Intune| |App and update management | Intune |Microsoft Endpoint Configuration Manager
Intune| @@ -216,14 +216,14 @@ These scenarios assume the need to support: Some constraints exist in these scenarios. As you select the deployment and management methods for your device, keep the following constraints in mind: * You can use Group Policy or Intune to manage configuration settings on a device but not both. -* You can use Microsoft Endpoint Configuration Manager or Intune to manage apps and updates on a device but not both. +* You can use Microsoft Endpoint Manager or Intune to manage apps and updates on a device but not both. * You cannot manage multiple users on a device with Intune if the device is AD DS domain joined. Use the cloud-centric scenario and on-premises and cloud scenario as a guide for your district. You may need to customize these scenarios, however, based on your district. As you go through the [Select the deployment methods](#select-the-deployment-methods), [Select the configuration setting management methods](#select-the-configuration-setting-management-methods), and the [Select the app and update management products](#select-the-app-and-update-management-products) sections, remember these scenarios and use them as the basis for your district. ### Select the deployment methods -To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Configuration Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution. +To deploy Windows 10 and your apps, you can use MDT by itself or Microsoft Endpoint Manager and MDT together. For a district, there are a few ways to deploy Windows 10 to devices. Table 2 lists the methods that this guide describes and recommends. Use this information to determine which combination of deployment methods is right for your institution.
| Microsoft Endpoint Configuration Manager and Intune (hybrid) | +Microsoft Endpoint Manager and Intune (hybrid) | Configuration Manager and Intune together extend Configuration Manager from an on-premises management system for domain-joined devices to a solution that can manage devices regardless of their location and connectivity options. This hybrid option provides the benefits of both Configuration Manager and Intune.
Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Configuration Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts. +Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies using Microsoft Endpoint Manager or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts. MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 652a24f8e4..03a48da95f 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -300,6 +300,10 @@ If you disable or do not configure this setting, users can configure only basic > [!NOTE] > If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. +> [!NOTE] +> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern +> Standby devices will not be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN. + Sample value for this node to enable this policy is: ```xml diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index 2818c2e55f..c0c9fdf44c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -35,7 +35,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > [!NOTE] > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Endpoint Configuration Manager where the ppkg is generated from the Configuration Manager console. +> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index da9959c0a2..37205534c5 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -390,6 +390,26 @@ Intune tamper protection setting UX supports three states: When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +**Configuration/DisableLocalAdminMerge**+This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. + +If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. + +If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. + +> [!NOTE] +> Applying this setting will not remove exclusions from the device registry, it will only prevent them from being applied/used. This is reflected in **Get-MpPreference**. + +Supported OS versions: Windows 10 + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. When this feature is enabled Windows defender will compute hashes for files it scans. diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2c49067d90..fb9c1a57d8 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -199,8 +199,111 @@ A Get to the above URI will return the results of the data gathering for the las Each data gathering node is annotated with the HRESULT of the action and the collection is also annotated with an overall HRESULT. In this example, note that the mdmdiagnosticstool.exe command failed. -The zip file which is created also contains a results.xml file whose contents align to the Data section in the SyncML for ArchiveResults. Accordingly, an IT admin using the zip file for troubleshooting can determine the order and success of each directive without needing a permanent record of the SyncML value for DiagnosticArchive/ArchiveResults. +### Making use of the uploaded data +The zip archive which is created and uploaded by the CSP contains a folder structure like the following: +```powershell +PS C:\> dir C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + + Directory: C:\DiagArchiveExamples\DiagLogs-MYDEVICE-20201202T182748Z + +Mode LastWriteTime Length Name +---- ------------- ------ ---- +la--- 1/4/2021 2:45 PM 1 +la--- 1/4/2021 2:45 PM 2 +la--- 12/2/2020 6:27 PM 2701 results.xml +``` +Each data gathering directive from the original `Collection` XML corresponds to a folder in the output. For example, if the first directive was
+ + +## ADMX_Power policies + +
+ + +**ADMX_Power/ACConnectivityInStandby_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. + +If you enable this policy setting, network connectivity will be maintained in standby. + +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. + +If you do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow network connectivity during connected-standby (plugged in)* +- GP name: *ACConnectivityInStandby_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/ACCriticalSleepTransitionsDisable_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. + +If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on the ability for applications to prevent sleep transitions (plugged in)* +- GP name: *ACCriticalSleepTransitionsDisable_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/ACStartMenuButtonAction_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. + +If you enable this policy setting, select one of the following actions: + +- Sleep +- Hibernate +- Shut down + +If you disable this policy or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Start menu Power button action (plugged in)* +- GP name: *ACStartMenuButtonAction_2* +- GP path: *System\Power Management\Button Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/AllowSystemPowerRequestAC** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. + +If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. + +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow applications to prevent automatic sleep (plugged in)* +- GP name: *AllowSystemPowerRequestAC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/AllowSystemPowerRequestDC** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows applications and services to prevent automatic sleep. + +If you enable this policy setting, any application, service, or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity. + +If you disable or do not configure this policy setting, applications, services, or drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automatically sleep. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow applications to prevent automatic sleep (on battery)* +- GP name: *AllowSystemPowerRequestDC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenAC** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. + +If you enable this policy setting, the computer automatically sleeps when network files are open. + +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow automatic sleep with Open Network Files (plugged in)* +- GP name: *AllowSystemSleepWithRemoteFilesOpenAC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/AllowSystemSleepWithRemoteFilesOpenDC** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage automatic sleep with open network files. + +If you enable this policy setting, the computer automatically sleeps when network files are open. + +If you disable or do not configure this policy setting, the computer does not automatically sleep when network files are open. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow automatic sleep with Open Network Files (on battery)* +- GP name: *AllowSystemSleepWithRemoteFilesOpenDC* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/CustomActiveSchemeOverride_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID can be retrieved by using powercfg, the power configuration command line tool. + +If you enable this policy setting, you must specify a power plan, specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, 103eea6e-9fcd-4544-a713-c282d8e50083), indicating the power plan to be active. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify a custom active power plan* +- GP name: *CustomActiveSchemeOverride_2* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCBatteryDischargeAction0_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level. + +If you enable this policy setting, select one of the following actions: + +- Take no action +- Sleep +- Hibernate +- Shut down + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Critical battery notification action* +- GP name: *DCBatteryDischargeAction0_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCBatteryDischargeAction1_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level. + +If you enable this policy setting, select one of the following actions: + +- Take no action +- Sleep +- Hibernate +- Shut down + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Low battery notification action* +- GP name: *DCBatteryDischargeAction1_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCBatteryDischargeLevel0_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. + +To set the action that is triggered, see the "Critical Battery Notification Action" policy setting. + +If you disable this policy setting or do not configure it, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Critical battery notification level* +- GP name: *DCBatteryDischargeLevel0_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCBatteryDischargeLevel1UINotification_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level. + +If you enable this policy setting, Windows shows a notification when the battery capacity remaining equals the low battery notification level. + +To configure the low battery notification level, see the "Low Battery Notification Level" policy setting. + +The notification will only be shown if the "Low Battery Notification Action" policy setting is configured to "No Action". + +If you disable or do not configure this policy setting, users can control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off low battery user notification* +- GP name: *DCBatteryDischargeLevel1UINotification_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCBatteryDischargeLevel1_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. + +To set the action that is triggered, see the "Low Battery Notification Action" policy setting. + +If you disable this policy setting or do not configure it, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Low battery notification level* +- GP name: *DCBatteryDischargeLevel1_2* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCConnectivityInStandby_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. + +If you enable this policy setting, network connectivity will be maintained in standby. + +If you disable this policy setting, network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks only, and is subject to change. + +If you do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow network connectivity during connected-standby (on battery)* +- GP name: *DCConnectivityInStandby_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCCriticalSleepTransitionsDisable_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping. + +If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on the ability for applications to prevent sleep transitions (on battery)* +- GP name: *DCCriticalSleepTransitionsDisable_2* +- GP path: *System\Power Management\Sleep Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DCStartMenuButtonAction_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the action that Windows takes when a user presses the Start menu Power button. + +If you enable this policy setting, select one of the following actions: + +- Sleep +- Hibernate +- Shut down + +If you disable this policy or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select the Start menu Power button action (on battery)* +- GP name: *DCStartMenuButtonAction_2* +- GP path: *System\Power Management\Button Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DiskACPowerDownTimeOut_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off the hard disk (plugged in)* +- GP name: *DiskACPowerDownTimeOut_2* +- GP path: *System\Power Management\Hard Disk Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/DiskDCPowerDownTimeOut_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the period of inactivity before Windows turns off the hard disk. + +If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn Off the hard disk (on battery)* +- GP name: *DiskDCPowerDownTimeOut_2* +- GP path: *System\Power Management\Hard Disk Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/Dont_PowerOff_AfterShutdown** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. + +This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Task Manager user interfaces. + +Applications such as UPS software may rely on Windows shutdown behavior. + +This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown(). + +If you enable this policy setting, the computer system safely shuts down and remains in a powered state, ready for power to be safely removed. + +If you disable or do not configure this policy setting, the computer system safely shuts down to a fully powered-off state. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not turn off system power after a Windows system shutdown has occurred.* +- GP name: *Dont_PowerOff_AfterShutdown* +- GP path: *System* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/EnableDesktopSlideShowAC** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. + +If you enable this policy setting, desktop background slideshow is enabled. + +If you disable this policy setting, the desktop background slideshow is disabled. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on desktop background slideshow (plugged in)* +- GP name: *EnableDesktopSlideShowAC* +- GP path: *System\Power Management\Video and Display Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/EnableDesktopSlideShowDC** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify if Windows should enable the desktop background slideshow. + +If you enable this policy setting, desktop background slideshow is enabled. + +If you disable this policy setting, the desktop background slideshow is disabled. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn on desktop background slideshow (on battery)* +- GP name: *EnableDesktopSlideShowDC* +- GP path: *System\Power Management\Video and Display Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/InboxActiveSchemeOverride_2** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. + +If you enable this policy setting, specify a power plan from the Active Power Plan list. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Select an active power plan* +- GP name: *InboxActiveSchemeOverride_2* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/PW_PromptPasswordOnResume** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hibernate or suspend state. + +If you enable this policy setting, the client computer is locked and prompted for a password when it is resumed from a suspend or hibernate state. + +If you disable or do not configure this policy setting, users control if their computer is automatically locked or not after performing a resume operation. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prompt for password on resume from hibernate/suspend* +- GP name: *PW_PromptPasswordOnResume* +- GP path: *System\Power Management* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/PowerThrottlingTurnOff** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off Power Throttling. + +If you enable this policy setting, Power Throttling will be turned off. + +If you disable or do not configure this policy setting, users control this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Power Throttling* +- GP name: *PowerThrottlingTurnOff* +- GP path: *System\Power Management\Power Throttling Settings* +- GP ADMX file name: *Power.admx* + + + + + + +**ADMX_Power/ReserveBatteryNotificationLevel** + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + + + + + +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode. + +If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. + +If you disable or do not configure this policy setting, users can see and change this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Reserve battery notification level* +- GP name: *ReserveBatteryNotificationLevel* +- GP path: *System\Power Management\Notification Settings* +- GP ADMX file name: *Power.admx* + + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-reliability.md b/windows/client-management/mdm/policy-csp-admx-reliability.md index e466f85f86..5db45b394d 100644 --- a/windows/client-management/mdm/policy-csp-admx-reliability.md +++ b/windows/client-management/mdm/policy-csp-admx-reliability.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. @@ -159,7 +159,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled. If you enable this policy setting, error reporting includes unplanned shutdown events. @@ -234,7 +234,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines when the Shutdown Event Tracker System State Data feature is activated. The system state data file contains information about the basic system state as well as the state of all running processes. @@ -312,7 +312,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. +Available in the latest Windows 10 Insider Preview Build. The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this setting and choose "Always" from the drop-down menu list, the Shutdown Event Tracker is displayed when the computer shuts down. diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index 7f655514ef..1a7df80d7f 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -107,7 +107,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. @@ -176,7 +176,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines how long the system waits for scripts applied by Group Policy to run. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. @@ -251,7 +251,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. @@ -343,7 +343,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. +Available in the latest Windows 10 Insider Preview Build. This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. @@ -416,7 +416,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logoff scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. @@ -487,7 +487,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -558,7 +558,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. @@ -629,7 +629,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in logon scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. @@ -700,7 +700,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in shutdown scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. @@ -771,7 +771,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets the system run startup scripts simultaneously. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. @@ -845,7 +845,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting displays the instructions in startup scripts as they run. +Available in the latest Windows 10 Insider Preview Build. This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. @@ -920,7 +920,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. diff --git a/windows/client-management/mdm/policy-csp-admx-sdiageng.md b/windows/client-management/mdm/policy-csp-admx-sdiageng.md index ce4096ecc5..bc7b4bc48a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sdiageng.md +++ b/windows/client-management/mdm/policy-csp-admx-sdiageng.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states, "Do you want the most up-to-date troubleshooting content?" If you enable or do not configure this policy setting, users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enable or do not configure this policy setting, users can access and run the troubleshooting tools from the Troubleshooting Control Panel. @@ -220,7 +220,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine validates the signer of any diagnostic package and runs only those signed by trusted publishers. diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md index 3f963a77cb..5016dd12b2 100644 --- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md +++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section, where the user can get recommendations to help increase the computer's security. When Security Center is not enabled on the domain, neither the notifications nor the Security Center status section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer is not joined to a Windows domain, the policy setting will have no effect. diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md index c18852e5ea..c2738859de 100644 --- a/windows/client-management/mdm/policy-csp-admx-servicing.md +++ b/windows/client-management/mdm/policy-csp-admx-servicing.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separated by a semicolon. diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md index 7b7f7b195c..365e67295a 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md +++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md @@ -76,7 +76,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option to publish DFS roots as shared folders in AD DS . @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). +Available in the latest Windows 10 Insider Preview Build. This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the "Publish in Active Directory" option in the Shared Folders snap-in to publish shared folders in AD DS. diff --git a/windows/client-management/mdm/policy-csp-admx-sharing.md b/windows/client-management/mdm/policy-csp-admx-sharing.md index a293d2b013..92d7458cc6 100644 --- a/windows/client-management/mdm/policy-csp-admx-sharing.md +++ b/windows/client-management/mdm/policy-csp-admx-sharing.md @@ -73,7 +73,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. If you enable this policy setting, users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders. diff --git a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md index e8df85ad6d..70b33efe0d 100644 --- a/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md +++ b/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command window, the system displays a message explaining that a setting prevents the action. @@ -155,7 +155,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Disables the Windows registry editor Regedit.exe. +Available in the latest Windows 10 Insider Preview Build. Disables the Windows registry editor Regedit.exe. If you enable this policy setting and the user tries to start Regedit.exe, a message appears explaining that a policy setting prevents the action. @@ -227,7 +227,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows from running the programs you specify in this policy setting. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows from running the programs you specify in this policy setting. If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. @@ -302,7 +302,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Limits the Windows programs that users have permission to run on the computer. +Available in the latest Windows 10 Insider Preview Build. Limits the Windows programs that users have permission to run on the computer. If you enable this policy setting, users can only run programs that you add to the list of allowed applications. diff --git a/windows/client-management/mdm/policy-csp-admx-smartcard.md b/windows/client-management/mdm/policy-csp-admx-smartcard.md index 76452c2119..67c2a2ea26 100644 --- a/windows/client-management/mdm/policy-csp-admx-smartcard.md +++ b/windows/client-management/mdm/policy-csp-admx-smartcard.md @@ -119,7 +119,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction. @@ -194,7 +194,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please check with your hardware manufacturer to see if your smart card supports this feature. @@ -265,7 +265,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. @@ -334,7 +334,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. +Available in the latest Windows 10 Insider Preview Build. This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of the certificate on the client machine. @@ -405,7 +405,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. @@ -474,7 +474,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the cleanup behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificate cleanup will occur on logoff. > [!TIP] @@ -539,7 +539,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. @@ -611,7 +611,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents plaintext PINs from being returned by Credential Manager. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. @@ -683,7 +683,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log on to a domain. @@ -755,7 +755,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you configure if all your valid logon certificates are displayed. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the same template with the same major version and they are for the same user (determined by their UPN). @@ -831,7 +831,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the reading of all certificates from the smart card for logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your smart card and associated CSP supports the required behavior. @@ -902,7 +902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the displayed message when a smart card is blocked. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. @@ -974,7 +974,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one certificate from another. For example, if the certificate subject was CN=User1, OU=Users, DN=example, DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appearance of that subject name and might need to be adjusted per organization. @@ -1045,7 +1045,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether Smart Card Plug and Play is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time. @@ -1117,7 +1117,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart card device driver is installed. @@ -1189,7 +1189,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. +Available in the latest Windows 10 Insider Preview Build. This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain will be displayed. diff --git a/windows/client-management/mdm/policy-csp-admx-snmp.md b/windows/client-management/mdm/policy-csp-admx-snmp.md index 2a83f8346c..4cdc53625c 100644 --- a/windows/client-management/mdm/policy-csp-admx-snmp.md +++ b/windows/client-management/mdm/policy-csp-admx-snmp.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring network events. @@ -161,7 +161,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. @@ -241,7 +241,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring network events. diff --git a/windows/client-management/mdm/policy-csp-admx-systemrestore.md b/windows/client-management/mdm/policy-csp-admx-systemrestore.md index 8e49043225..41c38ffa9f 100644 --- a/windows/client-management/mdm/policy-csp-admx-systemrestore.md +++ b/windows/client-management/mdm/policy-csp-admx-systemrestore.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. Allows you to disable System Restore configuration through System Protection. +Available in the latest Windows 10 Insider Preview Build. Allows you to disable System Restore configuration through System Protection. This policy setting allows you to turn off System Restore configuration through System Protection. diff --git a/windows/client-management/mdm/policy-csp-admx-tcpip.md b/windows/client-management/mdm/policy-csp-admx-tcpip.md index b43d4d2011..403e0686e1 100644 --- a/windows/client-management/mdm/policy-csp-admx-tcpip.md +++ b/windows/client-management/mdm/policy-csp-admx-tcpip.md @@ -110,7 +110,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify a relay name for a 6to4 host. @@ -179,7 +179,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify the value for the duration at which the relay name is resolved periodically. @@ -248,7 +248,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global IPv4 address (w.x.y.z) assigned to a site. If you disable or do not configure this policy setting, the local host setting is used. @@ -323,7 +323,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. @@ -398,7 +398,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. @@ -467,7 +467,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP router in the text box, DNS services are not required. @@ -536,7 +536,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet. If you disable or do not configure this policy setting, the local host setting is used. @@ -611,7 +611,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to initialize. If you enable this policy setting, you can customize a UDP port for the Teredo client. @@ -680,7 +680,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure this policy setting, the local host setting is used. @@ -751,7 +751,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the Teredo refresh rate. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the Teredo refresh rate. > [!NOTE] > On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation table of the Teredo client's NAT device. @@ -823,7 +823,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo client. @@ -892,7 +892,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. @@ -969,7 +969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. If you do not configure this policy setting, the local host settings are used. diff --git a/windows/client-management/mdm/policy-csp-admx-thumbnails.md b/windows/client-management/mdm/policy-csp-admx-thumbnails.md index 69fd52c66e..9aabebdc8b 100644 --- a/windows/client-management/mdm/policy-csp-admx-thumbnails.md +++ b/windows/client-management/mdm/policy-csp-admx-thumbnails.md @@ -79,7 +79,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. @@ -150,7 +150,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. @@ -221,7 +221,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Turns off the caching of thumbnails in hidden thumbs.db files. +Available in the latest Windows 10 Insider Preview Build. Turns off the caching of thumbnails in hidden thumbs.db files. This policy setting allows you to configure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files. diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index aeec40aa7f..da8e499dae 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -101,7 +101,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. @@ -170,7 +170,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. > [!TIP] @@ -235,7 +235,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list. @@ -306,7 +306,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. @@ -377,7 +377,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. @@ -455,7 +455,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. +Available in the latest Windows 10 Insider Preview Build. This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. > [!TIP] @@ -520,7 +520,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -601,7 +601,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -684,7 +684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM. @@ -767,7 +767,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from group policy and b)clear the TPM on the system. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md index d967a2db8e..b82218ed41 100644 --- a/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md +++ b/windows/client-management/mdm/policy-csp-admx-userexperiencevirtualization.md @@ -450,7 +450,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Calculator. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Calculator. By default, the user settings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization between computers. @@ -524,7 +524,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ computers. With Sync Method set to ”SyncProvider,” the UE-V Agent uses a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings storage location. @@ -603,7 +603,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a non-persistent, pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored only on the local computer. With this policy setting enabled, the rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. @@ -677,7 +677,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center. If you enable this policy setting, the Company Settings Center displays the specified text in the link to the Contact IT URL. @@ -748,7 +748,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies the URL for the Contact IT link in the Company Settings Center. If you enable this policy setting, the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as http or mailto. @@ -819,7 +819,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps. By default, the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage location. @@ -896,7 +896,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of Windows settings between computers. Certain Windows settings will synchronize between computers by default. These settings include Windows themes, Windows desktop settings, Ease of Access settings, and network printers. Use this policy setting to specify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for certain apps, networks, and certificates. If you enable this policy setting, only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization. @@ -967,7 +967,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effect. With Auto-register inbox templates enabled, the UE-V inbox templates such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed, it will only take effect when UE-V service is re-enabled. @@ -1035,7 +1035,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Finance app. By default, the user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between computers. If you enable this policy setting, Finance user settings continue to sync. @@ -1106,7 +1106,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time. By default, a notification informs users that Company Settings Center, the user-facing name for the UE-V Agent, now helps to synchronize settings between their work computers. With this setting enabled, the notification appears the first time that the UE-V Agent runs. @@ -1178,7 +1178,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Games app. By default, the user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between computers. If you enable this policy setting, Games user settings continue to sync. @@ -1250,7 +1250,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 8. