.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 3c482e49b3..8fc4fde224 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -50,7 +50,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
### Install VAMT using the ADK
1. Download the latest version of [Windows 10 ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install).
-It is recommended to uninstall ADK and install the latest version, if you use a previous version. Existing data of VAMT is maintained in the respective VAMT database.
+ If an older version is already installed, it is recommended to uninstall the older ADK and install the latest version. Existing VAMT data is maintained in the VAMT database.
2. Enter an install location or use the default path, and then select **Next**.
3. Select a privacy setting, and then select **Next**.
4. Accept the license terms.
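Review bot: the reworded note is now indented with a single leading space (`+ If an older version is already installed, ...`); under a numbered list a one-space indent is not reliably treated as a continuation of step 1, so either indent it to align with the text of step 1 or leave it flush-left as a separate paragraph, whichever this docs set's renderer expects. The context line above it, `https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install`, carries a hard-coded `en-us` locale segment; a later patch in this series (md-app-guard-overview.md) removes the same segment from an Intune link, and it would be consistent to drop it here too so the link follows the reader's locale.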
From 0ee619b4fcec0cb7011e5cf4f1e882a75be2b3b0 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 10:22:42 -0800
Subject: [PATCH 200/454] Update edr-in-block-mode.md
---
.../microsoft-defender-atp/edr-in-block-mode.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
index 0304cdd397..75f4bba554 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
@@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom:
- next-gen
- edr
-ms.date: 01/07/2021
+ms.date: 01/26/2021
ms.collection:
- m365-security-compliance
- m365initiative-defender-endpoint
@@ -70,7 +70,7 @@ The following image shows an instance of unwanted software that was detected and
|Requirement |Details |
|---------|---------|
|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). |
-|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later |
+|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server, version 1803 or newer
- Windows Server 2019 |
|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). |
|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). |
|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). |
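Review bot: the replacement operating-system list narrows the supported set without saying so. The removed cell read `- Windows Server 2016 or later`, which includes Windows Server 2016; the new cell lists `- Windows Server, version 1803 or newer` and `- Windows Server 2019`, neither of which covers Server 2016. If EDR in block mode genuinely does not support Windows Server 2016, the commit message should say so because this is a change in stated requirements, not a wording fix; if it does, add `- Windows Server 2016` back to the list.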
From 2b73b1d9c583dce0361b9cf4c9f953519d6b4f79 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 12:00:16 -0800
Subject: [PATCH 201/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 217c0ca4ff..9c411725bb 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -31,7 +31,9 @@ ms.custom: FPFN
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806)
-In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include:
+In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution.
+
+If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include:
1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
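Review bot: in the re-split second paragraph, "your security operations can take steps to address false positives or false negatives" uses "security operations" as the actor; it reads as if a function rather than people takes the steps. "your security operations team can take steps ..." matches the wording used in the new NOTE in the next hunk ("security operators and security administrators") and elsewhere in this series. Splitting the definition paragraph from the "If you're using ..." paragraph is a clear improvement.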
@@ -40,8 +42,8 @@ In endpoint protection, a false positive is an entity, such as a file or a proce
5. [Reviewing and adjusting your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings)
6. [Getting help if you still have issues with false positives/negatives](#still-need-help)
-> [!IMPORTANT]
-> This article is intended for security operators and administrators.
+> [!NOTE]
+> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md).
## Part 1: Review and classify alerts
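Review bot: the rewritten NOTE links the product as `microsoft-defender-advanced-threat-protection.md` (relative) while the introduction a few lines above links the same page as `https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection`; one style per file keeps the link check simple and avoids two different targets for the same article. Downgrading the callout from IMPORTANT to NOTE is appropriate for an audience statement.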
From 17d43cfd5707c0b32a5c96b5370503a93beed655 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 12:10:26 -0800
Subject: [PATCH 202/454] Update network-protection.md
---
.../microsoft-defender-atp/network-protection.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 0cf3df8758..2a2ebcab64 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -45,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network
## Requirements
-Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender AV real-time protection.
+Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection.
-Windows 10 version | Microsoft Defender Antivirus
--|-
-Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled
+| Windows 10 version | Microsoft Defender Antivirus |
+|:---|:---|
+| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled |
-After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints.
+After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints.
- .smartscreen.microsoft.com
- .smartscreen-prod.microsoft.com
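Review bot: the rename from "Microsoft Defender AV" to "Microsoft Defender Antivirus" is applied to the requirements sentence and the table header, but the rebuilt table cell still reads `[Microsoft Defender AV real-time protection](...)`; apply the same rename there so the table is consistent with the header directly above it. The table conversion to `|:---|:---|` pipes is fine.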
From 8bfa5fd4bf9e6d15aea12d0cd09f0628b01bac3a Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 12:14:51 -0800
Subject: [PATCH 203/454] Update troubleshoot-np.md
---
.../microsoft-defender-atp/troubleshoot-np.md | 38 ++++++++++---------
1 file changed, 20 insertions(+), 18 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
index 82fcbb7ca7..79cdbc3b60 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
author: dansimp
ms.author: dansimp
-ms.date: 03/27/2019
+ms.date: 01/26/2021
ms.reviewer:
manager: dansimp
ms.technology: mde
@@ -24,14 +24,13 @@ ms.technology: mde
**Applies to:**
-* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
-
-* IT administrators
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- IT administrators
When you use [Network protection](network-protection.md) you may encounter issues, such as:
-* Network protection blocks a website that is safe (false positive)
-* Network protection fails to block a suspicious or known malicious website (false negative)
+- Network protection blocks a website that is safe (false positive)
+- Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
@@ -45,11 +44,11 @@ There are four steps to troubleshooting these problems:
Network protection will only work on devices with the following conditions:
>[!div class="checklist"]
-> * Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
-> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
-> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
-> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
-> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
+> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.
+> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md).
+> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled.
+> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled.
+> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
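Review bot: the last checklist item, carried over unchanged as `> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).`, instructs the reader to disable the network protection rule entirely, which contradicts the list's purpose ("Network protection will only work on devices with the following conditions") and the audit-mode section below, which says to check whether the feature "would have blocked the connection if it had been set to **Enabled**". Since the bullets are being reflowed anyway, fix the wording so that the condition is that the rule is set to Enabled (block mode), not Disabled; as written, a reader following it would turn network protection off.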
## Use audit mode
@@ -61,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we
Set-MpPreference -EnableNetworkProtection AuditMode
```
-1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
+2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
-1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
+3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
If network protection is not blocking a connection that you are expecting it should block, enable the feature.
@@ -75,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we
If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md).
+See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives).
+
## Exclude website from network protection scope
To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check.
@@ -89,16 +90,17 @@ When you report a problem with network protection, you are asked to collect and
cd c:\program files\windows defender
```
-1. Run this command to generate the diagnostic logs:
+2. Run this command to generate the diagnostic logs:
```PowerShell
mpcmdrun -getfiles
```
-1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
+3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
## Related topics
-* [Network protection](network-protection.md)
-* [Evaluate network protection](evaluate-network-protection.md)
-* [Enable network protection](enable-network-protection.md)
+- [Network protection](network-protection.md)
+- [Evaluate network protection](evaluate-network-protection.md)
+- [Enable network protection](enable-network-protection.md)
+- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives)
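Review bot: the new related-topics entry links the article through the full `https://docs.microsoft.com/...` URL while the three entries above it use relative links (`network-protection.md`, `evaluate-network-protection.md`, `enable-network-protection.md`); use `defender-endpoint-false-positives-negatives.md` here, as the helpful-resources.md and manage-atp-post-migration.md patches in this series do. While renumbering step 3, it would also help to put the path `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab` in code formatting, as the `cd` and `mpcmdrun -getfiles` commands above it already are.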
From 1bf91a1fd859e054e58303a537815bb4cfbe4c00 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 12:15:51 -0800
Subject: [PATCH 204/454] Update network-protection.md
---
.../microsoft-defender-atp/network-protection.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
index 2a2ebcab64..29ed5acfbf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md
@@ -79,11 +79,11 @@ You can review the Windows event log to see events that are created when network
3. This will create a custom view that filters to only show the following events related to network protection:
- Event ID | Description
- -|-
- 5007 | Event when settings are changed
- 1125 | Event when network protection fires in audit mode
- 1126 | Event when network protection fires in block mode
+ | Event ID | Description |
+ |:---|:---|
+ | 5007 | Event when settings are changed |
+ | 1125 | Event when network protection fires in audit mode |
+ | 1126 | Event when network protection fires in block mode |
## Related articles
From e2f432e0a8799480ccf021609a4e9d178d294237 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 12:28:01 -0800
Subject: [PATCH 205/454] Update md-app-guard-overview.md
---
.../md-app-guard-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 0c47055df2..576fd34c27 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 12/17/2020
+ms.date: 01/27/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
From e6fb1e9cee0ae3f6ba9216514805cddc6a1c70f6 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 12:28:24 -0800
Subject: [PATCH 206/454] Update md-app-guard-overview.md
---
.../md-app-guard-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 576fd34c27..1187818d92 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -52,4 +52,4 @@ Application Guard has been created to target several types of devices:
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
-|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
+|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
From 2cbc3d3d36c30cbefa068412a6d603e077350e91 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 26 Jan 2021 13:00:19 -0800
Subject: [PATCH 207/454] Update
customize-windows-10-start-screens-by-using-group-policy.md
---
.../customize-windows-10-start-screens-by-using-group-policy.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 3cd4ad2b71..ebadfd9803 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -1,5 +1,5 @@
---
-title: Customize Windows 10 Start and tasbkar with Group Policy (Windows 10)
+title: Customize Windows 10 Start and taskbar with Group Policy (Windows 10)
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.assetid: F4A47B36-F1EF-41CD-9CBA-04C83E960545
ms.reviewer:
From 8128755e7ef4ff40de3ec3af2895bcdd7ec59206 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 13:08:23 -0800
Subject: [PATCH 208/454] Update defender-endpoint-false-positives-negatives.md
---
...nder-endpoint-false-positives-negatives.md | 39 ++++++++++++++++---
1 file changed, 33 insertions(+), 6 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 9c411725bb..d40358edae 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -183,13 +183,40 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c
- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
-You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following table:
+You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following sections:
-| Indicator type and considerations | Prerequisites |
-|:----|:----|
-|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) |
-| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.
For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) |
-| **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date |
+#### Indicators for files
+
+When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
+
+Before you create indicators for files, make sure the following requirements are met:
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
+- Antimalware client version is 4.18.1901.x or later
+- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
+- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)
+
+#### Indicators for IP addresses, URLs, or domains
+
+When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked.
+
+Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:
+- Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection))
+- Antimalware client version is 4.18.1906.x or later
+- Devices are running Windows 10, version 1709, or later
+
+Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).)
+
+#### Indicators for application certificates
+
+When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that you organization uses from being blocked.
+
+`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
+
+Before you create indicators for application certificates, make sure the following requirements are met:
+- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
+- Antimalware client version is 4.18.1901.x or later
+- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
+- Virus and threat protection definitions are up to date
> [!TIP]
> When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).
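Review bot: the new per-type sections drop caveats from the deleted table that operators rely on, and nothing in the added lines replaces them: the file row's note that an allow or block cannot be applied when the file's classification is already in the device cache and that file blocks can take up to 30 minutes to enforce; the IP/URL/domain row's limits (single IP addresses only, no CIDR blocks or ranges; external IPs only; encrypted full-path URLs blocked only in Internet Explorer and Edge, FQDN-only outside them; up to 2 hours of latency); and the certificate row's notes that only leaf certificates are supported, Microsoft-signed certificates cannot be blocked, and a certificate IoC can take up to 3 hours to create or remove. Carry these into the respective "Indicators for ..." sections (a short considerations list under each would do). The rewritten intros also describe only "allow" indicators, while the deleted rows covered block indicators for the same types; say so or readers will assume blocking moved elsewhere. Smaller defects in the added lines: the certificate intro has a stray `**` after the link's closing parenthesis and a typo in "that you organization uses", and "Custom network indicators are turned on ..." is a prerequisite that should be a fourth `- ` item in the IP/URL list rather than a paragraph after it.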
From 9462c60ab32a5b72766646a6d88d2259a6688024 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 13:12:57 -0800
Subject: [PATCH 209/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index d40358edae..a055c2e2f7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -208,9 +208,7 @@ Custom network indicators are turned on in the Microsoft Defender Security Cente
#### Indicators for application certificates
-When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that you organization uses from being blocked.
-
-`.CER` or `.PEM` file extensions are supported. A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft. Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
+When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
Before you create indicators for application certificates, make sure the following requirements are met:
- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
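Review bot: the stray `**` after the link's closing parenthesis survives in the merged line, so the unbalanced bold marker is still there; drop it. Merging also removes the sentence that defines a valid leaf certificate (a signing certificate with a valid certification path chained to a root CA trusted by Microsoft, or a self-signed certificate whose root CA is installed under Local Machine Trusted Root Certification Authorities). That is the acceptance condition an administrator has to satisfy before the indicator works, so it belongs next to the `.CER`/`.PEM` note rather than being deleted.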
From 474099df034bf4f0f31aa59f9e6095a7d3208864 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 13:14:30 -0800
Subject: [PATCH 210/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index a055c2e2f7..f327f3bbc5 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -329,7 +329,7 @@ We recommend using Microsoft Endpoint Manager to edit or set PUA protection sett
[Automated investigation and remediation](automated-investigations.md) (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be *Malicious*, *Suspicious*, or *No threats found*.
-Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization, as well as other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team.
+Depending on the [level of automation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels) set for your organization and other security settings, remediation actions are taken on artifacts deemed Malicious or Suspicious. Remediation actions can occur automatically, or only upon approval by your security operations team.
- [Learn more about automation levels](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automation-levels); and then
- [Configure AIR capabilities in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation).
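Review bot: style point on the rewritten sentence: the verdict names are italicized as *Malicious* and *Suspicious* in the sentence above but appear unformatted here; use the same formatting for the same terms. The "level of automation" link and the "Learn more about automation levels" bullet directly below point at the same page, so one of the two links could go.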
From 2c8970880b66249c95bf2beea131184d0857517f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 13:19:51 -0800
Subject: [PATCH 211/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index f327f3bbc5..f32e43f1a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -183,7 +183,10 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c
- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
-You can create indicators for files, IP addresses, URLs, domains, and certificates, as described in the following sections:
+You can create indicators for:
+- [Files](#indicators-for-files)
+- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
+- [Application certificates](#indicators-for-application-certificates)
#### Indicators for files
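Review bot: confirm the fragment identifiers match the rendered heading ids; `#indicators-for-ip-addresses-urls-or-domains` has to correspond exactly to the heading "Indicators for IP addresses, URLs, or domains", and the link text says "and" where the heading says "or", so align the wording to avoid a drift later. Also insert a blank line between "You can create indicators for:" and the first `- ` item so every Markdown renderer treats it as a list rather than a continuation of the paragraph.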
From d572315a16f509b1a726b333916bf1bd4ef6f822 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Tue, 26 Jan 2021 13:21:16 -0800
Subject: [PATCH 212/454] Update defender-endpoint-false-positives-negatives.md
---
.../defender-endpoint-false-positives-negatives.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index f32e43f1a9..89da6e7ecf 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -211,7 +211,7 @@ Custom network indicators are turned on in the Microsoft Defender Security Cente
#### Indicators for application certificates
-When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
+When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported.
Before you create indicators for application certificates, make sure the following requirements are met:
- Microsoft Defender Antivirus is configured with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
From 76d679eb5918639eca7dc1cde370ef7ae0d35f22 Mon Sep 17 00:00:00 2001
From: Samantha Robertson
Date: Tue, 26 Jan 2021 14:54:57 -0800
Subject: [PATCH 213/454] Adding art for false positive/negatives for Denise
---
...fender-endpoint-false-positives-negatives.md | 8 ++++++++
.../images/false-positives-indicators.png | Bin 0 -> 14102 bytes
.../images/false-positives-overview.png | Bin 0 -> 27939 bytes
.../images/false-positives-step-diagram.png | Bin 0 -> 19014 bytes
4 files changed, 8 insertions(+)
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png
create mode 100644 windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png
diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
index 89da6e7ecf..43eebf368e 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md
@@ -33,8 +33,13 @@ ms.custom: FPFN
In endpoint protection, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution.
+
+
If you’re using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection), and you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address false positives or false negatives. These steps include:
+
+
+
1. [Reviewing and classifying alerts](#part-1-review-and-classify-alerts)
2. [Reviewing remediation actions that were taken](#part-2-review-remediation-actions)
3. [Reviewing and defining exclusions](#part-3-review-or-define-exclusions)
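Review bot: the three new PNGs (false-positives-overview, false-positives-indicators, false-positives-step-diagram) are never referenced in the .md changes, so they are orphaned; this hunk inserts only empty lines, three in a row before the numbered list. If the blank lines mark where `images/false-positives-overview.png` is meant to appear, replace them with an image reference that carries descriptive alt text; otherwise remove them, since consecutive blank lines collapse to one in Markdown and add nothing.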
@@ -184,10 +189,13 @@ To specify entities as exclusions for Microsoft Defender for Endpoint, you can c
- [Automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)
You can create indicators for:
+
- [Files](#indicators-for-files)
- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains)
- [Application certificates](#indicators-for-application-certificates)
+
+
#### Indicators for files
When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
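Review bot: the two empty lines added before `#### Indicators for files` are presumably where `images/false-positives-indicators.png` belongs, but no image reference is added here either; insert one with meaningful alt text or drop the blank lines. The single blank line added after "You can create indicators for:" is a good change on its own (it makes the list render reliably) and should stay.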
diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png
new file mode 100644
index 0000000000000000000000000000000000000000..733db3cb46935defdc17fb312d25c927ea95f178
GIT binary patch
literal 14102