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 8. By default, the user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8 from synchronization between computers. @@ -1324,7 +1324,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Internet Explorer 9. By default, the user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting, the Internet Explorer 9 user settings continue to synchronize. @@ -1396,7 +1396,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 10. By default, the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting, the Internet Explorer 10 user settings continue to synchronize. @@ -1468,7 +1468,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Internet Explorer 11. By default, the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 11 from synchronization between computers. If you enable this policy setting, the Internet Explorer 11 user settings continue to synchronize. @@ -1540,7 +1540,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer. By default, the user settings which are common between the versions of Internet Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between computers. If you enable this policy setting, the user settings which are common between the versions of Internet Explorer continue to synchronize. @@ -1612,7 +1612,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Maps app. By default, the user settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers. If you enable this policy setting, Maps user settings continue to sync. @@ -1684,7 +1684,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If you enable this policy setting, specify the threshold file size in bytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log. @@ -1754,7 +1754,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2010. By default, the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting, Microsoft Access 2010 user settings continue to synchronize. @@ -1826,7 +1826,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 applications. By default, the user settings which are common between the Microsoft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2010 applications continue to synchronize. @@ -1898,7 +1898,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2010. By default, the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2010 user settings continue to synchronize. @@ -1969,7 +1969,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010. By default, the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2010 user settings continue to synchronize. @@ -2041,7 +2041,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2010. By default, the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2010 user settings continue to synchronize. @@ -2113,7 +2113,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2010. By default, the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2010 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2010 user settings continue to synchronize. @@ -2184,7 +2184,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2010. By default, the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2010 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2010 user settings continue to synchronize. @@ -2256,7 +2256,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010. By default, the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2010 user settings continue to synchronize. @@ -2328,7 +2328,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2010. By default, the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2010 from synchronization between computers. If you enable this policy setting, Microsoft Project 2010 user settings continue to synchronize. @@ -2399,7 +2399,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2010. By default, the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2010 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2010 user settings continue to synchronize. @@ -2471,7 +2471,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010. By default, the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2010 user settings continue to synchronize. @@ -2543,7 +2543,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010. By default, the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Workspace 2010 user settings continue to synchronize. @@ -2615,7 +2615,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2010. By default, the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2010 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2010 user settings continue to synchronize. @@ -2687,7 +2687,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2010. By default, the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2010 from synchronization between computers. If you enable this policy setting, Microsoft Word 2010 user settings continue to synchronize. @@ -2759,7 +2759,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2013. By default, the user settings of Microsoft Access 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2013 from synchronization between computers. If you enable this policy setting, Microsoft Access 2013 user settings continue to synchronize. @@ -2830,7 +2830,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2013. Microsoft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2013 settings. If you enable this policy setting, certain user settings of Microsoft Access 2013 will continue to be backed up. @@ -2902,7 +2902,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. By default, the user settings which are common between the Microsoft Office Suite 2013 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize. @@ -2974,7 +2974,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office Suite 2013 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2013 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up. @@ -3047,7 +3047,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2013. By default, the user settings of Microsoft Excel 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2013 from synchronization between computers. @@ -3120,7 +3120,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2013. Microsoft Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2013 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2013 will continue to be backed up. @@ -3191,7 +3191,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013. By default, the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers. If you enable this policy setting, Microsoft InfoPath 2013 user settings continue to synchronize. @@ -3263,7 +3263,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013. Microsoft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings. If you enable this policy setting, certain user settings of Microsoft InfoPath 2013 will continue to be backed up. @@ -3335,7 +3335,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2013. By default, the user settings of Microsoft Lync 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2013 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2013 user settings continue to synchronize. @@ -3406,7 +3406,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2013. Microsoft Lync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2013 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2013 will continue to be backed up. @@ -3478,7 +3478,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2013. By default, the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2013 user settings continue to synchronize. @@ -3550,7 +3550,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2013. By default, the user settings of Microsoft OneNote 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2013 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2013 user settings continue to synchronize. @@ -3622,7 +3622,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2013. Microsoft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2013 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2013 will continue to be backed up. @@ -3694,7 +3694,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2013. By default, the user settings of Microsoft Outlook 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2013 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2013 user settings continue to synchronize. @@ -3765,7 +3765,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2013. Microsoft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2013 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2013 will continue to be backed up. @@ -3837,7 +3837,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2013. By default, the user settings of Microsoft PowerPoint 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2013 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2013 user settings continue to synchronize. @@ -3909,7 +3909,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013. Microsoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2013 will continue to be backed up. @@ -3981,7 +3981,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2013. By default, the user settings of Microsoft Project 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2013 from synchronization between computers. If you enable this policy setting, Microsoft Project 2013 user settings continue to synchronize. @@ -4052,7 +4052,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2013. Microsoft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2013 settings. If you enable this policy setting, certain user settings of Microsoft Project 2013 will continue to be backed up. @@ -4124,7 +4124,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2013. By default, the user settings of Microsoft Publisher 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2013 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2013 user settings continue to synchronize. @@ -4196,7 +4196,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2013. Microsoft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2013 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2013 will continue to be backed up. @@ -4268,7 +4268,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013. By default, the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers. If you enable this policy setting, Microsoft SharePoint Designer 2013 user settings continue to synchronize. @@ -4339,7 +4339,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013. Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings. If you enable this policy setting, certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up. @@ -4410,7 +4410,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center. By default, the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2013 Upload Center user settings continue to synchronize. @@ -4482,7 +4482,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2013. By default, the user settings of Microsoft Visio 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2013 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2013 user settings continue to synchronize. @@ -4554,7 +4554,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2013. Microsoft Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2013 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2013 will continue to be backed up. @@ -4626,7 +4626,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2013. By default, the user settings of Microsoft Word 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2013 from synchronization between computers. If you enable this policy setting, Microsoft Word 2013 user settings continue to synchronize. @@ -4698,7 +4698,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2013. Microsoft Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2013 settings. If you enable this policy setting, certain user settings of Microsoft Word 2013 will continue to be backed up. @@ -4770,7 +4770,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Access 2016. By default, the user settings of Microsoft Access 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Access 2016 from synchronization between computers. If you enable this policy setting, Microsoft Access 2016 user settings continue to synchronize. @@ -4842,7 +4842,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Access 2016. Microsoft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Access 2016 settings. If you enable this policy setting, certain user settings of Microsoft Access 2016 will continue to be backed up. @@ -4914,7 +4914,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. By default, the user settings which are common between the Microsoft Office Suite 2016 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers. If you enable this policy setting, the user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize. @@ -4986,7 +4986,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office Suite 2016 has user settings which are common between applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific common Microsoft Office Suite 2016 applications. If you enable this policy setting, certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up. @@ -5059,7 +5059,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Excel 2016. By default, the user settings of Microsoft Excel 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel 2016 from synchronization between computers. If you enable this policy setting, Microsoft Excel 2016 user settings continue to synchronize. @@ -5131,7 +5131,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Excel 2016. Microsoft Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Excel 2016 settings. If you enable this policy setting, certain user settings of Microsoft Excel 2016 will continue to be backed up. @@ -5203,7 +5203,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Lync 2016. By default, the user settings of Microsoft Lync 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 2016 from synchronization between computers. If you enable this policy setting, Microsoft Lync 2016 user settings continue to synchronize. @@ -5275,7 +5275,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Lync 2016. Microsoft Lync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Lync 2016 settings. If you enable this policy setting, certain user settings of Microsoft Lync 2016 will continue to be backed up. @@ -5347,7 +5347,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for OneDrive for Business 2016. By default, the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers. If you enable this policy setting, OneDrive for Business 2016 user settings continue to synchronize. @@ -5419,7 +5419,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft OneNote 2016. By default, the user settings of Microsoft OneNote 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft OneNote 2016 from synchronization between computers. If you enable this policy setting, Microsoft OneNote 2016 user settings continue to synchronize. @@ -5491,7 +5491,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft OneNote 2016. Microsoft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft OneNote 2016 settings. If you enable this policy setting, certain user settings of Microsoft OneNote 2016 will continue to be backed up. @@ -5563,7 +5563,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Outlook 2016. By default, the user settings of Microsoft Outlook 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Outlook 2016 from synchronization between computers. If you enable this policy setting, Microsoft Outlook 2016 user settings continue to synchronize. @@ -5635,7 +5635,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Outlook 2016. Microsoft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Outlook 2016 settings. If you enable this policy setting, certain user settings of Microsoft Outlook 2016 will continue to be backed up. @@ -5707,7 +5707,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2016. By default, the user settings of Microsoft PowerPoint 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft PowerPoint 2016 from synchronization between computers. If you enable this policy setting, Microsoft PowerPoint 2016 user settings continue to synchronize. @@ -5779,7 +5779,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016. Microsoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings. If you enable this policy setting, certain user settings of Microsoft PowerPoint 2016 will continue to be backed up. @@ -5851,7 +5851,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Project 2016. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Project 2016. By default, the user settings of Microsoft Project 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Project 2016 from synchronization between computers. If you enable this policy setting, Microsoft Project 2016 user settings continue to synchronize. @@ -5924,7 +5924,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Project 2016. Microsoft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Project 2016 settings. If you enable this policy setting, certain user settings of Microsoft Project 2016 will continue to be backed up. @@ -5995,7 +5995,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Publisher 2016. By default, the user settings of Microsoft Publisher 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Publisher 2016 from synchronization between computers. If you enable this policy setting, Microsoft Publisher 2016 user settings continue to synchronize. @@ -6067,7 +6067,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Publisher 2016. Microsoft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Publisher 2016 settings. If you enable this policy setting, certain user settings of Microsoft Publisher 2016 will continue to be backed up. @@ -6138,7 +6138,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center. By default, the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers. If you enable this policy setting, Microsoft Office 2016 Upload Center user settings continue to synchronize. @@ -6210,7 +6210,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Visio 2016. By default, the user settings of Microsoft Visio 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2016 from synchronization between computers. If you enable this policy setting, Microsoft Visio 2016 user settings continue to synchronize. @@ -6282,7 +6282,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Visio 2016. Microsoft Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Visio 2016 settings. If you enable this policy setting, certain user settings of Microsoft Visio 2016 will continue to be backed up. @@ -6354,7 +6354,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Word 2016. By default, the user settings of Microsoft Word 2016 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Word 2016 from synchronization between computers. If you enable this policy setting, Microsoft Word 2016 user settings continue to synchronize. @@ -6426,7 +6426,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the backup of certain user settings for Microsoft Word 2016. Microsoft Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific Microsoft Word 2016 settings. If you enable this policy setting, certain user settings of Microsoft Word 2016 will continue to be backed up. @@ -6498,7 +6498,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2013 user settings continue to sync with UE-V. @@ -6570,7 +6570,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Access 2016 user settings continue to sync with UE-V. @@ -6642,7 +6642,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2013 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE-V. @@ -6713,7 +6713,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2016 applications. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V. If you enable this policy setting, user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE-V. @@ -6785,7 +6785,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V. @@ -6857,7 +6857,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V. @@ -6929,7 +6929,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V. @@ -7000,7 +7000,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V. @@ -7072,7 +7072,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V. @@ -7144,7 +7144,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V. @@ -7216,7 +7216,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V. @@ -7288,7 +7288,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V. @@ -7360,7 +7360,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V. @@ -7432,7 +7432,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V. @@ -7504,7 +7504,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V. @@ -7576,7 +7576,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2013 user settings continue to sync with UE-V. @@ -7647,7 +7647,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Project 2016 user settings continue to sync with UE-V. @@ -7719,7 +7719,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V. @@ -7791,7 +7791,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V. @@ -7863,7 +7863,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync with UE-V. @@ -7935,7 +7935,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V. @@ -8007,7 +8007,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V. @@ -8079,7 +8079,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2013 user settings continue to sync with UE-V. @@ -8151,7 +8151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016. Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled, then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V. If you enable this policy setting, Microsoft Office 365 Word 2016 user settings continue to sync with UE-V. @@ -8223,7 +8223,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Music app. By default, the user settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between computers. If you enable this policy setting, Music user settings continue to sync. @@ -8294,7 +8294,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the News app. By default, the user settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers. If you enable this policy setting, News user settings continue to sync. @@ -8366,7 +8366,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of Notepad. By default, the user settings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between computers. If you enable this policy setting, the Notepad user settings continue to synchronize. @@ -8438,7 +8438,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Reader app. By default, the user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between computers. If you enable this policy setting, Reader user settings continue to sync. @@ -8511,7 +8511,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable this policy setting, set the number of milliseconds that the system waits to retrieve settings. @@ -8581,7 +8581,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures where the settings package files that contain user settings are stored. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy setting, the user settings are stored in the specified location. @@ -8651,7 +8651,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default Microsoft templates installed with the UE-V Agent. If you enable this policy setting, the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location. @@ -8727,7 +8727,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Sports app. By default, the user settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between computers. If you enable this policy setting, Sports user settings continue to sync. @@ -8799,7 +8799,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier. > [!TIP] @@ -8864,7 +8864,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections. By default, the UE-V Agent does not synchronize settings over a metered connection. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection. @@ -8936,7 +8936,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outside of the home provider network, for example when connected via a roaming connection. By default, the UE-V Agent does not synchronize settings over a metered connection that is roaming. With this setting enabled, the UE-V Agent synchronizes settings over a metered connection that is roaming. @@ -9008,7 +9008,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization. If you enable this policy setting, the sync provider pings the settings storage location before synchronizing settings packages. @@ -9079,7 +9079,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. +Available in the latest Windows 10 Insider Preview Build. This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that are not explicitly listed in Windows App List. By default, the UE-V Agent only synchronizes settings of those Windows apps included in the Windows App List. With this setting enabled, the settings of all Windows apps not expressly disable in the Windows App List are synchronized. @@ -9151,7 +9151,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Travel app. By default, the user settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between computers. If you enable this policy setting, Travel user settings continue to sync. @@ -9222,7 +9222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. +Available in the latest Windows 10 Insider Preview Build. This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default, an icon appears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application, Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clicking the icon. When this group policy setting is enabled, the UE-V tray icon is visible, the UE-V notifications display, and the Company Settings Center is accessible from the tray icon. With this setting disabled, the tray icon does not appear in the system tray, UE-V never displays notifications, and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control Panel and the Start menu or Start screen. @@ -9292,7 +9292,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Video app. By default, the user settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computers. If you enable this policy setting, Video user settings continue to sync. @@ -9364,7 +9364,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings for the Weather app. By default, the user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between computers. If you enable this policy setting, Weather user settings continue to sync. @@ -9435,7 +9435,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the synchronization of user settings of WordPad. By default, the user settings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization between computers. If you enable this policy setting, the WordPad user settings continue to synchronize. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index a9b6715a43..0afeb2cfc3 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -83,7 +83,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. @@ -228,7 +228,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a set of parameters for controlling the Windows NTP Client. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. @@ -318,7 +318,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the Windows NTP Client is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. @@ -389,7 +389,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether the Windows NTP Server is enabled. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. diff --git a/windows/client-management/mdm/policy-csp-admx-wincal.md b/windows/client-management/mdm/policy-csp-admx-wincal.md index bceaf394ed..d5aba0a18f 100644 --- a/windows/client-management/mdm/policy-csp-admx-wincal.md +++ b/windows/client-management/mdm/policy-csp-admx-wincal.md @@ -77,7 +77,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. @@ -150,7 +150,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. +Available in the latest Windows 10 Insider Preview Build. Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users calendars. If you enable this setting, Windows Calendar will be turned off. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md index 8b06f92864..c0b49d9fae 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md @@ -75,7 +75,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. By default, Add features to Windows 10 is available for all administrators. +Available in the latest Windows 10 Insider Preview Build. By default, Add features to Windows 10 is available for all administrators. If you enable this policy setting, the wizard will not run. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md index 80b7d947fa..bec9255c05 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsconnectnow.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prohibits access to Windows Connect Now (WCN) wizards. +Available in the latest Windows 10 Insider Preview Build. This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireless device" are disabled. @@ -218,7 +218,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. Additional options are available to allow discovery and configuration over a specific medium. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md index d9845c8533..0fa4658ba7 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediadrm.md @@ -74,7 +74,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. diff --git a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md index 69a27c1fef..22acf9fa38 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsmediaplayer.md @@ -134,7 +134,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -215,7 +215,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -295,7 +295,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: @@ -373,7 +373,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to turn off do not show first use dialog boxes. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to turn off do not show first use dialog boxes. If you enable this policy setting, the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media Player. @@ -444,7 +444,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Network tab. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. @@ -513,7 +513,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode. If you enable this policy setting, the anchor window is hidden when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -584,7 +584,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. +Available in the latest Windows 10 Insider Preview Build. This policy setting prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not available. @@ -655,7 +655,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent video smoothing from occurring. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent video smoothing from occurring. If you enable this policy setting, video smoothing is prevented, which can improve video playback on computers with limited resources. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available. @@ -728,7 +728,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows a screen saver to interrupt playback. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player is selected and is not available. @@ -799,7 +799,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Privacy tab in Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the Media Library tab is available, even though the Privacy tab is hidden, unless the "Prevent music file media information retrieval" policy setting is enabled. @@ -870,7 +870,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to hide the Security tab in Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden or disabled by Internet Explorer policies. @@ -939,7 +939,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is played. @@ -1013,7 +1013,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent Windows Media Player from downloading codecs. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not available. @@ -1084,7 +1084,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. @@ -1153,7 +1153,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media sharing from Windows Media Player. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media sharing from Windows Media Player. If you enable this policy setting, any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from programs that depend on the Player's media sharing feature. @@ -1222,7 +1222,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. @@ -1291,7 +1291,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar. If you enable this policy setting, the user cannot add the shortcut for the Player to the Quick Launch bar. @@ -1359,7 +1359,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in Media Library. In addition, presets that exist before the policy is configured are not be updated, and presets a user adds are not be displayed. @@ -1428,7 +1428,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop. If you enable this policy setting, users cannot add the Player shortcut icon to their desktops. @@ -1497,7 +1497,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. @@ -1570,7 +1570,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. +Available in the latest Windows 10 Insider Preview Build. This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected, a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports, the Player uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected. diff --git a/windows/client-management/mdm/policy-csp-admx-wininit.md b/windows/client-management/mdm/policy-csp-admx-wininit.md index dbbecca9d5..9e17ae7971 100644 --- a/windows/client-management/mdm/policy-csp-admx-wininit.md +++ b/windows/client-management/mdm/policy-csp-admx-wininit.md @@ -80,7 +80,7 @@ manager: dansimp -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system. If you enable this policy setting, the system does not create the named pipe remote shutdown interface. @@ -149,7 +149,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting controls the use of fast startup. +Available in the latest Windows 10 Insider Preview Build. This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. @@ -218,7 +218,7 @@ ADMX Info: -Available in Windows 10 Insider Preview Build 20185. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. +Available in the latest Windows 10 Insider Preview Build. This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shutdown. If you enable this policy setting, the system waits for the hung logon sessions for the number of minutes specified. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index dcea40a888..6387efccc5 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2317,6 +2317,15 @@ Added in Windows 10, version 1607. Specifies the level of detection for potenti > Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or at worst, install other software which might be unexpected or unwanted. By default in Windows 10 (version 2004 and later), Microsoft Defender Antivirus blocks apps that are considered PUA, for Enterprise (E5) devices. For more information about PUA, see [Detect and block potentially unwanted applications](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). + +ADMX Info: +- GP English name: *Configure detection for potentially unwanted applications* +- GP name: *Root_PUAProtection* +- GP element: *Root_PUAProtection* +- GP path: *Windows Components/Microsoft Defender Antivirus* +- GP ADMX file name: *WindowsDefender.admx* + + The following list shows the supported values: @@ -3112,6 +3121,7 @@ Footnotes: - 6 - Available in Windows 10, version 1903. - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 20H2. diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index f68a71f820..b106637736 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 0325decbfc..dc6cd495a9 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -281,25 +281,6 @@ Valid values: Value type is bool. Supported operations include Get, Add, Replace, and Delete. -**VPNv2/**ProfileName**/LockDown** (./Device only profile) -Lockdown profile. - -Valid values: - -- False (default) - this is not a LockDown profile. -- True - this is a LockDown profile. - -When the LockDown profile is turned on, it does the following things: - -- First, it automatically becomes an "always on" profile. -- Second, it can never be disconnected. -- Third, if the profile is not connected, then the user has no network. -- Fourth, no other profiles may be connected or modified. - -A Lockdown profile must be deleted before you can add, remove, or connect other profiles. - -Value type is bool. Supported operations include Get, Add, Replace, and Delete. - **VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile) Device tunnel profile. diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index c0e32c95b7..ee3e5cfb4c 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -31,7 +31,6 @@ Here's the XSD for the ProfileXML node in the VPNv2 CSP and VpnManagementAgent:: +>An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. +> >Also ensure that the Group Policy setting: Computer Configuration > Administrative Templates > Windows Components > Windows Update > "Do not connect to any Windows Update Internet locations" is set to "Disabled". ## Firmware-embedded activation key -To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt +To determine if the computer has a firmware-embedded activation key, type the following command at an elevated Windows PowerShell prompt: -``` -(Get-WmiObject -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey +```PowerShell +(Get-CimInstance -query ‘select * from SoftwareLicensingService’).OA3xOriginalProductKey ``` If the device has a firmware-embedded activation key, it will be displayed in the output. If the output is blank, the device does not have a firmware embedded activation key. Most OEM-provided devices designed to run Windows 8 or later will have a firmware-embedded key. @@ -44,19 +45,28 @@ If the device has a firmware-embedded activation key, it will be displayed in th If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant: 1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license: -2. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 -3. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 -4. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. -5. The admin can now assign subscription licenses to users. ->Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: + - **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3 + - **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5 + +1. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant. + +1. The admin can now assign subscription licenses to users. + +Use the following process if you need to update contact information and retrigger activation in order to resend the activation email: 1. Sign in to the [Microsoft Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -2. Click on **Subscriptions**. -3. Click on **Online Services Agreement List**. + +2. Click **Subscriptions**. + +3. Click **Online Services Agreement List**. + 4. Enter your agreement number, and then click **Search**. + 5. Click the **Service Name**. + 6. In the **Subscription Contact** section, click the name listed under **Last Name**. + 7. Update the contact information, then click **Update Contact Details**. This will trigger a new email. Also in this article: @@ -91,17 +101,21 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service: - +> [!div class="mx-imgBorder"] +>  The following methods are available to assign licenses: 1. When you have the required Azure AD subscription, [group-based licensing](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal) is the preferred method to assign Enterprise E3 or E5 licenses to users. + 2. You can sign in to portal.office.com and manually assign licenses:  3. You can assign licenses by uploading a spreadsheet. + 4. A per-user [PowerShell scripted method](https://social.technet.microsoft.com/wiki/contents/articles/15905.how-to-use-powershell-to-automatically-assign-licenses-to-your-office-365-users.aspx) of assigning licenses is available. + 5. Organizations can use synchronized [AD groups](https://ronnydejong.com/2015/03/04/assign-ems-licenses-based-on-local-active-directory-group-membership/) to automatically assign licenses. ## Explore the upgrade experience @@ -114,50 +128,50 @@ Users can join a Windows 10 Pro device to Azure AD the first time they start the **To join a device to Azure AD the first time the device is started** -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. +1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 2**. 
**Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.+2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**. 
**Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**. 
**Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-Now the device is Azure AD joined to the company’s subscription.
+Now the device is Azure AD–joined to the company’s subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
>[!IMPORTANT]
>Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.+1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**. 
**Figure 5. Connect to work or school configuration in Settings**
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.+2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**. 
**Figure 6. Set up a work or school account**
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.+3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**. 
**Figure 7. The “Let’s get you signed in” dialog box**
-Now the device is Azure AD joined to the company’s subscription.
+Now the device is Azure AD–joined to the company's subscription.
### Step 2: Pro edition activation
@@ -165,7 +179,7 @@ Now the device is Azure AD joined to the company’s subscription.
>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-
+
Figure 7a - Windows 10 Pro activation in Settings @@ -176,7 +190,7 @@ Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - 
+
**Figure 8. Sign in by using Azure AD account**
@@ -184,7 +198,7 @@ Once the device is joined to your Azure AD subscription, the user will sign in b
You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
+
**Figure 9 - Windows 10 Enterprise subscription in Settings**
@@ -218,19 +232,19 @@ Use the following figures to help you troubleshoot when users experience these c
- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro is not activated, but the Windows 10 Enterprise subscription is active.
-
+ 
Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - + 
Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed. - + 
Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index f73558bd91..ebdcfa1363 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -63,7 +63,7 @@ Windows PowerShell cmdlets for Delivery Optimization have been improved: Additional improvements in [Delivery Optimization](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization) include: - Enterprise network [throttling is enhanced](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new#new-download-throttling-options-for-delivery-optimization-build-18917) to optimize foreground vs. background throttling. - Automatic cloud-based congestion detection is available for PCs with cloud service support. -- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Configuration Manager content coming soon! +- Improved Peer Efficiency for enterprises and educational institutions with complex networks is enabled with of [new policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization). This now supports Microsoft 365 Apps for enterprise updates, and Intune content, with Microsoft Endpoint Manager content coming soon! The following Delivery Optimization policies are removed in the Windows 10, version 2004 release: diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 7e1c6b9819..4b0eb20dcf 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: laurawi @@ -22,7 +22,7 @@ ms.topic: article - Windows 10 -Microsoft Endpoint Configuration Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Configuration Manager that you later configure the task sequence to use. +Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. For the purposes of this guide, we will use one server computer: CM01. - CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index bbc562e930..ccb8ed6bb5 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. +description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa ms.reviewer: manager: laurawi @@ -21,7 +21,7 @@ ms.topic: article - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Configuration Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. This topic assumes that you have completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 116cb87a9e..348d4fd07c 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Configuration Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). +This topic will walk you through the Zero Touch Installation process of Windows 10 operating system deployment (OSD) using Microsoft Endpoint Manager (ConfigMgr) [integrated](#why-integrate-mdt-with-configuration-manager) with Microsoft Deployment Toolkit (MDT). ## Prerequisites diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md index 46a0b5ee09..1c8551218d 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md @@ -1,6 +1,6 @@ --- title: Perform in-place upgrade to Windows 10 via Configuration Manager -description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Configuration Manager task sequence. +description: Learn how to perform an in-place upgrade to Windows 10 by automating the process with a Microsoft Endpoint Manager task sequence. ms.assetid: F8DF6191-0DB0-4EF5-A9B1-6A11D5DE4878 ms.reviewer: manager: laurawi @@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Configuration Manager task sequence to completely automate the process. +The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Windows 8.1 to Windows 10 is through an in-place upgrade. You can use a Microsoft Endpoint Manager task sequence to completely automate the process. >[!IMPORTANT] >Beginning with Windows 10 and Windows Server 2016, Windows Defender is already installed. A management client for Windows Defender is also installed automatically if the Configuration Manager client is installed. However, previous Windows operating systems installed the System Center Endpoint Protection (SCEP) client with the Configuration Manager client. The SCEP client can block in-place upgrade to Windows 10 due to incompatibility, and must be removed from a device before performing an in-place upgrade to Windows 10. diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 52246fddfd..c4445493e4 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -81,7 +81,7 @@ The following OU structure is used in this guide. Instructions are provided [bel These steps assume that you have the MDT01 member server running and configured as a domain member server. -On **MTD01**: +On **MDT01**: Visit the [Download and install the Windows ADK](https://go.microsoft.com/fwlink/p/?LinkId=526803) page and download the following items to the **D:\\Downloads\\ADK** folder on MDT01 (you will need to create this folder): - [The Windows ADK for Windows 10](https://go.microsoft.com/fwlink/?linkid=2086042) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index ecf21c9ffc..bb85dc9972 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -31,7 +31,7 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 deployment test lab](windows-10-poc.md) |This guide contains instructions to configure a proof of concept (PoC) environment requiring a minimum amount of resources. The guide makes extensive use of Windows PowerShell and Hyper-V. Subsequent companion guides contain steps to deploy Windows 10 using the PoC environment. After completing this guide, additional guides are provided to deploy Windows 10 in the test lab using [Microsoft Deployment Toolkit](windows-10-poc-mdt.md) or [Microsoft Endpoint Configuration Manager](windows-10-poc-sc-config-mgr.md). | |[Plan for Windows 10 deployment](planning/index.md) | This section describes Windows 10 deployment considerations and provides information to assist in Windows 10 deployment planning. | |[Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md) |This guide will walk you through the process of deploying Windows 10 in an enterprise environment using the Microsoft Deployment Toolkit (MDT). | -|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Configuration Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | +|[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) |If you have Microsoft Endpoint Manager in your environment, you will most likely want to use it to deploy Windows 10. This topic will show you how to set up Configuration Manager for operating system deployment and how to integrate Configuration Manager with the Microsoft Deployment Toolkit (MDT) or. | |[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | |[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index c5312c0bd7..7324318c18 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -410,7 +410,7 @@ When you start a Windows 10, version 1903-based computer in the Windows Preinsta **Issue 2** When you manually run the MBR2GPT.exe command in a Command Prompt window, there is no output from the tool. -**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Configuration Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. +**Issue 3** When MBR2GPT.exe runs inside an imaging process such as a Microsoft Endpoint Manager task sequence, an MDT task sequence, or by using a script, you receive the following exit code: 0xC0000135/3221225781. #### Cause diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md index 8ab327afb4..99acb38299 100644 --- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md +++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md @@ -56,7 +56,7 @@ The following scenarios are examples of situations in which Windows To Go worksp - **Managed free seating.** The employee is issued a Windows To Go drive that is then used with the host computer assigned to that employee for a given session (this could be a vehicle, workspace, or standalone laptop). When the employee leaves the session, the next time they return they use the same USB flash drive but use a different host computer. -- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Configuration Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. +- **Work from home.** In this situation, the Windows To Go drive can be provisioned for employees using various methods including Microsoft Endpoint Manager or other deployment tools and then distributed to employees. The employee is instructed to boot the Windows To Go drive initially at work, which caches the employee's credentials on the Windows To Go workspace and allows the initial data synchronization between the enterprise network and the Windows To Go workspace. The user can then bring the Windows To Go drive home where it can be used with their home computer, with or without enterprise network connectivity. - **Travel lightly.** In this situation you have employees who are moving from site to site, but who always will have access to a compatible host computer on site. Using Windows To Go workspaces allows them to travel without the need to pack their PC. diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index fa4f088b49..2012a23148 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -59,7 +59,7 @@ The features described below are no longer being actively developed, and might b |Trusted Platform Module (TPM) Owner Password Management |This functionality within TPM.msc will be migrated to a new user interface.| 1709 | |Trusted Platform Module (TPM): TPM.msc and TPM Remote Management | To be replaced by a new user interface in a future release. | 1709 | |Trusted Platform Module (TPM) Remote Management |This functionality within TPM.msc will be migrated to a new user interface. | 1709 | -|Windows Hello for Business deployment that uses Microsoft Endpoint Configuration Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | +|Windows Hello for Business deployment that uses Microsoft Endpoint Manager |Windows Server 2016 Active Directory Federation Services – Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | |Tile Data Layer | The [Tile Data Layer](https://docs.microsoft.com/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index 546b8de3af..b48649cf32 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -64,7 +64,7 @@ Many existing Win32 and Win64 applications already run reliably on Windows 10 wi Updated versions of Microsoft deployment tools, including MDT, Configuration Manager, and the Windows Assessment and Deployment Kit (Windows ADK) have been released to support Windows 10. - [MDT](https://www.microsoft.com/mdt) is Microsoft’s recommended collection of tools, processes, and guidance for automating desktop and server deployment. -- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Configuration Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. +- Configuration Manager simplifies the deployment and management of Windows 10. If you are not currently using Configuration Manager, you can download a free 180-day trial of [Microsoft Endpoint Manager and Endpoint Protection (current branch)](https://www.microsoft.com/evalcenter/evaluate-system-center-configuration-manager-and-endpoint-protection) from the TechNet Evaluation Center. - The [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit#winADK) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center. ### Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image? diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md index 7ca82acf70..ccc6b27193 100644 --- a/windows/deployment/planning/windows-10-infrastructure-requirements.md +++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md @@ -40,7 +40,7 @@ The latest version of the Microsoft Deployment Toolkit (MDT) is available for do For Configuration Manager, Windows 10 version specific support is offered with [various releases](https://docs.microsoft.com/mem/configmgr/core/plan-design/configs/support-for-windows-10). -For more details about Microsoft Endpoint Configuration Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). +For more details about Microsoft Endpoint Manager support for Windows 10, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Management tools diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index 202b4531b9..1706180e52 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -17,4 +17,4 @@ ms.topic: article - Windows 10 -See the Microsoft Endpoint Configuration Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file +See the Microsoft Endpoint Manager [documentation](https://docs.microsoft.com/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates. \ No newline at end of file diff --git a/windows/deployment/update/feature-update-mission-critical.md b/windows/deployment/update/feature-update-mission-critical.md index c44569853e..5c4c8987f1 100644 --- a/windows/deployment/update/feature-update-mission-critical.md +++ b/windows/deployment/update/feature-update-mission-critical.md @@ -1,6 +1,6 @@ --- title: Best practices and recommendations for deploying Windows 10 Feature updates to mission-critical devices -description: Learn how to use the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +description: Learn how to use the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. ms.prod: w10 ms.mktglfcycl: manage audience: itpro @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to**: Windows 10 -Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Configuration Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. +Managing an environment with devices that provide mission critical services 24 hours a day, 7 days a week, can present challenges in keeping these devices current with Windows 10 feature updates. The processes that you use to keep regular devices current with Windows 10 feature updates, often aren't the most effective to service mission critical devices. This whitepaper will focus on the recommended approach of using the Microsoft Endpoint Manager (current branch) software updates feature to deploy Windows 10 semi-annual feature updates. For simplicity, we will outline the steps to deploy a feature update manually. If you prefer an automated approach, see [Manage Windows as a service using Configuration Manager](https://docs.microsoft.com/configmgr/osd/deploy-use/manage-windows-as-a-service). diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 6c8417f572..236fb16910 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md @@ -47,6 +47,6 @@ Windows as a service provides a new way to think about building, deploying, and | [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] ->Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. +>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as Microsoft Endpoint Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. >With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](../deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md index fc033d13bd..bb67966504 100644 --- a/windows/deployment/update/plan-define-strategy.md +++ b/windows/deployment/update/plan-define-strategy.md @@ -24,7 +24,7 @@ Though we encourage you to deploy every available release and maintain a fast ca You can use a calendar approach for either a faster twice-per-year cadence or an annual cadence. Depending on company size, installing Windows 10 feature updates less often than once annually risks devices going out of service and becoming vulnerable to security threats, because they will stop receiving the monthly security updates. ### Annual -Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Configuration Manager and Microsoft 365 Apps release cycles: +Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles: [  ](images/annual-calendar.png#lightbox) diff --git a/windows/deployment/update/waas-branchcache.md b/windows/deployment/update/waas-branchcache.md index f85076eabc..597bfadf2a 100644 --- a/windows/deployment/update/waas-branchcache.md +++ b/windows/deployment/update/waas-branchcache.md @@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. +BranchCache is a bandwidth-optimization feature that has been available since the Windows Server 2008 R2 and Windows 7 operating systems. Each client has a cache and acts as an alternate source for content that devices on its own network request. Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to optimize network bandwidth during update deployment, and it's easy to configure for either of them. BranchCache has two operating modes: Distributed Cache mode and Hosted Cache mode. - Distributed Cache mode operates like the [Delivery Optimization](waas-delivery-optimization.md) feature in Windows 10: each client contains a cached version of the BranchCache-enabled files it requests and acts as a distributed cache for other clients requesting that same file. diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 02dd9f8971..bbafcf8b44 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -25,7 +25,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Configuration Manager (when installation of Express Updates is enabled). +Windows updates, upgrades, and applications can contain packages with very large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based servers. You can use Delivery Optimization in conjunction with Windows Update, Windows Server Update Services (WSUS), Windows Update for Business, or Microsoft Endpoint Manager (when installation of Express Updates is enabled). Delivery Optimization is a cloud-managed solution. Access to the Delivery Optimization cloud services is a requirement. This means that in order to use the peer-to-peer functionality of Delivery Optimization, devices must have access to the internet. @@ -62,10 +62,11 @@ For information about setting up Delivery Optimization, including tips for the b - DOMaxUploadBandwidth - Support for new types of downloads: - - Office installations and updates + - Office installs and updates - Xbox game pass games - MSIX apps (HTTP downloads only) - - Edge browser installations and updates + - Edge browser installs and updates + - [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) ## Requirements @@ -90,7 +91,9 @@ The following table lists the minimum Windows 10 version that supports Delivery | Win32 apps for Intune | 1709 | | Xbox game pass games | 2004 | | MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express Updates | 1709 + Configuration Manager version 1711 | +| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | +| Edge browser installs and updates | 1809 | +| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](https://docs.microsoft.com/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md index 9f7d882387..01bfeb4954 100644 --- a/windows/deployment/update/waas-manage-updates-wsus.md +++ b/windows/deployment/update/waas-manage-updates-wsus.md @@ -24,7 +24,7 @@ ms.topic: article >Due to [naming changes](waas-overview.md#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy or the registry. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. -WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Configuration Manager provides. +WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides. When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10. diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 1e0f4be7b7..0a81369222 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -24,7 +24,7 @@ When considering your content distribution strategy for Windows 10, think about Two methods of peer-to-peer content distribution are available in Windows 10. -- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfil peer-to-peer requests. +- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests. Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates. @@ -33,9 +33,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. >[!NOTE] >Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations. - Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. + Windows Server Update Services (WSUS) and Microsoft Endpoint Manager can use BranchCache to allow peers to source content from each other versus always having to contact a server. Using BranchCache, files are cached on each individual client, and other clients can retrieve them as needed. This approach distributes the cache rather than having a single point of retrieval, saving a significant amount of bandwidth while drastically reducing the time that it takes for clients to receive the requested content. - + | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | | --- | --- | --- | --- | --- | @@ -43,9 +43,9 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | BranchCache |  |  | |  | > [!NOTE] -> Microsoft Endpoint Configuration Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Configuration Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache). +> Microsoft Endpoint Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](https://docs.microsoft.com/configmgr/core/plan-design/hierarchy/client-peer-cache). > -> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Configuration Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). +> In addition to Client Peer Cache, similar functionality is available in the Windows Preinstallation Environment (Windows PE) for imaging-related content. Using this technology, clients imaging with Microsoft Endpoint Manager task sequences can source operating system images, driver packages, boot images, packages, and programs from peers instead of distribution points. For detailed information about how Windows PE Peer Cache works and how to configure it, see [Prepare Windows PE peer cache to reduce WAN traffic in Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/osd/get-started/prepare-windows-pe-peer-cache-to-reduce-wan-traffic). ## Express update delivery @@ -93,7 +93,7 @@ At this point, the download is complete and the update is ready to be installed. |  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) | |  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) | |  | Optimize update delivery for Windows 10 updates (this topic) | -|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | +|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md) or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md) or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](waas-manage-updates-configuration-manager.md) | ## Related topics diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index a656c096f6..01f89be64e 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics is a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). ### Device compatibility @@ -165,7 +165,7 @@ There are many tools with which IT pros can service Windows as a service. Each o - **Windows Server Update Services (WSUS)** provides extensive control over Windows 10 updates and is natively available in the Windows Server operating system. In addition to the ability to defer updates, organizations can add an approval layer for updates and choose to deploy them to specific computers or groups of computers whenever ready. - **Microsoft Endpoint Configuration Manager** provides the greatest control over servicing Windows as a service. IT pros can defer updates, approve them, and have multiple options for targeting deployments and managing bandwidth usage and deployment times. -With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Configuration Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. +With all these options, which an organization chooses depends on the resources, staff, and expertise its IT organization already has. For example, if IT already uses Microsoft Endpoint Manager to manage Windows updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that. For a consolidated look at the benefits of each tool, see Table 1. **Table 1** diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index e185b2eb5a..d06e1da91b 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md @@ -87,7 +87,7 @@ Moving to the cumulative model for legacy OS versions continues to improve predi Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month's B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month's B release package together with new security updates. Security-only Packages are not part of the C/D preview program. > [!NOTE] -> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Configuration Manager that rely on it, will not see preview updates for older versions of Windows 10. +> Only preview updates for the most recent release of Windows 10 are published to Windows Server Update Services (WSUS). For customers using the WSUS channel, and products such as Microsoft Endpoint Manager that rely on it, will not see preview updates for older versions of Windows 10. > [!NOTE] > Preview updates for Windows 10 are not named differently than their LCU counterparts and do not contain the word 'Preview'. They can be identified by their release date (C or D week) and their classification as non-security updates. diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index e4dd1ed582..39038a810e 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -33,7 +33,7 @@ Windows 10 spreads the traditional deployment effort of a Windows upgrade, which - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-Annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL folder of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) -- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). +- **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). > [!NOTE] diff --git a/windows/deployment/update/wufb-autoupdate.md b/windows/deployment/update/wufb-autoupdate.md index 0fc1330492..055d3b723c 100644 --- a/windows/deployment/update/wufb-autoupdate.md +++ b/windows/deployment/update/wufb-autoupdate.md @@ -25,7 +25,7 @@ Automatic Update governs the "behind the scenes" download and installation proce |-|-| |Configure Automatic Updates|Governs the installation activity that happens in the background. This allows you to configure the installation to happen during the [maintenance window](https://docs.microsoft.com/configmgr/core/clients/manage/collections/use-maintenance-windows). Also, you can specify an installation time where the device will also try to install the latest packages. You can also pick a certain day and or week.| |Automatic Update Detection Frequency|Lets you set the scan frequency the device will use to connect to Windows Update to see if there is any available content. Default is 22 hours, but you can increase or decrease the frequency. Keep in mind a desktop computer may need to scan less frequently than laptops, which can have intermittent internet connection.| -|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Configuration Manager users who want to install custom packages that are not offered through Windows Update.| +|Specify Intranet Microsoft Update Service Location|Used for Windows Server Update Services or Microsoft Endpoint Manager users who want to install custom packages that are not offered through Windows Update.| |Do not connect to any Windows Update Internet locations Required for Dual Scan|Prevents access to Windows Update.| ## Suggested configuration diff --git a/windows/deployment/update/wufb-managedrivers.md b/windows/deployment/update/wufb-managedrivers.md index 56f956aae8..e0a6e9e21f 100644 --- a/windows/deployment/update/wufb-managedrivers.md +++ b/windows/deployment/update/wufb-managedrivers.md @@ -39,7 +39,7 @@ You can use an on-premises catalog, like WSUS, to deploy 3rd Party patches and u |Policy| Description | |-|-| -|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Configuration Manager customers who want to install custom packages that are not offered through Windows Update.| +|Specify Intranet Microsoft Update Service Location| Used for WSUS/Microsoft Endpoint Manager customers who want to install custom packages that are not offered through Windows Update.| ### Suggested configuration diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index e2806e3c0c..033f0e0e0d 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -93,7 +93,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported `changepk.exe /ProductKey +You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0. + **Example** -``` +```xml +Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. + |Attribute|Value| |---------|-----| @@ -109,8 +111,8 @@ You define the bluetooth signal with additional attributes in the signal element |rssiMin|"*number*"|no| |rssiMaxDelta|"*number*"|no| -Example: -``` +**Example** +```xml +The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string. A **signal** element may only contain one **ipv4Prefix** element. + **Example** -``` +```xml +The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4Gateway** element. + **Example** -``` +```xml +The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv4DhcpServer** element. + **Example** -``` +```xml +The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements. + **Example:** -``` +```xml +The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string. A **signal** element may only contain one **ipv6Prefix** element. + **Example** -``` +```xml +The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6Gateway** element. + **Example** -``` +```xml +The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. A **signal** element may only contain one **ipv6DhcpServer** element. + **Example** -``` +```xml +The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements. + **Example** -``` +```xml -``` +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required. + +```xml +Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional. + **Example** -``` +```xml +Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional. + **Example** -``` +```xml +Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal. + **Example** -``` +```xml -  -8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. -  -9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section. -10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section. -11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. +1. Start the **Group Policy Management Console** (gpmc.msc). - ## Troubleshooting - Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. +2. Expand the domain and select the **Group Policy Object** node in the navigation pane. + +3. Right-click **Group Policy object** and select **New**. + +4. Type *Multifactor Unlock* in the name box and click **OK**. + +5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**. + +6. In the navigation pane, expand **Policies** under **Computer Configuration**. + +7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. + +  + +8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values. + +  + +9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors). + +10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider). + +11. Click **OK** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. + +## Troubleshooting +Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 01dffaef6d..d0857ccd72 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 03/05/2020 +ms.date: 01/12/2021 --- # Windows Hello biometrics in the enterprise @@ -53,7 +53,7 @@ The biometric data used to support Windows Hello is stored on the local device o ## Has Microsoft set any device requirements for Windows Hello? We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm. +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. - **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. @@ -81,6 +81,10 @@ To allow facial recognition, you must have devices with integrated special infra - Effective, real world FRR with Anti-spoofing or liveness detection: <10% +> [!NOTE] +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. + + ## Related topics - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 8e3e7d4f74..22d05b8312 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services @@ -39,9 +39,9 @@ A new Active Directory Federation Services farm should have a minimum of two fed Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. > [!NOTE] ->For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: +> For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > -> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions". +> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch PowerShell as an administrator. @@ -50,9 +50,8 @@ Prepare the Active Directory Federation Services deployment by installing and up > (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier > ``` > 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider. -For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers. -Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page. - -[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md) - -## Authentication - -Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. - -[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 72cba7a12e..cf3fb265d2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -162,7 +162,7 @@ Primarily for large enterprise organizations with more complex authentication re For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: - IT departments to manage work-owned devices from a central location. - Users to sign in to their devices with their Active Directory work or school accounts. -Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Microsoft Endpoint Configuration Manager or group policy (GP) to manage them. +Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them. If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md index 528c1b6fe8..c9844c3d80 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md @@ -19,29 +19,46 @@ ms.reviewer: **Applies to** -- Windows 10 +- Windows 10 -Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. +Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. > [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] ## Technical Deep Dive -Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business. +Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the categories and how they support Windows Hello for Business. -Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning and authentication work. +### Device Registration + +Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS). + +For more information read [how device registration works](hello-how-it-works-device-registration.md). + +### Provisioning + +Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business provisioning works. > [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s] + +For more information read [how provisioning works](hello-how-it-works-provisioning.md). + +### Authentication + +With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential. + +Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works. + > [!VIDEO https://www.youtube.com/embed/WPmzoP_vMek] -- [Technology and Terminology](hello-how-it-works-technology.md) -- [Device Registration](hello-how-it-works-device-registration.md) -- [Provisioning](hello-how-it-works-provisioning.md) -- [Authentication](hello-how-it-works-authentication.md) +For more information read [how authentication works](hello-how-it-works-authentication.md). ## Related topics +- [Technology and Terminology](hello-how-it-works-technology.md) - [Windows Hello for Business](hello-identity-verification.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index cd9f264b8a..d9ccb2db53 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -13,12 +13,13 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business **Applies to** + - Windows 10 - Azure Active Directory joined - Hybrid Deployment @@ -63,6 +64,7 @@ If your CRL distribution point does not list an HTTP distribution point, then yo > If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. ### Windows Server 2016 Domain Controllers + If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place. The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement. @@ -73,20 +75,20 @@ Certificate authorities write CRL distribution points in certificates as they ar #### Why does Windows need to validate the domain controller certificate? -Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. - Use the **Kerberos Authentication certificate template** instead of any other older template. -- The domain controller's certificate has the **KDC Authentication** enhanced key usage. +- The domain controller's certificate has the **KDC Authentication** enhanced key usage (EKU). - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. - The domain controller's certificate's signature hash algorithm is **sha256**. - The domain controller's certificate's public key is **RSA (2048 Bits)**. +Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md) > [!Tip] > If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. - ## Configuring a CRL Distribution Point for an issuing certificate authority diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 95638c7735..c5273dc500 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -1,7 +1,7 @@ --- title: Using Certificates for AADJ On-premises Single-sign On single sign-on description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps. -keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, +keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO, ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,11 +14,12 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/19/2018 -ms.reviewer: +ms.reviewer: --- + # Using Certificates for AADJ On-premises Single-sign On -**Applies to** +**Applies to:** - Windows 10 - Azure Active Directory joined - Hybrid Deployment @@ -27,7 +28,7 @@ ms.reviewer: If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices. > [!IMPORTANT] -> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. +> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue. Steps you will perform include: - [Prepare Azure AD Connect](#prepare-azure-ad-connect) @@ -45,7 +46,7 @@ You need to install and configure additional infrastructure to provide Azure AD - A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role ### High Availaibilty -The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. +The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority. The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion). @@ -55,17 +56,17 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u - Encryption - Signature and Encryption -If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates. +If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates. ### Network Requirements -All communication occurs securely over port 443. +All communication occurs securely over port 443. ## Prepare Azure AD Connect Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name. Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller. -To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes. +To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes. ### Verify AAD Connect version Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_. @@ -100,8 +101,8 @@ Sign-in to a domain controller or management workstation with access equivalent Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. 1. Open **Active Directory Users and Computers**. -2. Expand the domain node from the navigation pane. -3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. +2. Expand the domain node from the navigation pane. +3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**. 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] @@ -118,10 +119,10 @@ Sign-in to a domain controller or management workstation with access equivalent 4. Click **Finish**. > [!IMPORTANT] -> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. +> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires. ### Create the NDES Service User Rights Group Policy object -The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy. +The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy. Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. @@ -135,10 +136,10 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice. 10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times. -11. Close the **Group Policy Management Editor**. +11. Close the **Group Policy Management Editor**. ### Configure security for the NDES Service User Rights Group Policy object -The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. +The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group. Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. @@ -159,7 +160,7 @@ Sign-in to a domain controller or management workstation with access equivalent 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. > [!IMPORTANT] -> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. +> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. ## Prepare Active Directory Certificate Authority You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will @@ -177,46 +178,52 @@ When deploying certificates using Microsoft Intune, you have the option of provi Sign-in to the issuing certificate authority with access equivalent to _local administrator_. -1. Open and elevated command prompt. Type the command +1. Open an elevated command prompt and type the following command: ``` certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE ``` -2. Restart the **Active Directory Certificate Services** service. +2. Restart the **Active Directory Certificate Services** service. ### Create an NDES-Intune authentication certificate template -NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. +NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. +1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**. -4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab. -5. On the **Subject** tab, select **Supply in the request**. -6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. -7. On the **Security** tab, click **Add**. -8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. -9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -10. Click on the **Apply** to save changes and close the console. +4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + +5. On the **Subject** tab, select **Supply in the request**. +6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**. +7. On the **Security** tab, click **Add**. +8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**. +9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +10. Click on the **Apply** to save changes and close the console. ### Create an Azure AD joined Windows Hello for Business authentication certificate template -During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. +During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server. -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. +5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. + +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. 8. On the **Subject** tab, select **Supply in the request**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**. -12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. Close the console. ### Publish certificate templates @@ -231,7 +238,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr 2. Expand the parent node from the navigation pane. 3. Click **Certificate Templates** in the navigation pane. 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 6. Close the console. ## Install and Configure the NDES Role @@ -250,10 +257,10 @@ Install the Network Device Enrollment Service role on a computer other than the Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. 1. Open **Server Manager** on the NDES server. -2. Click **Manage**. Click **Add Roles and Features**. +2. Click **Manage**. Click **Add Roles and Features**. 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.  -4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. +4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.  @@ -270,8 +277,8 @@ Sign-in to the certificate authority or management workstations with an _Enterpr * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**  9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**. - > [!Important] - > The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \ -```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]``` -where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following. -```setspn -s http/ndes.corp.contoso.com contoso\ndessvc``` +2. Type the following command to register the service principal name + ``` + setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount] + ``` + where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following: + ``` + setspn -s http/ndes.corp.contoso.com contoso\ndessvc + ``` > [!NOTE] > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs. @@ -306,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_. 1. Open **Active Directory Users and Computers** 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab. - +  3. Select **Trust this user for delegation to specified services only**. 4. Select **Use any authentication protocol**. 5. Click **Add**. 6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**. - -7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**. +  +7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**. 8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**. 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates. - +  10. Click **OK**. Close **Active Directory Users and Computers**. ### Configure the NDES Role and Certificate Templates @@ -325,61 +336,65 @@ This task configures the NDES role and the certificate templates the NDES server Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. > [!NOTE] -> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point. +> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.  1. Click the **Configure Active Directory Certificate Services on the destination server** link. 2. On the **Credentials** page, click **Next**. - +  3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next** - -4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. - +  +4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**. +  5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**. - +  6. On the **RA Information**, click **Next**. 7. On the **Cryptography for NDES** page, click **Next**. 8. Review the **Confirmation** page. Click **Configure**. - +  8. Click **Close** after the configuration completes. #### Configure Certificate Templates on NDES -A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. +A single NDES server can request a maximum of three certificate templates. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values. * Digital Signature * Key Encipherment * Key Encipherment, Digital Signature -Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name +Each value maps to a registry value name in the NDES server. The NDES server translates an incoming SCEP provided value into the corresponding certificate template. The table below shows the SCEP profile values of the NDES certificate template registry value names. -|SCEP Profile Key usage| NDES Registry Value Name| -|:----------:|:-----------------------:| -|Digital Signature|SignatureTemplate| -|Key Encipherment|EncryptionTemplate| -|Key Encipherment Digital Signature|GeneralPurposeTemplate| +| SCEP Profile Key usage| NDES Registry Value Name | +| :-------------------: | :----------------------: | +| Digital Signature | SignatureTemplate | +| Key Encipherment | EncryptionTemplate | +| Key Encipherment Digital Signature | GeneralPurposeTemplate | -Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. +Ideally, you should match the certificate request with the registry value name to keep the configuration intuitive (encryption certificates use the encryption template, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in the NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise. - If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. +If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it. Sign-in to the NDES Server with _local administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices. -3. Type the following command -```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]``` -where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: -```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication``` +3. Type the following command: + ``` + reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName] + ``` + where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example: + ``` + reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication + ``` 4. Type **Y** when the command asks for permission to overwrite the existing value. 5. Close the command prompt. > [!IMPORTANT] -> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc). +> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`). ### Create a Web Application Proxy for the internal NDES URL. Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. -Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. +Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. @@ -395,7 +410,7 @@ Sign-in a workstation with access equivalent to a _domain user_.  5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. > [!IMPORTANT] - > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. + > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. 6. Start **AADApplicationProxyConnectorInstaller.exe**. 7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. @@ -412,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. 2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. 3. Under **MANAGE**, click **Application proxy**. - +  4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. - +  5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. 6. Click **Save**. @@ -426,18 +441,18 @@ Sign-in a workstation with access equivalent to a _domain user_. 3. Under **MANAGE**, click **Application proxy**. 4. Click **Configure an app**. 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. -6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. -7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). +6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**. +7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).  8. Select **Passthrough** from the **Pre Authentication** list. 9. Select **NDES WHFB Connectors** from the **Connector Group** list. -10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. +10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. 11. Click **Add**. 12. Sign-out of the Azure Portal. + > [!IMPORTANT] > Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. - ### Enroll the NDES-Intune Authentication certificate This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. @@ -449,8 +464,8 @@ Sign-in the NDES server with access equivalent to _local administrators_. 4. Click **Next** on the **Before You Begin** page. 5. Click **Next** on the **Select Certificate Enrollment Policy** page. 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link -  +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link +  8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. 9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. 9. Click **Enroll** @@ -462,44 +477,46 @@ This task configures the Web Server role on the NDES server to use the server au Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. -2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. - +2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. +  3. Click **Bindings...*** under **Actions**. Click **Add**. - +  4. Select **https** from **Type**. Confirm the value for **Port** is **443**. 5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. - -6. Select **http** from the **Site Bindings** list. Click **Remove**. +  +6. Select **http** from the **Site Bindings** list. Click **Remove**. 7. Click **Close** on the **Site Bindings** dialog box. -8. Close **Internet Information Services (IIS) Manager**. +8. Close **Internet Information Services (IIS) Manager**. ### Verify the configuration This task confirms the TLS configuration for the NDES server. Sign-in the NDES server with access equivalent to _local administrator_. -#### Disable Internet Explorer Enhanced Security Configuration +#### Disable Internet Explorer Enhanced Security Configuration 1. Open **Server Manager**. Click **Local Server** from the navigation pane. 2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. 3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. 4. Close **Server Manager**. #### Test the NDES web server -1. Open **Internet Explorer**. -2. In the navigation bar, type -```https://[fqdnHostName]/certsrv/mscep/mscep.dll``` -where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. +1. Open **Internet Explorer**. +2. In the navigation bar, type + ``` + https://[fqdnHostName]/certsrv/mscep/mscep.dll + ``` + where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. -A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.  -Confirm the web site uses the server authentication certificate. +Confirm the web site uses the server authentication certificate.  ## Configure Network Device Enrollment Services to work with Microsoft Intune -You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. +You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. - Configure NDES to support long URLs @@ -510,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_. 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. 2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. 3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. - +  4. Select **Allow unlisted file name extensions**. 5. Select **Allow unlisted verbs**. 6. Select **Allow high-bit characters**. @@ -521,21 +538,23 @@ Sign-in the NDES server with access equivalent to _local administrator_. #### Configure Parameters for HTTP.SYS 1. Open an elevated command prompt. -2. Run the following commands -```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` -```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534``` +2. Run the following commands: + ``` + reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534 + reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534 + ``` 3. Restart the NDES server. ## Download, Install and Configure the Intune Certificate Connector -The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. +The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. -### Download Intune Certificate Connector +### Download Intune Certificate Connector Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**. 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section. - +  4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. 5. Sign-out of the Microsoft Endpoint Manager admin center. @@ -544,30 +563,33 @@ Sign-in the NDES server with access equivalent to _domain administrator_. 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. -3. On the **Microsoft Intune** page, click **Next**. +3. On the **Microsoft Intune** page, click **Next**.  4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. 5. On the **Destination Folder** page, click **Next**. 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.  -7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. +7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.  + > [!NOTE] > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.  - > [!NOTE] - > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder -10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. + > [!NOTE] + > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder. + +10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.  ### Configure the Intune Certificate Connector Sign-in the NDES server with access equivalent to _domain administrator_. 1. The **NDES Connector** user interface should be open from the last task. + > [!NOTE] > If the **NDES Connector** user interface is not open, you can start it from **\ ## Follow the Windows Hello for Business hybrid certificate trust deployment guide + 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index aea8c9df8d..958991988c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -112,7 +112,7 @@ Windows Hello for Business uses multifactor authentication during provisioning a Review the [What is Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. -### Azure AD Multi-Factor Authentication Authentication (MFA) Cloud +### Azure AD Multi-Factor Authentication (MFA) Cloud > [!IMPORTANT] > As long as your users have licenses that include Azure AD Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are: diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 87b70bbd2c..c05de0195e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -13,31 +13,31 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/19/2018 +ms.date: 01/14/2021 ms.reviewer: --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10, version 1703 or later -- Hybrid Deployment -- Key trust +- Windows 10, version 1703 or later +- Hybrid Deployment +- Key trust Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. -All deployments use enterprise issued certificates for domain controllers as a root of trust. +All deployments use enterprise issued certificates for domain controllers as a root of trust. ## Certificate Templates -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. ### Domain Controller certificate template Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority. -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. +Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future. By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template. @@ -49,10 +49,10 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. +5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. +7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 8. Close the console. >[!NOTE] @@ -113,13 +113,13 @@ Sign-in to the certificate authority or management workstation with _Enterprise 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. ### Section Review + > [!div class="checklist"] > * Domain Controller certificate template > * Configure superseded domain controller certificate templates > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates -> -> +> s > [!div class="step-by-step"] > [< Configure Azure AD Connect](hello-hybrid-key-whfb-settings-dir-sync.md) > [Configure policy settings >](hello-hybrid-key-whfb-settings-policy.md) @@ -129,6 +129,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise ## Follow the Windows Hello for Business hybrid key trust deployment guide + 1. [Overview](hello-hybrid-cert-trust.md) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4d3512719a..d53a57bff1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -1,6 +1,6 @@ --- -title: Windows Hello for Business (Windows 10) -description: Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. +title: Windows Hello for Business Deployment Prerequisite Overview +description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E ms.reviewer: keywords: identity, PIN, biometric, Hello, passport @@ -15,29 +15,14 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 05/05/2018 +ms.date: 1/22/2021 --- -# Windows Hello for Business +# Windows Hello for Business Deployment Prerequisite Overview -In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. -Windows Hello for Business lets user authenticate to an Active Directory or Azure Active Directory account. +This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -Windows Hello addresses the following problems with passwords: - -- Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. -- Server breaches can expose symmetric network credentials (passwords). -- Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). - -> | | | | -> | :---: | :---: | :---: | -> | [](hello-overview.md)[Overview](hello-overview.md) | [](hello-why-pin-is-better-than-password.md)[Why PIN is better than a password](hello-why-pin-is-better-than-password.md) | [](hello-manage-in-organization.md)[Manage Windows Hello in your Organization](hello-manage-in-organization.md) | - - -## Prerequisites - -### Cloud Only Deployment +## Cloud Only Deployment * Windows 10, version 1511 or later * Microsoft Azure Account @@ -46,9 +31,9 @@ Windows Hello addresses the following problems with passwords: * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory -### Hybrid Deployments +## Hybrid Deployments -The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trustGroup Policy managed | Certificate trustMixed managed | Key trustModern managed | Certificate trustModern managed | | --- | --- | --- | --- | @@ -76,7 +61,7 @@ The table shows the minimum requirements for each deployment. For key trust in a > Reset above lock screen - Windows 10, version 1709, Professional > Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 -### On-premises Deployments +## On-premises Deployments The table shows the minimum requirements for each deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md index 51d246f3f4..1a4dcd1e37 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md @@ -1,12 +1,12 @@ --- -title: Key registration for on-premises deployment of Windows Hello for Business +title: Key registration for on-premises deployment of Windows Hello for Business description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: dansimp audience: ITPro ms.author: dolmont manager: dansimp diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index 18f6f3dbf0..c21280812b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -15,7 +15,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 4/16/2017 +ms.date: 1/20/2021 --- # Manage Windows Hello for Business in your organization @@ -369,9 +369,11 @@ For more information about using the PIN recovery service for PIN reset see [Win Windows Hello for Business is designed to be managed by Group Policy or MDM but not a combination of both. If policies are set from both sources it can result in a mixed result of what is actually enforced for a user or device. -Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. All PIN complexity policies are grouped together and enforced from a single policy source. +Policies for Windows Hello for Business are enforced using the following hierarchy: User Group Policy > Computer Group Policy > User MDM > Device MDM > Device Lock policy. -Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies is enforced on a per policy basis. +Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source. + +All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. >[!NOTE] > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. @@ -382,8 +384,6 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr > >- Use Windows Hello for Business - Enabled >- User certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6 > >The following are configured using device MDM Policy: > @@ -398,8 +398,10 @@ Use a hardware security device and RequireSecurityDevice enforcement are also gr > >- Use Windows Hello for Business - Enabled >- Use certificate for on-premises authentication - Enabled ->- Require digits - Enabled ->- Minimum PIN length - 6d +>- MinimumPINLength - 8 +>- Digits - 1 +>- LowercaseLetters - 1 +>- SpecialCharacters - 1 ## How to use Windows Hello for Business with Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 265aa7219d..57805caf8b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -19,13 +19,15 @@ ms.reviewer: # Planning a Windows Hello for Business Deployment **Applies to** -- Windows 10 + +- Windows 10 Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure. This guide explains the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of the infrastructure. Armed with your planning worksheet, you'll use that information to select the correct deployment guide for your needs. -If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). +> [!Note] +>If you have an Azure tenant, you can use our online, interactive Passwordless Wizard which walks through the same choices instead of using our manual guide below. The Passwordless Wizard is available in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup). ## Using this guide @@ -38,12 +40,13 @@ This guide removes the appearance of complexity by helping you make decisions on Read this document and record your decisions on the worksheet. When finished, your worksheet has all the necessary information for your Windows Hello for Business deployment. There are six major categories you need to consider for a Windows Hello for Business deployment. Those categories are: -* Deployment Options -* Client -* Management -* Active Directory -* Public Key Infrastructure -* Cloud + +- Deployment Options +- Client +- Management +- Active Directory +- Public Key Infrastructure +- Cloud ### Baseline Prerequisites @@ -58,13 +61,16 @@ The goal of Windows Hello for Business is to enable deployments for all organiza There are three deployment models from which you can choose: cloud only, hybrid, and on-premises. ##### Cloud only + The cloud only deployment model is for organizations who only have cloud identities and do not access on-premises resources. These organizations typically join their devices to the cloud and exclusively use resources in the cloud such as SharePoint, OneDrive, and others. Also, because these users do not use on-premises resources, they do not need certificates for things like VPN because everything they need is hosted in Azure. ##### Hybrid + The hybrid deployment model is for organizations that: -* Are federated with Azure Active Directory -* Have identities synchronized to Azure Active Directory using Azure Active Directory Connect -* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources + +- Are federated with Azure Active Directory +- Have identities synchronized to Azure Active Directory using Azure Active Directory Connect +- Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. @@ -154,7 +160,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in ### Cloud -Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from the those that are optional. +Some deployment combinations require an Azure account, and some require Azure Active Directory for user identities. These cloud requirements may only need an Azure account while other features need an Azure Active Directory Premium subscription. The planning process identifies and differentiates the components that are needed from those that are optional. ## Planning a Deployment @@ -332,7 +338,7 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the Azure Active Directory free tier. All Azure Active Directory free accounts can use Azure AD Multi-Factor Authentication through the use of security defaults. Some Azure AD Multi-Factor Authentication features require a license. For more details, see [Features and licenses for Azure AD Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-licensing). If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml new file mode 100644 index 0000000000..4282b8e701 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -0,0 +1,110 @@ +### YamlMime:Landing + +title: Windows Hello for Business documentation +summary: Learn how to manage and deploy Windows Hello for Business. + +metadata: + title: Windows Hello for Business documentation + description: Learn how to manage and deploy Windows Hello for Business. + ms.prod: w10 + ms.topic: landing-page + author: mapalko + manager: dansimp + ms.author: mapalko + ms.date: 01/22/2021 + ms.collection: M365-identity-device-management + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: About Windows Hello For Business + linkLists: + - linkListType: overview + links: + - text: Windows Hello for Business Overview + url: hello-overview.md + - linkListType: concept + links: + - text: Passwordless Strategy + url: passwordless-strategy.md + - text: Why a PIN is better than a password + url: hello-why-pin-is-better-than-password.md + - text: Windows Hello biometrics in the enterprise + url: hello-biometrics-in-enterprise.md + - text: How Windows Hello for Business works + url: hello-how-it-works.md + - linkListType: learn + links: + - text: Technical Deep Dive - Device Registration + url: hello-how-it-works-device-registration.md + - text: Technical Deep Dive - Provisioning + url: hello-how-it-works-provisioning.md + - text: Technical Deep Dive - Authentication + url: hello-how-it-works-authentication.md + - text: Technology and Terminology + url: hello-how-it-works-technology.md + - text: Frequently Asked Questions (FAQ) + url: hello-faq.yml + + # Card + - title: Configure and manage Windows Hello for Business + linkLists: + - linkListType: concept + links: + - text: Windows Hello for Business Deployment Overview + url: hello-deployment-guide.md + - text: Planning a Windows Hello for Business Deployment + url: hello-planning-guide.md + - text: Deployment Prerequisite Overview + url: hello-identity-verification.md + - linkListType: how-to-guide + links: + - text: Hybrid Azure AD Joined Key Trust Deployment + url: hello-hybrid-key-trust.md + - text: Hybrid Azure AD Joined Certificate Trust Deployment + url: hello-hybrid-cert-trust.md + - text: On-premises SSO for Azure AD Joined Devices + url: hello-hybrid-aadj-sso.md + - text: On-premises Key Trust Deployment + url: hello-deployment-key-trust.md + - text: On-premises Certificate Trust Deployment + url: hello-deployment-cert-trust.md + - linkListType: learn + links: + - text: Manage Windows Hello for Business in your organization + url: hello-manage-in-organization.md + - text: Windows Hello and password changes + url: hello-and-password-changes.md + - text: Prepare people to use Windows Hello + url: hello-prepare-people-to-use.md + + # Card + - title: Windows Hello for Business Features + linkLists: + - linkListType: how-to-guide + links: + - text: Conditional Access + url: hello-feature-conditional-access.md + - text: PIN Reset + url: hello-feature-pin-reset.md + - text: Dual Enrollment + url: hello-feature-dual-enrollment.md + - text: Dynamic Lock + url: hello-feature-dynamic-lock.md + - text: Multi-factor Unlock + url: feature-multifactor-unlock.md + - text: Remote Desktop + url: hello-feature-remote-desktop.md + + # Card + - title: Windows Hello for Business Troubleshooting + linkLists: + - linkListType: how-to-guide + links: + - text: Known Deployment Issues + url: hello-deployment-issues.md + - text: Errors During PIN Creation + url: hello-errors-during-pin-creation.md diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md deleted file mode 100644 index 3913ea8734..0000000000 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ /dev/null @@ -1,70 +0,0 @@ -# [Windows Hello for Business](hello-identity-verification.md) - -## [Password-less Strategy](passwordless-strategy.md) - -## [Windows Hello for Business Overview](hello-overview.md) -## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -## [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) - -## [Windows Hello for Business Features](hello-features.md) -### [Conditional Access](hello-feature-conditional-access.md) -### [Dual Enrollment](hello-feature-dual-enrollment.md) -### [Dynamic Lock](hello-feature-dynamic-lock.md) -### [Multifactor Unlock](feature-multifactor-unlock.md) -### [PIN Reset](hello-feature-pin-reset.md) -### [Remote Desktop](hello-feature-remote-desktop.md) - -## [How Windows Hello for Business works](hello-how-it-works.md) -### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) -#### [Device Registration](hello-how-it-works-device-registration.md) -#### [Provisioning](hello-how-it-works-provisioning.md) -#### [Authentication](hello-how-it-works-authentication.md) -#### [Technology and Terminology](hello-how-it-works-technology.md) - -## [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) - -## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) - -## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) - -### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) -#### [Prerequisites](hello-hybrid-key-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-key-new-install.md) -#### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -#### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -#### [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) - -### [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) -#### [Prerequisites](hello-hybrid-cert-trust-prereqs.md) -#### [New Installation Baseline](hello-hybrid-cert-new-install.md) -#### [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -#### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) -#### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - -### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) -#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) -#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md) - -### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -#### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -##### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - -### [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) -#### [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -#### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -#### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -#### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -#### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - -## [Windows Hello and password changes](hello-and-password-changes.md) -## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - -## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.yml) -### [Windows Hello for Business Videos](hello-videos.md) - -## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -## [Event ID 300 - Windows Hello successfully created](hello-event-300.md) diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml new file mode 100644 index 0000000000..8a29bb7d81 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -0,0 +1,137 @@ +- name: Windows Hello for Business documentation + href: index.yml +- name: Overview + items: + - name: Windows Hello for Business Overview + href: hello-overview.md +- name: Concepts + expanded: true + items: + - name: Passwordless Strategy + href: passwordless-strategy.md + - name: Why a PIN is better than a password + href: hello-why-pin-is-better-than-password.md + - name: Windows Hello biometrics in the enterprise + href: hello-biometrics-in-enterprise.md + - name: How Windows Hello for Business works + href: hello-how-it-works.md + - name: Technical Deep Dive + items: + - name: Device Registration + href: hello-how-it-works-device-registration.md + - name: Provisioning + href: hello-how-it-works-provisioning.md + - name: Authentication + href: hello-how-it-works-authentication.md +- name: How-to Guides + items: + - name: Windows Hello for Business Deployment Overview + href: hello-deployment-guide.md + - name: Planning a Windows Hello for Business Deployment + href: hello-planning-guide.md + - name: Deployment Prerequisite Overview + href: hello-identity-verification.md + - name: Prepare people to use Windows Hello + href: hello-prepare-people-to-use.md + - name: Deployment Guides + items: + - name: Hybrid Azure AD Joined Key Trust + items: + - name: Hybrid Azure AD Joined Key Trust Deployment + href: hello-hybrid-key-trust.md + - name: Prerequisites + href: hello-hybrid-key-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-key-new-install.md + - name: Configure Directory Synchronization + href: hello-hybrid-key-trust-dirsync.md + - name: Configure Azure Device Registration + href: hello-hybrid-key-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-key-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-key-whfb-provision.md + - name: Hybrid Azure AD Joined Certificate Trust + items: + - name: Hybrid Azure AD Joined Certificate Trust Deployment + href: hello-hybrid-cert-trust.md + - name: Prerequisites + href: hello-hybrid-cert-trust-prereqs.md + - name: New Installation Baseline + href: hello-hybrid-cert-new-install.md + - name: Configure Azure Device Registration + href: hello-hybrid-cert-trust-devreg.md + - name: Configure Windows Hello for Business settings + href: hello-hybrid-cert-whfb-settings.md + - name: Sign-in and Provisioning + href: hello-hybrid-cert-whfb-provision.md + - name: On-premises SSO for Azure AD Joined Devices + items: + - name: On-premises SSO for Azure AD Joined Devices Deployment + href: hello-hybrid-aadj-sso.md + - name: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business + href: hello-hybrid-aadj-sso-base.md + - name: Using Certificates for AADJ On-premises Single-sign On + href: hello-hybrid-aadj-sso-cert.md + - name: On-premises Key Trust + items: + - name: On-premises Key Trust Deployment + href: hello-deployment-key-trust.md + - name: Validate Active Directory Prerequisites + href: hello-key-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-key-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-key-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-key-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-key-trust-policy-settings.md + - name: On-premises Certificate Trust + items: + - name: On-premises Certificate Trust Deployment + href: hello-deployment-cert-trust.md + - name: Validate Active Directory Prerequisites + href: hello-cert-trust-validate-ad-prereq.md + - name: Validate and Configure Public Key Infrastructure + href: hello-cert-trust-validate-pki.md + - name: Prepare and Deploy Windows Server 2016 Active Directory Federation Services + href: hello-cert-trust-adfs.md + - name: Validate and Deploy Multi-factor Authentication (MFA) Services + href: hello-cert-trust-validate-deploy-mfa.md + - name: Configure Windows Hello for Business policy settings + href: hello-cert-trust-policy-settings.md + - name: Managing Windows Hello for Business in your organization + href: hello-manage-in-organization.md + - name: Windows Hello for Business Features + items: + - name: Conditional Access + href: hello-feature-conditional-access.md + - name: PIN Reset + href: hello-feature-pin-reset.md + - name: Dual Enrollment + href: hello-feature-dual-enrollment.md + - name: Dynamic Lock + href: hello-feature-dynamic-lock.md + - name: Multi-factor Unlock + href: feature-multifactor-unlock.md + - name: Remote Desktop + href: hello-feature-remote-desktop.md + - name: Troubleshooting + items: + - name: Known Deployment Issues + href: hello-deployment-issues.md + - name: Errors During PIN Creation + href: hello-errors-during-pin-creation.md + - name: Event ID 300 - Windows Hello successfully created + href: hello-event-300.md + - name: Windows Hello and password changes + href: hello-and-password-changes.md +- name: Reference + items: + - name: Technology and Terminology + href: hello-how-it-works-technology.md + - name: Frequently Asked Questions (FAQ) + href: hello-faq.yml + - name: Windows Hello for Business videos + href: hello-videos.md diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index 98e0bb9835..dd87cded73 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: danihalfin +author: dansimp ms.author: daniha manager: dansimp ms.collection: M365-identity-device-management @@ -31,5 +31,5 @@ Learn more about identity and access management technologies in Windows 10 and | [Virtual Smart Cards](virtual-smart-cards/virtual-smart-card-overview.md) | Provides information about deploying and managing virtual smart cards, which are functionally similar to physical smart cards and appear in Windows as smart cards that are always-inserted. Virtual smart cards use the Trusted Platform Module (TPM) chip that is available on computers in many organizations, rather than requiring the use of a separate physical smart card and reader. | | [VPN technical guide](vpn/vpn-guide.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md) | Provides a collection of references topics about smart cards, which are tamper-resistant portable storage devices that can enhance the security of tasks such as authenticating clients, signing code, securing e-mail, and signing in with a Windows domain account. | -| [Windows Hello for Business](hello-for-business/hello-identity-verification.md) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | +| [Windows Hello for Business](hello-for-business/index.yml) | In Windows 10, Windows Hello replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN. | | [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) | Learn more about credential theft mitigation in Windows 10. | diff --git a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md index 65e353cb81..fc906d9e08 100644 --- a/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/security/identity-protection/installing-digital-certificates-on-windows-10-mobile.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 60dc685e1e..0637c997cc 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 5e5003aa9f..f8baa1b11c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index 89ddb7fa8a..bb2559ccf0 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md index 997384b9e0..ae671b4ace 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 17564fc13b..3d76ae2b17 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index d905fbf992..dbaa8112f7 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md index 04e43174e8..50d2b45bb2 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md index 56228dff85..9939c9ec73 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md +++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md index dd8812970c..fa36cf563f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md index a913f4c769..e4548fc317 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md +++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md index 794b8e096c..74fdcc3e8f 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md +++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md index 53ebc5b4f6..99defcec30 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index 254e57e0e9..10ffd31a84 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -8,7 +8,7 @@ ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index e8d50dc97f..130688534d 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md index 9c9011d7ad..a95145abaa 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md index 9cb4e34436..793fe303aa 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management @@ -65,7 +65,7 @@ This policy setting controls the behavior of the elevation prompt for standard u This policy setting controls the behavior of application installation detection for the computer. - **Enabled** (Default) When an app installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Configuration Manager should disable this policy setting. In this case, installer detection is unnecessary. +- **Disabled** App installation packages are not detected and prompted for elevation. Enterprises that are running standard user desktops and use delegated installation technologies, such as Group Policy or Microsoft Endpoint Manager should disable this policy setting. In this case, installer detection is unnecessary. ## User Account Control: Only elevate executable files that are signed and validated diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md index 5e643f7d75..a168874b63 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md index f0b0220678..6fb462eb81 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md index 34daf7a11e..6810a79d95 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index aa61d00b97..29bb2adede 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md index a979d2b781..c37a9a9b29 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md index 0194ee2c80..d7c394285f 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md index 0737f18fec..30671f6e4a 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md index 6b9868b0f0..97ee24eb64 100644 --- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md +++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.author: dansimp ms.localizationpriority: medium ms.date: 02/08/2018 diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 0b6ff85b21..24a4378ebe 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.date: 04/19/2017 ms.reviewer: manager: dansimp diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 3fe2c08d57..5f4cf0a2b1 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 29c8f5e474..59ffc5f231 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 9aee353de2..0d608b647c 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.reviewer: @@ -31,6 +31,7 @@ Conditional Access Platform components used for Device Compliance include the fo - [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. +See also [Always On VPN deployment for Windows Server and Windows 10](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). - Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index d825487b05..a0330b3425 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 11/13/2020 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index ae26cfc95a..1ec959d53e 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -1,10 +1,10 @@ --- title: Windows 10 VPN technical guide (Windows 10) -description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. +description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 11/13/2020 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md index 3b6a776b1e..2076d89817 100644 --- a/windows/security/identity-protection/vpn/vpn-name-resolution.md +++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md index 077c2d4c8f..d47c757946 100644 --- a/windows/security/identity-protection/vpn/vpn-profile-options.md +++ b/windows/security/identity-protection/vpn/vpn-profile-options.md @@ -8,7 +8,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.author: dansimp ms.localizationpriority: medium ms.date: 05/17/2018 diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md index 416bc57d04..fd26221328 100644 --- a/windows/security/identity-protection/vpn/vpn-routing.md +++ b/windows/security/identity-protection/vpn/vpn-routing.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 19a298bef8..96964c7d9b 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: dulcemontemayor +author: dansimp ms.localizationpriority: medium ms.date: 07/27/2017 ms.reviewer: diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 26db02bc64..2c1a02b8db 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security audience: ITPro -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp ms.collection: M365-identity-device-management diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md index 4fe2a734da..4f58a3d8d5 100644 --- a/windows/security/includes/microsoft-defender-api-usgov.md +++ b/windows/security/includes/microsoft-defender-api-usgov.md @@ -17,4 +17,4 @@ ms.topic: article --- >[!NOTE] ->If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government GCC High customers](../threat-protection/microsoft-defender-atp/gov.md#api). +>If you are a US Government customer, please use the URIs listed in [Microsoft Defender for Endpoint for US Government customers](../threat-protection/microsoft-defender-atp/gov.md#api). diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index f873294bba..8b59d31999 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml @@ -35,7 +35,7 @@ sections: answer: Yes. - question: Is there a noticeable performance impact when BitLocker is enabled on a computer? - answer: Generally it imposes a single-digit percentage performance overhead. + answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate. - question: How long will initial encryption take when BitLocker is turned on? answer: | @@ -94,4 +94,3 @@ sections: - question: What type of disk configurations are supported by BitLocker? answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported. - diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index f6f72e035f..2bda9b48ce 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md @@ -20,9 +20,9 @@ ms.custom: bitlocker # BitLocker Group Policy settings -**Applies to** +**Applies to:** -- Windows 10 +- Windows 10, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2 This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 2061c1421c..b69e88d45f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -1,6 +1,6 @@ --- -title: BitLocker How to enable Network Unlock (Windows 10) -description: This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. +title: BitLocker - How to enable Network Unlock (Windows 10) +description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it. ms.assetid: be45bc28-47db-4931-bfec-3c348151d2e9 ms.reviewer: ms.prod: w10 @@ -23,178 +23,168 @@ ms.custom: bitlocker **Applies to** - Windows 10 -This topic for the IT professional describes how BitLocker Network Unlock works and how to configure it. +This article for IT professionals describes how BitLocker Network Unlock works and how to configure it. -Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. -Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). This can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. +Network Unlock was introduced in Windows 8 and Windows Server 2012 as a BitLocker protector option for operating system volumes. Network Unlock helps you manage BitLocker-enabled desktops and servers in a domain environment by automatically unlocking operating system volumes when the system is rebooted and is connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. -Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the key for Network Unlock is composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session. +Without Network Unlock, operating system volumes that use TPM+PIN protectors require a PIN when a computer reboots or resumes after hibernation (for example, by Wake on LAN). For enterprises, this setup can make software patches difficult to roll out to unattended desktops and remotely administered servers. -This topic contains: - -- [Network Unlock core requirements](#bkmk-nunlockcorereqs) -- [Network Unlock sequence](#bkmk-networkunlockseq) -- [Configure Network Unlock](#bkmk-configuringnetworkunlock) -- [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) -- [Turning off Network Unlock](#bkmk-turnoffnetworkunlock) -- [Update Network Unlock certificates](#bkmk-updatecerts) -- [Troubleshoot Network Unlock](#bkmk-troubleshoot) -- [Configure Network Unlock on unsupported systems](#bkmk-unsupportedsystems) +Network Unlock allows BitLocker-enabled systems that use TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works like the TPM+StartupKey at boot. But the StartupKey doesn't need to be read from USB media. Instead, the key for Network Unlock is composed from a key that's stored in the TPM and an encrypted network key that's sent to the server. It's decrypted and returned to the client in a secure session. ## Network Unlock core requirements -Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain joined systems. These requirements include: +Network Unlock requires the following mandatory hardware and software configurations before it can automatically unlock domain-joined systems: - You must be running at least Windows 8 or Windows Server 2012. -- Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. -- Network Unlock clients must have a TPM chip and at least one TPM protector. -- A server running the Windows Deployment Services (WDS) role on any supported server operating system. -- BitLocker Network Unlock optional feature installed on any supported server operating system. -- A DHCP server, separate from the WDS server. -- Properly configured public/private key pairing. -- Network Unlock Group Policy settings configured. +- Any supported operating system that uses UEFI DHCP drivers can be a Network Unlock client. +- Network Unlock clients must have a TPM (trusted platform module) chip and at least one TPM protector. +- You must have a server running the Windows Deployment Services (WDS) role on any supported server operating system. +- The BitLocker Network Unlock optional feature can be installed on any supported server operating system. +- You must have a DHCP server, separate from the WDS server. +- You must have a properly configured public/private key pairing. +- Network Unlock Group Policy settings must be configured. -The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. +The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus. So confirm that the network stack has been enabled in the BIOS before you start the computer. > [!NOTE] -> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. +> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled. -For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. +On computers that run Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This adapter must be used for Network Unlock. + +Use this configuration especially when you have multiple adapters and you want to configure one without DHCP, such as for a lights-out management protocol. The configuration is necessary because Network Unlock stops enumerating adapters when it reaches an adapter that has a DHCP port that has failed for any reason. So if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. -The Network Unlock server component installs on supported versions of Windows Server 2012 and later as a Windows feature using Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement. +On supported versions of Windows Server 2012 and later, the Network Unlock server component installs as a Windows feature. It uses Server Manager or Windows PowerShell cmdlets. In Server Manager, the feature name is BitLocker Network Unlock. In Windows PowerShell, the feature name is BitLocker-NetworkUnlock. This feature is a core requirement. -Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation is not required; however, the WDS service needs to be running on the server. +Network Unlock requires WDS in the environment where the feature will be used. Configuration of the WDS installation isn't required. But the WDS service must be running on the server. -The network key is stored on the system drive along with an AES 256 session key, and encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key. +The network key is stored on the system drive along with an AES 256 session key. It's encrypted with the 2048-bit RSA public key of the unlock server's certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server that's running WDS. The network key is returned encrypted with its corresponding session key. ## Network Unlock sequence -The unlock sequence starts on the client side, when the Windows boot manager detects the existence of Network Unlock protector. It leverages the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. +The unlock sequence starts on the client side, when the Windows boot manager detects the existence of the Network Unlock protector. It uses the DHCP driver in UEFI to get an IP address for IPv4. Then it broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described earlier. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply. -On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet in order to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, this means the standard TPM+PIN unlock screen is presented to unlock the drive. +On the server side, the WDS server role has an optional plug-in component, like a PXE (preboot execution environment) provider. The plug-in component handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions. These restrictions require the IP address that's provided by the client in the Network Unlock request to belong to a permitted subnet in order to release the network key to the client. If the Network Unlock provider is unavailable, then BitLocker fails over to the next available protector to unlock the drive. So in a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive. -The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and for the public key certificate to be distributed to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM). +The server-side configuration to enable Network Unlock requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate. The configuration also requires the public key certificate to be distributed to the clients. - +Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM. -**Phases in the Network Unlock process** + -1. The Windows boot manager detects that a Network Unlock protector exists in the BitLocker configuration. -2. The client computer uses its DHCP driver in the UEFI to obtain a valid IPv4 IP address. +The Network Unlock process follows these phases: + +1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration. +2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address. 3. The client computer broadcasts a vendor-specific DHCP request that contains: - 1. A Network Key (a 256-bit intermediate key) encrypted using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server. - 2. An AES-256 session key for the reply. + - A network key (a 256-bit intermediate key) that's encrypted by the 2048-bit RSA public key of the Network Unlock certificate from the WDS server. + - An AES-256 session key for the reply. 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request. -5. The provider decrypts it with the WDS server’s BitLocker Network Unlock certificate RSA private key. -6. The WDS provider then returns the network key encrypted with the session key using its own vendor-specific DHCP reply to the client computer. This forms an intermediate key. -7. The returned intermediate key is then combined with another local 256-bit intermediate key that can only be decrypted by the TPM. +5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key. +6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key. +7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM. 8. This combined key is used to create an AES-256 key that unlocks the volume. 9. Windows continues the boot sequence. ## Configure Network Unlock -The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. +The following steps allow an administrator to configure Network Unlock in a domain where the functional level is at least Windows Server 2012. -### Install the WDS Server role +### Install the WDS server role -The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. +The BitLocker Network Unlock feature installs the WDS role if it's not already installed. If you want to install it separately before you install BitLocker Network Unlock, use Server Manager or Windows PowerShell. To install the role in Server Manager, select the **Windows Deployment Services** role. -To install the role using Windows PowerShell, use the following command: +To install the role by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature WDS-Deployment ``` -You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. +Configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Domain Services) and the client computer. Use the WDS management tool, `wdsmgmt.msc`. This tool starts the Windows Deployment Services Configuration Wizard. -### Confirm the WDS Service is running +### Confirm the WDS service is running -To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. +To confirm the WDS service is running, use the Services Management console or Windows PowerShell. To confirm the service is running in the Services Management console, open the console by using `services.msc`. Then check the status of the WDS service. -To confirm the service is running using Windows PowerShell, use the following command: +To confirm the service is running by using Windows PowerShell, use the following command: ```powershell Get-Service WDSServer ``` -### Install the Network Unlock feature +### Install the Network Unlock feature -To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. +To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature in the Server Manager console, select **BitLocker Network Unlock**. -To install the feature using Windows PowerShell, use the following command: +To install the feature by using Windows PowerShell, use the following command: ```powershell Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock -A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. +A properly configured Active Directory Services Certification Authority can use the certificate template to create and issue Network Unlock certificates. To create a certificate template: -1. Open the Certificates Template snap-in (certtmpl.msc). -2. Locate the User template. Right-click the template name and select **Duplicate Template**. -3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8 respectively. Ensure the **Show resulting changes** dialog box is selected. -4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the checkbox for the **Publish certificate in Active Directory** option. -5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop down menu. Ensure the **Allow private key to be exported** option is selected. -6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. (Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility we recommend using the **Microsoft Software Key Storage Provider**.) -7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider you selected, such as the **Microsoft Software Key Storage Provider**. -8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears. -9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options. -10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**. -11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**. -12. On the **Edit Application Policies Extension** dialog box, select **Add**. -13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box enter the following information in the space provided and then click **OK** to create the BitLocker Network Unlock application policy: +1. Open the certificate template snap-in (`certtmpl.msc`). +2. Locate the user template. Right-click the template name, and then select **Duplicate Template**. +3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to **Windows Server 2012** and **Windows 8**, respectively. Ensure **Show resulting changes** is selected. +4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for **Publish certificate in Active Directory**. +5. Select the **Request Handling** tab. In the **Purpose** drop-down menu, select **Encryption**. Ensure the **Allow private key to be exported** option is selected. +6. Select the **Cryptography** tab. Set the **Minimum key size** to **2048**. (For this template, you can use any Microsoft cryptographic provider that supports RSA. But for simplicity and forward compatibility, we recommend using **Microsoft Software Key Storage Provider**.) +7. Select **Requests must use one of the following providers**. Then clear all options except for your selected cryptography provider, such as the **Microsoft Software Key Storage Provider**. +8. Select the **Subject Name** tab. Select **Supply in the request**. If the certificate templates dialog box appears, select **OK**. +9. Select the **Issuance Requirements** tab. Then select both **CA certificate manager approval** and **Valid existing certificate**. +10. Select the **Extensions** tab. Then select **Application Policies** > **Edit**. +11. In the **Edit Application Policies Extension** dialog box, select **Client Authentication**, **Encrypting File System**, and **Secure Email**. Then choose **Remove**. +12. In the **Edit Application Policies Extension** dialog box, select **Add**. +13. In the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided, and then select **OK** to create the BitLocker Network Unlock application policy. - - **Name:** **BitLocker Network Unlock** - - **Object Identifier:** **1.3.6.1.4.1.311.67.1.1** + - **Name**: **BitLocker Network Unlock** + - **Object Identifier**: **1.3.6.1.4.1.311.67.1.1** -14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**. -15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog, select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option. +14. Select the newly created **BitLocker Network Unlock** application policy, and then select **OK**. +15. With the **Extensions** tab still open, select **Edit Key Usage Extension**, and then select **Allow key exchange only with key encryption (key encipherment)**. Then select **Make this extension critical**. 16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission. 17. Select **OK** to complete configuration of the template. -To add the Network Unlock template to the Certification Authority, open the Certification Authority snap-in (certsrv.msc). Right-click the **Certificate Templates** item and choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. +To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate. -After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. +After you add the Network Unlock template to the certificate authority, you can use this certificate to configure BitLocker Network Unlock. -### Create the Network Unlock certificate +### Create the Network Unlock certificate -Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. +Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate. -To enroll a certificate from an existing certification authority (CA), do the following: +To enroll a certificate from an existing certificate authority: -1. Open Certificate Manager on the WDS server using **certmgr.msc** -2. Under the Certificates - Current User item, right-click Personal -3. Select All Tasks, then **Request New Certificate** -4. Select **Next** when the Certificate Enrollment wizard opens -5. Select Active Directory Enrollment Policy -6. Choose the certificate template created for Network Unlock on the Domain controller and select **Enroll**. When prompted for more information, add the following attribute to the certificate: +1. On the WDS server, open Certificate Manager by using `certmgr.msc`. +2. Under **Certificates - Current User**, right-click **Personal**. +3. Select **All Tasks** > **Request New Certificate**. +4. When the Certificate Enrollment wizard opens, select **Next**. +5. Select **Active Directory Enrollment Policy**. +6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**. +1. When you're prompted for more information, select **Subject Name** and provide a friendly name value. Your friendly name should include information for the domain or organizational unit for the certificate. Here's an example: *BitLocker Network Unlock Certificate for Contoso domain*. +7. Create the certificate. Ensure the certificate appears in the **Personal** folder. +8. Export the public key certificate for Network Unlock: - - Select the **Subject Name** pane and provide a friendly name value. It is suggested that this friendly name include information for the domain or organizational unit for the certificate. For example "BitLocker Network Unlock Certificate for Contoso domain" - -7. Create the certificate. Ensure the certificate appears in the Personal folder. -8. Export the public key certificate for Network Unlock - - 1. Create a .cer file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. + 1. Create a *.cer* file by right-clicking the previously created certificate and choosing **All Tasks** > **Export**. 2. Select **No, do not export the private key**. - 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file. - 4. Give the file a name such as BitLocker-NetworkUnlock.cer. - -9. Export the public key with a private key for Network Unlock - - 1. Create a .pfx file by right-clicking the previously created certificate, choosing **All Tasks**, then **Export**. + 3. Select **DER encoded binary X.509**, and then finish exporting the certificate to a file. + 4. Give the file a name, such as *BitLocker-NetworkUnlock.cer*. +9. Export the public key with a private key for Network Unlock: + 1. Create a *.pfx* file by right-clicking the previously created certificate. Then choose **All Tasks** > **Export**. 2. Select **Yes, export the private key**. - 3. Complete the wizard to create the .pfx file. + 3. Complete the steps to create the *.pfx* file. -To create a self-signed certificate, you can either use the New-SelfSignedCertificate cmdlet in Windows PowerShell or use Certreq. +To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq`. -Windows PowerShell example: +Here's a Windows PowerShell example: ```powershell New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1") ``` -Certreq example: +Here's a `certreq` example: -1. Create a text file with an .inf extension. For example, notepad.exe BitLocker-NetworkUnlock.inf. +1. Create a text file that has an *.inf* extension. For example, *notepad.exe* *BitLocker-NetworkUnlock.inf*. 2. Add the following contents to the previously created file: ```ini @@ -216,176 +206,183 @@ Certreq example: _continue_ = "1.3.6.1.4.1.311.67.1.1" ``` -3. Open an elevated command prompt and use the certreq tool to create a new certificate using the following command, specifying the full path to the file created previously, along with the file name: +3. Open an elevated command prompt and use the `certreq` tool to create a new certificate. Use the following command, specifying the full path to the file that you created previously. Also specify the file name. ```cmd certreq -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer ``` -4. Verify the previous command properly created the certificate by confirming the .cer file exists. -5. Launch Certificates - Local Machine by running **certlm.msc**. -6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. +4. Verify the previous command properly created the certificate by confirming the *.cer* file exists. +5. Launch **Certificates - Local Machine** by running `certlm.msc`. +6. Create a *.pfx* file by opening the *Certificates – Local Computer\\Personal\\Certificates* path in the navigation pane. Right-click the previously imported certificate, and then select **All Tasks** > **Export**. Follow through the steps to create the *.pfx* file. -### Deploy the private key and certificate to the WDS server +### Deploy the private key and certificate to the WDS server -With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: +Now that you've created the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates: -1. On the WDS server, open a new MMC and add the certificates snap-in. Select the computer account and local computer when given the options. -2. Right-click the Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock item, choose All Tasks, then **Import**. -3. In the **File to Import** dialog, choose the .pfx file created previously. -4. Enter the password used to create the .pfx and complete the wizard. +1. On the WDS server, open a new Microsoft Management Console (MMC), and then add the certificates snap-in. When you're prompted, select the computer account and local computer. +2. Right-click **Certificates (Local Computer) - BitLocker Drive Encryption Network Unlock**, and then choose **All Tasks** > **Import**. +3. In the **File to Import** dialog box, choose the *.pfx* file that you created previously. +4. Enter the password that you used to create the *.pfx* file, and finish the steps. ### Configure Group Policy settings for Network Unlock -With certificate and key deployed to the WDS server for Network Unlock, the final step is to use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock using the Network Unlock key. Group Policy settings for BitLocker can be found under **\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console. +You've now deployed the certificate and key to the WDS server for Network Unlock. In the final step, you'll use Group Policy settings to deploy the public key certificate to computers that you want to be able to unlock by using the Network Unlock key. Find Group Policy settings for BitLocker in *\\Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption* by using the Local Group Policy Editor or the MMC. -The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. +To enable the Group Policy setting that's required to configure Network Unlock: -1. Open Group Policy Management Console (gpmc.msc). -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** or **Allow startup PIN with TPM** option. +1. Open Group Policy Management Console (`gpmc.msc`). +2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**. 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. -The following steps describe how to deploy the required Group Policy setting: +To deploy the required Group Policy setting: > [!NOTE] > The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. -1. Copy the .cer file created for Network Unlock to the domain controller. -2. On the domain controller, launch Group Policy Management Console (gpmc.msc). +1. Copy the *.cer* file that you created for Network Unlock to the domain controller. +2. On the domain controller, open Group Policy Management Console (`gpmc.msc`). 3. Create a new Group Policy Object or modify an existing object to enable the **Allow network unlock at startup** setting. 4. Deploy the public certificate to clients: - 1. Within Group Policy Management Console, navigate to the following location: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate**. - 2. Right-click the folder and choose **Add Network Unlock Certificate**. - 3. Follow the wizard steps and import the .cer file that was copied earlier. + 1. In Group Policy Management Console, go to *Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Public Key Policies\\BitLocker Drive Encryption Network Unlock Certificate*. + 2. Right-click the folder, and then choose **Add Network Unlock Certificate**. + 3. Follow the steps and import the *.cer* file that you copied earlier. -> [!NOTE] -> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. + > [!NOTE] + > Only one network unlock certificate can be available at a time. If you need a new certificate, delete the current certificate before you deploy a new one. The Network Unlock certificate is located in the *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* key on the client computer. -5. Reboot the clients after deploying the group policy. +5. Reboot the clients after you deploy the Group Policy. > [!NOTE] - > The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. + > The **Network (Certificate Based)** protector is added only after a reboot where the policy is enabled and a valid certificate is present in the FVE_NKP store. -### Subnet policy configuration files on WDS Server (Optional) +### Subnet policy configuration files on the WDS server (optional) -By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. +By default, the server unlocks clients that have the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP. You can create a subnet policy configuration file on the WDS server to limit the subnets that Network Unlock clients can use for unlocking. -The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (%windir%\System32\Nkpprov.dll) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider will fail and stop responding to requests. +The configuration file, called *bde-network-unlock.ini*, must be located in the same directory as the Network Unlock provider dynamic-link library (*%windir%\System32\Nkpprov.dll*). The configuration file applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, then the provider fails and stops responding to requests. -The subnet policy configuration file must use a “\[SUBNETS\]” section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equals sign, and the subnet identified on the right of the equal sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word “ENABLED” is disallowed for subnet names. +The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. You can then use the named subnets to specify restrictions in certificate subsections. + +Subnets are defined as simple name-value pairs, in the common INI format. In this format, each subnet has its own line. The name is on the left of the equals sign. The subnet on the right of the equals sign is a Classless Interdomain Routing (CIDR) address or range. The keyword `ENABLED` is disallowed for subnet names. ```ini [SUBNETS] -SUBNET1=10.185.250.0/24 ; comment about this subrange could be here, after the semi-colon +SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon SUBNET2=10.185.252.200/28 SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP. ``` -Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. +Following the `[SUBNETS]` section are sections for each Network Unlock certificate. A certificate is identified by the certificate thumbprint, which is formatted without any spaces. These sections define subnet clients that you can unlock by using that certificate. > [!NOTE] -> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. +> When you specify the certificate thumbprint, don't include spaces. Thumbprints that include spaces aren't recognized as valid. The spaces will cause the subnet configuration to fail. -Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. -Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. +Each certificate section defines subnet restrictions by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate has no section in the subnet policy configuration file, then no subnet unlocking restrictions are applied for that certificate. + +So to apply restrictions to every certificate, you must add a certificate section for every Network Unlock certificate on the server. And you must add an explicit allow list set for each certificate section. + +Create subnet lists by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. Then, the server will unlock clients that have this certificate only on the subnets that the list specifies. + +To troubleshoot, you can quickly exclude a subnet without deleting it from the section. Just comment it out by using a prepended semicolon. ```ini [2158a767e1c14e88e27a4c0aee111d2de2eafe60] ;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on. -;This list shows this cert is only allowed to unlock clients on SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. +;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out. SUBNET1 ;SUBNET2 SUBNET3 ``` -To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". +To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list. -## Turning off Network Unlock +## Turn off Network Unlock -To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. +To turn off the unlock server, you can unregister the PXE provider from the WDS server or uninstall it altogether. However, to stop clients from creating Network Unlock protectors, you should disable the **Allow Network Unlock at startup** Group Policy setting. When you disable this policy setting on client computers, any Network Unlock key protectors on the computer are deleted. Alternatively, you can delete the BitLocker Network Unlock certificate policy on the domain controller to accomplish the same task for an entire domain. > [!NOTE] -> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. +> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this condition is seen as an error. It's not a supported or recommended method for turning off the Network Unlock server. -## Update Network Unlock certificates +## Update Network Unlock certificates -To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. +To update the certificates that Network Unlock uses, administrators need to import or generate the new certificate for the server. Then they must update the Network Unlock certificate Group Policy setting on the domain controller. > [!NOTE] -> Servers that do not receive the Group Policy Object (GPO) will require a PIN when booting. In such cases, the reason why the server did not receive the GPO to update the certificate needs to be investigated. +> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate. ## Troubleshoot Network Unlock -Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue will be the root cause of the failure. Items to verify include: +To troubleshoot Network Unlock problems, begin by verifying the environment. Often, a small configuration issue is the root cause of the failure. Verify these items: -- Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. -- All required roles and services are installed and started -- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. -- Group policy for Network Unlock is enabled and linked to the appropriate domains. -- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. -- Verify the clients were rebooted after applying the policy. -- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer: +- Client hardware is based on UEFI and uses firmware version 2.3.1, and the UEFI firmware is in native mode and has no compatibility support module (CSM) for BIOS mode enabled. Verify this configuration by ensuring that the firmware has no enabled option such as **Legacy mode** or **Compatibility mode** and that the firmware doesn't appear to be in a BIOS-like mode. +- All required roles and services are installed and started. +- Public and private certificates have been published and are in the proper certificate containers. Verify the presence of the Network Unlock certificate by using Microsoft Management Console (*MMC.exe*) on the WDS server. The certificate snap-ins for the local computer should be enabled. Verify the client certificate by checking the registry key *HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP* on the client computer. +- Group Policy for Network Unlock is enabled and linked to the appropriate domains. +- Group Policy is reaching the clients properly. Verify this functionality by using the *GPRESULT.exe* utility or the *RSOP.msc* utility. +- The clients were rebooted after the policy was applied. +- The **Network (Certificate Based)** protector is listed on the client. Check for this protector by using either `manage-bde` or Windows PowerShell cmdlets. For example, the following command lists the key protectors that are currently configured on drive C on the local computer. ```powershell manage-bde -protectors -get C: ``` > [!NOTE] - > Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock + > Use the output of `manage-bde` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock. -Files to gather when troubleshooting BitLocker Network Unlock include: +Gather the following files to troubleshoot BitLocker Network Unlock. -1. The Windows event logs. Specifically the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log +- The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log. - Debug logging is turned off by default for the WDS server role, so you will need to enable it first. You can use either of the following two methods to turn on WDS debug logging. + Debug logging is turned off by default for the WDS server role, so you need to enable it before you can retrieve it. Use either of the following two methods to turn on WDS debug logging. - 1. Start an elevated command prompt and run the following command: + - Start an elevated command prompt, and then run the following command: ```cmd wevtutil sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true ``` - 2. Open Event Viewer on the WDS server. + - Open Event Viewer on the WDS server: - In the left pane, click **Applications and Services Logs**, click **Microsoft**, click **Windows**, click **Deployment-Services-Diagnostics**, and then click **Debug**. + 1. In the left pane, select **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**. + 1. In the right pane, select **Enable Log**. - In the right pane, click **Enable Log**. - -2. The DHCP subnet configuration file (if one exists). -3. The output of the BitLocker status on the volume, this can be gathered into a text file using **manage-bde -status** or **Get-BitLockerVolume** in Windows PowerShell. -4. Network Monitor capture on the server hosting the WDS role, filtered by client IP address. +- The DHCP subnet configuration file (if one exists). +- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`. +- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address. ## Configure Network Unlock Group Policy settings on earlier versions -Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012 but can be deployed using operating systems running Windows Server 2008 R2 and Windows Server 2008. +Network Unlock and the accompanying Group Policy settings were introduced in Windows Server 2012. But you can deploy them by using operating systems that run Windows Server 2008 R2 and Windows Server 2008. -**Requirements** +Your system must meet these requirements: -- The server hosting WDS must be running any of the server operating systems designated in the **Applies To** list at the beginning of this topic. -- Client computers must be running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. +- The server that hosts WDS must be running a server operating system that's designated in the "Applies to" list at the beginning of this article. +- Client computers must be running a client operating system that's designated in the "Applies to" list at the beginning of this article. -The following steps can be used to configure Network Unlock on these older systems. +Follow these steps to configure Network Unlock on these older systems. -1. [Install the WDS Server role](#bkmk-installwdsrole) -2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning) -3. [Install the Network Unlock feature](#bkmk-installnufeature) -4. [Create the Network Unlock certificate](#bkmk-createcert) -5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert) +1. [Install the WDS server role.](#bkmk-installwdsrole) +2. [Confirm the WDS service is running.](#bkmk-confirmwdsrunning) +3. [Install the Network Unlock feature.](#bkmk-installnufeature) +4. [Create the Network Unlock certificate.](#bkmk-createcert) +5. [Deploy the private key and certificate to the WDS server.](#bkmk-deploycert) 6. Configure registry settings for Network Unlock: - Apply the registry settings by running the following certutil script (assuming your network unlock certificate file is called **BitLocker-NetworkUnlock.cer**) on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. -```console - certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f - reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f -``` + Apply the registry settings by running the following `certutil` script (assuming your Network Unlock certificate file is called *BitLocker-NetworkUnlock.cer*) on each computer that runs a client operating system that's designated in the "Applies to" list at the beginning of this article. -7. Set up a TPM protector on the clients -8. Reboot the clients to add the Network (Certificate Based) protector + ```console + certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseAdvancedStartup /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UsePIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMPIN /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPM /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f + ``` + +7. Set up a TPM protector on the clients. +8. Reboot the clients to add the **Network (Certificate Based)** protector. ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md index 9ed6f0f984..4ae0e5d8e8 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-loop-break.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium ms.author: v-maave -author: martyav +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 74e8c2d67c..2c39161d3c 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index d3ff0fb615..76cd4b50a5 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -7,7 +7,7 @@ ms.mktglfcycl: Explore ms.pagetype: security ms.sitesec: library ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp manager: dansimp audience: ITPro ms.collection: M365-security-compliance diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md index 3e3fdfd9b5..596d94cff0 100644 --- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md +++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 1cb7f1c281..7854157fed 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index c802bfae51..06d8c54066 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md index cf6d045df3..27d47eebbc 100644 --- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md +++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index d9e1befbcd..fed9817bba 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 462656a2ad..06382dc117 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index fb2784e2d5..997c6add77 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index a6c748fa89..d573495c4e 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index d94485704c..f6df5436b6 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index 45c32cd7da..124caf74f2 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 97733a4dd7..f7aad3051d 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 78edc9a59e..c84d5cbc1a 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 2bcfcf6622..629994e90f 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 6c672171ac..a124fbdd24 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 49a57283b7..ac44e2f1bd 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md @@ -1,5 +1,5 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) +title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 7f89a245b5..19f213f47f 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -1,11 +1,11 @@ --- title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10) -description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. +description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -444,7 +444,7 @@ To stop Windows from automatically blocking these connections, you can add the ` For example: ```console -URL <,proxy>|URL <,proxy>/*AppCompat*/ +URL <,proxy>|URL <,proxy>|/*AppCompat*/ ``` When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the **Domain joined or marked as compliant** option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index 42caa212cd..524199cf73 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index ebe3c59220..557fa276cb 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 576fe7cf71..bbfa13516c 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 27d3f1d9c9..bf2e926154 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -28,7 +28,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| |Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| -|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| +|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional. Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md index a1e662c65e..419f25c61c 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md @@ -1,6 +1,6 @@ --- -title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) -description: Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) +description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: w10 @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -23,11 +23,11 @@ ms.date: 02/26/2019 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ## In this section |Topic |Description | |------|------------| -|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | +|[Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) |Microsoft Endpoint Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | |[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md index e40c2405a1..42f746faba 100644 --- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md +++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md @@ -1,6 +1,6 @@ --- title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10) -description: Microsoft Intune and Microsoft Endpoint Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy. +description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy. ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6 ms.reviewer: ms.prod: w10 @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 9af557f950..336a37f408 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro @@ -110,7 +110,7 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. >[!NOTE] - >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager. Microsoft Endpoint Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + >For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager. Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index fee621245c..d2ff6e2a2f 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 7353daae25..2eefdaf76e 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -9,7 +9,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 94df767962..c7caa873dc 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 5a8333cab2..b54cc7cbe1 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.author: dansimp manager: dansimp audience: ITPro diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 862dcdb459..e62fbe4434 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -1,15 +1,15 @@ # [Threat protection](index.md) ## [Overview]() -### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) +### [What is Microsoft Defender for Endpoint?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md) ### [Minimum requirements](microsoft-defender-atp/minimum-requirements.md) -### [What's new in Microsoft Defender ATP](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) +### [What's new in Microsoft Defender for Endpoint](microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md) ### [Preview features](microsoft-defender-atp/preview.md) ### [Data storage and privacy](microsoft-defender-atp/data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](microsoft-defender-atp/use.md) ### [Portal overview](microsoft-defender-atp/portal-overview.md) -### [Microsoft Defender ATP for US Government Community Cloud High customers](microsoft-defender-atp/gov.md) -### [Microsoft Defender ATP for non-Windows platforms](microsoft-defender-atp/non-windows.md) +### [Microsoft Defender for Endpoint for US Government customers](microsoft-defender-atp/gov.md) +### [Microsoft Defender for Endpoint for non-Windows platforms](microsoft-defender-atp/non-windows.md) ## [Evaluate capabilities](microsoft-defender-atp/evaluation-lab.md) @@ -115,6 +115,7 @@ ##### [Enable exploit protection](microsoft-defender-atp/enable-exploit-protection.md) ##### [Customize exploit protection](microsoft-defender-atp/customize-exploit-protection.md) ##### [Import, export, and deploy exploit protection configurations](microsoft-defender-atp/import-export-exploit-protection-emet-xml.md) +##### [Troubleshoot exploit protection mitigations](microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md) ##### [Exploit protection reference](microsoft-defender-atp/exploit-protection-reference.md ) #### [Network protection]() @@ -171,12 +172,11 @@ ##### [Manage next-generation protection in your business]() ###### [Management overview](microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md) -###### [Use Microsoft Intune and Microsoft Endpoint Configuration Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) +###### [Use Microsoft Intune and Microsoft Endpoint Manager to manage next-generation protection](microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md) ###### [Use Group Policy settings to manage next-generation protection](microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md) ###### [Use PowerShell cmdlets to manage next-generation protection](microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md) ###### [Use Windows Management Instrumentation (WMI) to manage next-generation protection](microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md) ###### [Use the mpcmdrun.exe command line tool to manage next-generation protection](microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md) -###### [Handle false positives/negatives in Microsoft Defender Antivirus](microsoft-defender-antivirus/antivirus-false-positives-negatives.md) ##### [Deploy, manage updates, and report on antivirus]() ###### [Preparing to deploy](microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md) @@ -196,8 +196,7 @@ ##### [Customize, initiate, and review the results of scans and remediation]() ###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md) -###### [Configure and validate exclusions in antivirus scans]() -###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) +###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) ###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) ###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) @@ -234,14 +233,14 @@ #### [Better together: Microsoft Defender Antivirus and Office 365](microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md) -### [Microsoft Defender Advanced Threat Protection for Mac]() -#### [Overview of Microsoft Defender ATP for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) +### [Microsoft Defender for Endpoint for Mac]() +#### [Overview of Microsoft Defender for Endpoint for Mac](microsoft-defender-atp/microsoft-defender-atp-mac.md) #### [What's New](microsoft-defender-atp/mac-whatsnew.md) #### [Deploy]() ##### [Microsoft Intune-based deployment](microsoft-defender-atp/mac-install-with-intune.md) ##### [JAMF Pro-based deployment]() -###### [Deploying Microsoft Defender ATP for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md) +###### [Deploying Microsoft Defender for Endpoint for macOS using Jamf Pro](microsoft-defender-atp/mac-install-with-jamf.md) ###### [Login to Jamf Pro](microsoft-defender-atp/mac-install-jamfpro-login.md) ###### [Set up device groups](microsoft-defender-atp/mac-jamfpro-device-groups.md) ###### [Set up policies](microsoft-defender-atp/mac-jamfpro-policies.md) @@ -269,8 +268,8 @@ -### [Microsoft Defender Advanced Threat Protection for iOS]() -#### [Overview of Microsoft Defender Advanced Threat Protection for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md) +### [Microsoft Defender for Endpoint for iOS]() +#### [Overview of Microsoft Defender for Endpoint for iOS](microsoft-defender-atp/microsoft-defender-atp-ios.md) #### [Deploy]() ##### [Deploy Microsoft Defender for Endpoint for iOS via Intune](microsoft-defender-atp/ios-install.md) @@ -280,8 +279,8 @@ #### [Privacy](microsoft-defender-atp/ios-privacy.md) -### [Microsoft Defender Advanced Threat Protection for Linux]() -#### [Overview of Microsoft Defender ATP for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) +### [Microsoft Defender for Endpoint for Linux]() +#### [Overview of Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/microsoft-defender-atp-linux.md) #### [What's New](microsoft-defender-atp/linux-whatsnew.md) #### [Deploy]() ##### [Manual deployment](microsoft-defender-atp/linux-install-manually.md) @@ -296,30 +295,31 @@ ##### [Static proxy configuration](microsoft-defender-atp/linux-static-proxy-configuration.md) ##### [Set preferences](microsoft-defender-atp/linux-preferences.md) ##### [Detect and block Potentially Unwanted Applications](microsoft-defender-atp/linux-pua.md) -##### [Schedule scans with Microsoft Defender ATP for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) +##### [Schedule scans with Microsoft Defender for Endpoint for Linux](microsoft-defender-atp/linux-schedule-scan-atp.md) ##### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](microsoft-defender-atp/linux-update-MDE-Linux.md) #### [Troubleshoot]() ##### [Troubleshoot installation issues](microsoft-defender-atp/linux-support-install.md) ##### [Troubleshoot cloud connectivity issues](microsoft-defender-atp/linux-support-connectivity.md) ##### [Troubleshoot performance issues](microsoft-defender-atp/linux-support-perf.md) +##### [Troubleshoot missing events issues](microsoft-defender-atp/linux-support-events.md) #### [Privacy](microsoft-defender-atp/linux-privacy.md) #### [Resources](microsoft-defender-atp/linux-resources.md) -### [Microsoft Defender Advanced Threat Protection for Android]() -#### [Overview of Microsoft Defender ATP for Android](microsoft-defender-atp/microsoft-defender-atp-android.md) +### [Microsoft Defender for Endpoint for Android]() +#### [Overview of Microsoft Defender for Endpoint for Android](microsoft-defender-atp/microsoft-defender-atp-android.md) #### [Deploy]() -##### [Deploy Microsoft Defender ATP for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md) +##### [Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune](microsoft-defender-atp/android-intune.md) #### [Configure]() -##### [Configure Microsoft Defender ATP for Android features](microsoft-defender-atp/android-configure.md) +##### [Configure Microsoft Defender for Endpoint for Android features](microsoft-defender-atp/android-configure.md) #### [Privacy]() -##### [Microsoft Defender ATP for Android - Privacy information](microsoft-defender-atp/android-privacy.md) +##### [Microsoft Defender for Endpoint for Android - Privacy information](microsoft-defender-atp/android-privacy.md) #### [Troubleshoot]() ##### [Troubleshoot issues](microsoft-defender-atp/android-support-signin.md) @@ -445,7 +445,7 @@ ## [How-to]() ### [Onboard devices to the service]() -#### [Onboard devices to Microsoft Defender ATP](microsoft-defender-atp/onboard-configure.md) +#### [Onboard devices to Microsoft Defender for Endpoint](microsoft-defender-atp/onboard-configure.md) #### [Onboard previous versions of Windows](microsoft-defender-atp/onboard-downlevel.md) #### [Onboard Windows 10 devices]() ##### [Onboarding tools and methods](microsoft-defender-atp/configure-endpoints.md) @@ -479,6 +479,7 @@ #### [General]() ##### [Verify data storage location and update data retention settings](microsoft-defender-atp/data-retention-settings.md) ##### [Configure alert notifications](microsoft-defender-atp/configure-email-notifications.md) +##### [Configure vulnerability notifications](microsoft-defender-atp/configure-vulnerability-email-notifications.md) ##### [Configure advanced features](microsoft-defender-atp/advanced-features.md) #### [Permissions]() @@ -509,22 +510,25 @@ #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md) #### [Configure Microsoft Cloud App Security integration](microsoft-defender-atp/microsoft-cloud-app-security-config.md) +### [Address false positives/negatives in Microsoft Defender for Endpoint](microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) + ### [Use audit mode](microsoft-defender-atp/audit-windows-defender.md) ## Reference ### [Management and APIs]() #### [Overview of management and APIs](microsoft-defender-atp/management-apis.md) -#### [Microsoft Defender ATP API]() +#### [Microsoft Defender for Endpoint API]() ##### [Get started]() -###### [Microsoft Defender ATP API license and terms](microsoft-defender-atp/api-terms-of-use.md) -###### [Access the Microsoft Defender ATP APIs](microsoft-defender-atp/apis-intro.md) +###### [Microsoft Defender for Endpoint API license and terms](microsoft-defender-atp/api-terms-of-use.md) +###### [Access the Microsoft Defender for Endpoint APIs](microsoft-defender-atp/apis-intro.md) ###### [Hello World](microsoft-defender-atp/api-hello-world.md) ###### [Get access with application context](microsoft-defender-atp/exposed-apis-create-app-webapp.md) ###### [Get access with user context](microsoft-defender-atp/exposed-apis-create-app-nativeapp.md) ###### [Get partner application access](microsoft-defender-atp/exposed-apis-create-app-partners.md) -##### [Microsoft Defender ATP APIs Schema]() -###### [Supported Microsoft Defender ATP APIs](microsoft-defender-atp/exposed-apis-list.md) +##### [Microsoft Defender for Endpoint APIs Schema]() +###### [Supported Microsoft Defender for Endpoint APIs](microsoft-defender-atp/exposed-apis-list.md) +###### [Release Notes](microsoft-defender-atp/api-release-notes.md) ###### [Common REST API error codes](microsoft-defender-atp/common-errors.md) ###### [Advanced Hunting](microsoft-defender-atp/run-advanced-query-api.md) @@ -551,6 +555,7 @@ ####### [Get security recommendations](microsoft-defender-atp/get-security-recommendations.md) ####### [Add or Remove machine tags](microsoft-defender-atp/add-or-remove-machine-tags.md) ####### [Find machines by IP](microsoft-defender-atp/find-machines-by-ip.md) +####### [Find machines by tag](microsoft-defender-atp/find-machines-by-tag.md) ####### [Get missing KBs](microsoft-defender-atp/get-missing-kbs-machine.md) ####### [Set device value](microsoft-defender-atp/set-device-value.md) @@ -577,6 +582,7 @@ ###### [Indicators]() ####### [Indicators methods and properties](microsoft-defender-atp/ti-indicator.md) ####### [Submit Indicator](microsoft-defender-atp/post-ti-indicator.md) +####### [Import Indicators](microsoft-defender-atp/import-ti-indicators.md) ####### [List Indicators](microsoft-defender-atp/get-ti-indicators-collection.md) ####### [Delete Indicator](microsoft-defender-atp/delete-ti-indicator-by-id.md) @@ -648,7 +654,7 @@ ##### [Learn about different ways to pull detections](microsoft-defender-atp/configure-siem.md) ##### [Enable SIEM integration](microsoft-defender-atp/enable-siem-integration.md) ##### [Configure Micro Focus ArcSight to pull detections](microsoft-defender-atp/configure-arcsight.md) -##### [Microsoft Defender ATP detection fields](microsoft-defender-atp/api-portal-mapping.md) +##### [Microsoft Defender for Endpoint detection fields](microsoft-defender-atp/api-portal-mapping.md) ##### [Pull detections using SIEM REST API](microsoft-defender-atp/pull-alerts-using-rest-api.md) ##### [Fetch alerts from customer tenant](microsoft-defender-atp/fetch-alerts-mssp.md) ##### [Troubleshoot SIEM tool integration issues](microsoft-defender-atp/troubleshoot-siem.md) @@ -676,11 +682,11 @@ ### [Partner integration scenarios]() #### [Technical partner opportunities](microsoft-defender-atp/partner-integration.md) #### [Managed security service provider opportunity](microsoft-defender-atp/mssp-support.md) -#### [Become a Microsoft Defender ATP partner](microsoft-defender-atp/get-started-partner-integration.md) +#### [Become a Microsoft Defender for Endpoint partner](microsoft-defender-atp/get-started-partner-integration.md) ### [Integrations]() -#### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md) +#### [Microsoft Defender for Endpoint integrations](microsoft-defender-atp/threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md) #### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) @@ -688,13 +694,13 @@ ### [Information protection in Windows overview]() #### [Windows integration](microsoft-defender-atp/information-protection-in-windows-overview.md) -### [Access the Microsoft Defender ATP Community Center](microsoft-defender-atp/community.md) +### [Access the Microsoft Defender for Endpoint Community Center](microsoft-defender-atp/community.md) ### [Helpful resources](microsoft-defender-atp/helpful-resources.md) -### [Troubleshoot Microsoft Defender ATP]() +### [Troubleshoot Microsoft Defender for Endpoint]() #### [Troubleshoot sensor state]() ##### [Check sensor state](microsoft-defender-atp/check-sensor-status.md) ##### [Fix unhealthy sensors](microsoft-defender-atp/fix-unhealthy-sensors.md) @@ -702,10 +708,10 @@ ##### [Misconfigured devices](microsoft-defender-atp/fix-unhealthy-sensors.md#misconfigured-devices) ##### [Review sensor events and errors on machines with Event Viewer](microsoft-defender-atp/event-error-codes.md) -#### [Troubleshoot Microsoft Defender ATP service issues]() +#### [Troubleshoot Microsoft Defender for Endpoint service issues]() ##### [Troubleshoot service issues](microsoft-defender-atp/troubleshoot-mdatp.md) ##### [Check service health](microsoft-defender-atp/service-status.md) -##### [Contact Microsoft Defender ATP support](microsoft-defender-atp/contact-support.md) +##### [Contact Microsoft Defender for Endpoint support](microsoft-defender-atp/contact-support.md) #### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md) @@ -1334,7 +1340,6 @@ #### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md) ##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md) ##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md) -### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 2893cf7ece..6df69c3b35 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: This reference for IT professionals provides information about the ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171 ms.reviewer: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate. ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security audit policy settings diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md index 99b8a989c4..86a39fc1b7 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists questions and answers abou ms.assetid: 80f8f187-0916-43c2-a7e8-ea712b115a06 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security auditing FAQ diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 7c55d51d21..4a3608816f 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -4,7 +4,7 @@ description: Advanced security audit policy settings may appear to overlap with ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security audit policies diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index 505da9bbb0..c892db7b11 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -2,7 +2,7 @@ title: Appendix A, Security monitoring recommendations for many audit events (Windows 10) description: Learn about recommendations for the type of monitoring required for certain classes of security audit events. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Appendix A: Security monitoring recommendations for many audit events diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index a18783d92c..2d63b25eb8 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -4,7 +4,7 @@ description: Apply audit policies to individual files and folders on your comput ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/25/2018 +ms.technology: mde --- # Apply a basic audit policy on a file or folder diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 1ea3e878e6..77f8126a98 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 07/16/2018 +ms.technology: mde --- # Audit Account Lockout diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index b594ba40ca..9215959064 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Application Generated diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 8dce282dfa..a06d67b8d9 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Application Group Management diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index 376cab2bcf..81422c0d3f 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Audit Policy Change diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index 4a6f754c01..8bf74ed78f 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Authentication Policy Change diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index b13bec6cbc..c00445582a 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Authorization Policy Change diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index f655b5d8c6..e607b7c276 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Central Access Policy Staging diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index a1e50c1538..24af233cc3 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Certification Services diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index ab838fd042..677244f857 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Computer Account Management diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 9ce3b5aa5b..4fdf9060db 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Credential Validation diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index 859859fc2b..a6f472d018 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Detailed Directory Service Replication diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 3b223b9331..4428aad464 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Detailed File Share diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 0a13f90a87..db603d8330 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Directory Service Access diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 1a962ee86f..f81b20e2a5 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Directory Service Changes diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index dffea817d4..df8ddc7f12 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Directory Service Replication diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 2bacdbe3a1..352eea4cfe 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Distribution Group Management diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index fc94d79d95..7c346e1e52 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit DPAPI Activity diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index ccab879b4f..88b51b6a3f 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit File Share diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 57ea7bc917..7da7e7d670 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit File System diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index 52475e4276..e45f321af3 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Filtering Platform Connection diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index bdaff33b06..fabd2a6b86 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Filtering Platform Packet Drop diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index 204a9b6320..72b892151f 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Filtering Platform Policy Change diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index 5775f97220..37a86a6424 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Group Membership diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index 64fd2edce2..e82188ac78 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Handle Manipulation diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index d396f0ed40..606acf77a3 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Driver diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 37421d3b3e..179c4e5e22 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Extended Mode diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index bf2db28b53..092717cc70 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Main Mode diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 290c41687a..fefab72132 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 10/02/2018 +ms.technology: mde --- # Audit IPsec Quick Mode diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index 529003459d..14495b2794 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Kerberos Authentication Service diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index 0c95144cb1..555de3229e 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Kerberos Service Ticket Operations diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index 60f0a374d8..35d10b40fa 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Kernel Object diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index 011a5d397c..a07a10fd9a 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 07/16/2018 +ms.technology: mde --- # Audit Logoff diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index 711c16301c..e87dd6ad1d 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Logon diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index d58bafa0de..5107277a3d 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit MPSSVC Rule-Level Policy Change diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 697ae99b16..78f17fb1a1 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Network Policy Server diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index b75e993891..8cf59016dd 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Non-Sensitive Privilege Use diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 959a951636..39fa1e83de 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Account Logon Events diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 2795a0bb73..bb5d7120a3 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Account Management Events diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index 9265129828..d50fe53957 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Logon/Logoff Events diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index 54b132e114..a485aa2d07 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 05/29/2017 +ms.technology: mde --- # Audit Other Object Access Events diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 2ceacf7bd7..5f55e34285 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Policy Change Events diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index 9adb4cfd74..87c74a4998 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -2,16 +2,17 @@ title: Audit Other Privilege Use Events (Windows 10) description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S). ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c -ms.reviewer: +ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other Privilege Use Events diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index 314723a738..7554066d42 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Other System Events diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 2d1298584a..16b696e3a2 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit PNP Activity diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 2eb2aa20f8..456c7082b1 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Process Creation diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index 7ba49fbd59..97b0a91741 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Process Termination diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 4b0d88838f..8b5fa48820 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Registry diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index 82d5170b7c..d09d98cb1d 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Removable Storage diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index b35eacaf51..59202d82fa 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit RPC Events diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index 6e60284ead..2d23fcdcce 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit SAM diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index d75b85e522..c80fe834a9 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 02/28/2019 +ms.technology: mde --- # Audit Security Group Management diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index c10e8072f7..19614087bb 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Security State Change diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index 8c764f65c4..b787507ef4 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Security System Extension diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index 3bdb900b00..2f23c9cbcc 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Sensitive Privilege Use diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index ec7e84c990..b17dccbcb1 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit Special Logon diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index 89d27ff3cb..b461299ea0 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit System Integrity diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md index bb9d974920..266ab2e3c9 100644 --- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md +++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md @@ -5,7 +5,8 @@ manager: dansimp author: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security +ms.technology: mde --- # Audit Token Right Adjusted diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 5b2d45cc98..145e04e477 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit User Account Management diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index bea0be45b0..6051e50d2f 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -6,12 +6,13 @@ ms.reviewer: manager: dansimp ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp ms.date: 04/19/2017 +ms.technology: mde --- # Audit User/Device Claims diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index f345a84336..7e9d098f5d 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o ms.assetid: 84B44181-E325-49A1-8398-AECC3CE0A516 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit account logon events diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index e699a88ac1..10a7cb1c8c 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -4,7 +4,7 @@ description: Determines whether to audit each event of account management on a d ms.assetid: 369197E1-7E0E-45A4-89EA-16D91EF01689 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit account management diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index 530a4255bc..e52e2e7382 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -4,7 +4,7 @@ description: Determines whether to audit the event of a user accessing an Active ms.assetid: 52F02EED-3CFE-4307-8D06-CF1E27693D09 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit directory service access diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 66c1906086..c730790cfa 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user logging on to o ms.assetid: 78B5AFCB-0BBD-4C38-9FE9-6B4571B94A35 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit logon events diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index c3bada3ea8..7bb1357af3 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -4,7 +4,7 @@ description: The policy setting, Audit object access, determines whether to audi ms.assetid: D15B6D67-7886-44C2-9972-3F192D5407EA ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit object access diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index b80e5788af..a04167e8c2 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -4,7 +4,7 @@ description: Determines whether to audit every incident of a change to user righ ms.assetid: 1025A648-6B22-4C85-9F47-FE0897F1FA31 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit policy change diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index a3e7893fe6..4b6a28a415 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -4,7 +4,7 @@ description: Determines whether to audit each instance of a user exercising a us ms.assetid: C5C6DAAF-8B58-4DFB-B1CE-F0675AE0E9F8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit privilege use diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index 4f02eab9a3..c2e1ff94ca 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -4,7 +4,7 @@ description: Determines whether to audit detailed tracking information for event ms.assetid: 91AC5C1E-F4DA-4B16-BEE2-C92D66E4CEEA ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit process tracking diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 7811de4253..8c5e33028e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -4,7 +4,7 @@ description: Determines whether to audit when a user restarts or shuts down the ms.assetid: BF27588C-2AA7-4365-A4BF-3BB377916447 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit system events diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 3856637432..fd291c792a 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -4,7 +4,7 @@ description: Learn about basic security audit policies that specify the categori ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Basic security audit policies diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 686cdfdc71..0ddb0a6152 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: Basic security audit policy settings are found under Computer Confi ms.assetid: 31C2C453-2CFC-4D9E-BC88-8CE1C1A8F900 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Basic security audit policy settings diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 745c787671..526946d4b5 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -4,7 +4,7 @@ description: By defining auditing settings for specific event categories, you ca ms.assetid: C9F52751-B40D-482E-BE9D-2C61098249D3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a basic audit policy for an event category diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index 251aa8834c..f3fbd46308 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -2,7 +2,7 @@ title: 1100(S) The event logging service has shut down. (Windows 10) description: Describes security event 1100(S) The event logging service has shut down. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1100(S): The event logging service has shut down. diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 4a9b1e8b3a..fecf1badde 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -2,7 +2,7 @@ title: 1102(S) The audit log was cleared. (Windows 10) description: Though you shouldn't normally see it, this event generates every time Windows Security audit log is cleared. This is for event 1102(S). ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1102(S): The audit log was cleared. diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index fbcbb7dad9..8dbb841dce 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -1,8 +1,8 @@ --- title: 1104(S) The security log is now full. (Windows 10) -description: This event generates every time Windows security log becomes full and the event log retention method is set to "Do not overwrite events." +description: This event generates every time Windows security log becomes full and the event log retention method is set to Do not overwrite events. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1104(S): The security log is now full. diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index bd4e2bb72a..c08fa7be61 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -2,7 +2,7 @@ title: 1105(S) Event log automatic backup. (Windows 10) description: This event generates every time Windows security log becomes full and new event log file was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1105(S): Event log automatic backup diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 0aaa3b6a99..cd3bf45ca4 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -2,7 +2,7 @@ title: The event logging service encountered an error (Windows 10) description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 1108(S): The event logging service encountered an error while processing an incoming event published from %1. diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 5f0730407d..6372e6acc2 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -2,7 +2,7 @@ title: 4608(S) Windows is starting up. (Windows 10) description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4608(S): Windows is starting up. diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index c9be68814f..b85a2d5918 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -2,7 +2,7 @@ title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10) description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4610(S): An authentication package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 6862a8d6a8..c3174b766e 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -2,7 +2,7 @@ title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10) description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4611(S): A trusted logon process has been registered with the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 2ca7cca35a..c4561550d5 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -2,7 +2,7 @@ title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10) description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index f86b22408c..5bc966978c 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -2,7 +2,7 @@ title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10) description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4614(S): A notification package has been loaded by the Security Account Manager. diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 0490e0ae3e..6c8f9cd7ac 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -2,7 +2,7 @@ title: 4615(S) Invalid use of LPC port. (Windows 10) description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4615(S): Invalid use of LPC port. diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 3f700f0719..690bde945f 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -2,7 +2,7 @@ title: 4616(S) The system time was changed. (Windows 10) description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4616(S): The system time was changed. diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index 4155868172..c1bc41f942 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -2,7 +2,7 @@ title: 4618(S) A monitored security event pattern has occurred. (Windows 10) description: Describes security event 4618(S) A monitored security event pattern has occurred. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4618(S): A monitored security event pattern has occurred. diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index f3365acf99..8868b9b584 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -2,7 +2,7 @@ title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10) description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4621(S): Administrator recovered system from CrashOnAuditFail. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index 385f508b09..3579709147 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -2,7 +2,7 @@ title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10) description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4622(S): A security package has been loaded by the Local Security Authority. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index b310cd06ca..49f1a0d83c 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -2,7 +2,7 @@ title: 4624(S) An account was successfully logged on. (Windows 10) description: Describes security event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4624(S): An account was successfully logged on. @@ -156,7 +157,7 @@ This event generates when a logon session is created (on destination machine). I | `9` | `NewCredentials` | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. | | `10` | `RemoteInteractive` | A user logged on to this computer remotely using Terminal Services or Remote Desktop. | | `11` | `CachedInteractive` | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. | -| `12` | `CashedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | +| `12` | `CachedRemoteInteractive` | Same as RemoteInteractive. This is used for internal auditing. | | `13` | `CachedUnlock` | Workstation logon. | - **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10. diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 293e52c57f..9dcf332398 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -2,7 +2,7 @@ title: 4625(F) An account failed to log on. (Windows 10) description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4625(F): An account failed to log on. diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 2adc4b2f1b..667de4c561 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -2,7 +2,7 @@ title: 4626(S) User/Device claims information. (Windows 10) description: Describes security event 4626(S) User/Device claims information. This event is generated for new account logons. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4626(S): User/Device claims information. diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index fb47564ea9..ff63c0c122 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -2,7 +2,7 @@ title: 4627(S) Group membership information. (Windows 10) description: Describes security event 4627(S) Group membership information. This event is generated with event 4624(S) An account was successfully logged on. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4627(S): Group membership information. diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index d76dc2df61..b0541e2dbb 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -2,7 +2,7 @@ title: 4634(S) An account was logged off. (Windows 10) description: Describes security event 4634(S) An account was logged off. This event is generated when a logon session is terminated and no longer exists. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 11/20/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4634(S): An account was logged off. diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index 26bbcd86f8..14dc2a7083 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -2,7 +2,7 @@ title: 4647(S) User initiated logoff. (Windows 10) description: Describes security event 4647(S) User initiated logoff. This event is generated when a logoff is initiated. No further user-initiated activity can occur. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4647(S): User initiated logoff. diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 5a44bd38f1..8483ee08ac 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -2,7 +2,7 @@ title: 4648(S) A logon was attempted using explicit credentials. (Windows 10) description: Describes security event 4648(S) A logon was attempted using explicit credentials. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4648(S): A logon was attempted using explicit credentials. diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index dce0305250..06ae9ca1aa 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -2,7 +2,7 @@ title: 4649(S) A replay attack was detected. (Windows 10) description: Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4649(S): A replay attack was detected. diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index 918d665121..f0ce074332 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -2,7 +2,7 @@ title: 4656(S, F) A handle to an object was requested. (Windows 10) description: Describes security event 4656(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4656(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index cb009c97df..f7ebcac31c 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -2,7 +2,7 @@ title: 4657(S) A registry value was modified. (Windows 10) description: Describes security event 4657(S) A registry value was modified. This event is generated when a registry key value is modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4657(S): A registry value was modified. diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index c461aa3d20..85b56fb6d0 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -2,7 +2,7 @@ title: 4658(S) The handle to an object was closed. (Windows 10) description: Describes security event 4658(S) The handle to an object was closed. This event is generated when the handle to an object is closed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4658(S): The handle to an object was closed. diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 0823b6ae3e..db4a9fd649 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -2,7 +2,7 @@ title: 4660(S) An object was deleted. (Windows 10) description: Describes security event 4660(S) An object was deleted. This event is generated when an object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4660(S): An object was deleted. diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index 13513c1eb8..1fd43e2292 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -2,7 +2,7 @@ title: 4661(S, F) A handle to an object was requested. (Windows 10) description: Describes security event 4661(S, F) A handle to an object was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4661(S, F): A handle to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 31fd7fd716..8998dbb81a 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -2,7 +2,7 @@ title: 4662(S, F) An operation was performed on an object. (Windows 10) description: Describes security event 4662(S, F) An operation was performed on an object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4662(S, F): An operation was performed on an object. diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index 44da729457..367e5eb029 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -2,7 +2,7 @@ title: 4663(S) An attempt was made to access an object. (Windows 10) description: Describes security event 4663(S) An attempt was made to access an object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4663(S): An attempt was made to access an object. diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 6f60cce3a7..9c99e5f2bc 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -2,7 +2,7 @@ title: 4664(S) An attempt was made to create a hard link. (Windows 10) description: Describes security event 4664(S) An attempt was made to create a hard link. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4664(S): An attempt was made to create a hard link. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index bc6d20907b..c52b274d4f 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -2,7 +2,7 @@ title: 4670(S) Permissions on an object were changed. (Windows 10) description: Describes security event 4670(S) Permissions on an object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4670(S): Permissions on an object were changed. diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index 3e81e5f2f6..fb46f1fb5a 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -2,7 +2,7 @@ title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10) description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4671(-): An application attempted to access a blocked ordinal through the TBS. diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 81b9fd94a0..60e95bde44 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -2,7 +2,7 @@ title: 4672(S) Special privileges assigned to new logon. (Windows 10) description: Describes security event 4672(S) Special privileges assigned to new logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 12/20/2018 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4672(S): Special privileges assigned to new logon. diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index c647485d66..579be30565 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -2,7 +2,7 @@ title: 4673(S, F) A privileged service was called. (Windows 10) description: Describes security event 4673(S, F) A privileged service was called. This event is generated for an attempt to perform privileged system service operations. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4673(S, F): A privileged service was called. diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 5781254277..5eecd1f2b5 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -2,7 +2,7 @@ title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10) description: Describes security event 4674(S, F) An operation was attempted on a privileged object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4674(S, F): An operation was attempted on a privileged object. diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index 978d25bf39..0af7742f2c 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -2,7 +2,7 @@ title: 4675(S) SIDs were filtered. (Windows 10) description: Describes security event 4675(S) SIDs were filtered. This event is generated when SIDs were filtered for a specific Active Directory trust. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4675(S): SIDs were filtered. diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 4c48e4623a..31baef1ba5 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -2,7 +2,7 @@ title: 4688(S) A new process has been created. (Windows 10) description: Describes security event 4688(S) A new process has been created. This event is generated when a new process starts. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4688(S): A new process has been created. diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index 81c27d0423..99bee451d9 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -2,7 +2,7 @@ title: 4689(S) A process has exited. (Windows 10) description: Describes security event 4689(S) A process has exited. This event is generates when a process exits. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4689(S): A process has exited. diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index be4ce4de7c..d7a23d1da4 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -2,7 +2,7 @@ title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10) description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4690(S): An attempt was made to duplicate a handle to an object. diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index 001cce1266..cadefa2220 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -2,7 +2,7 @@ title: 4691(S) Indirect access to an object was requested. (Windows 10) description: Describes security event 4691(S) Indirect access to an object was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4691(S): Indirect access to an object was requested. diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index dc84c4c3d6..5d421a4e9f 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -2,7 +2,7 @@ title: 4692(S, F) Backup of data protection master key was attempted. (Windows 10) description: Describes security event 4692(S, F) Backup of data protection master key was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4692(S, F): Backup of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index 72c5473fe1..705ede7a61 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -2,7 +2,7 @@ title: 4693(S, F) Recovery of data protection master key was attempted. (Windows 10) description: Describes security event 4693(S, F) Recovery of data protection master key was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4693(S, F): Recovery of data protection master key was attempted. diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index 9d96a529ac..3d9e4f51cf 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -2,7 +2,7 @@ title: 4694(S, F) Protection of auditable protected data was attempted. (Windows 10) description: Describes security event 4694(S, F) Protection of auditable protected data was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4694(S, F): Protection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 675ba33601..cbca831957 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -2,7 +2,7 @@ title: 4695(S, F) Unprotection of auditable protected data was attempted. (Windows 10) description: Describes security event 4695(S, F) Unprotection of auditable protected data was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4695(S, F): Unprotection of auditable protected data was attempted. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 0268cd25a8..520d0d5d1e 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -2,7 +2,7 @@ title: 4696(S) A primary token was assigned to process. (Windows 10) description: Describes security event 4696(S) A primary token was assigned to process. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4696(S): A primary token was assigned to process. diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index d454c05905..090b2436e1 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -2,7 +2,7 @@ title: 4697(S) A service was installed in the system. (Windows 10) description: Describes security event 4697(S) A service was installed in the system. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4697(S): A service was installed in the system. diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index a6f3256c16..567815e3b8 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -2,7 +2,7 @@ title: 4698(S) A scheduled task was created. (Windows 10) description: Describes security event 4698(S) A scheduled task was created. This event is generated when a scheduled task is created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4698(S): A scheduled task was created. diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index 48148e6246..5b2861c4d1 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -2,7 +2,7 @@ title: 4699(S) A scheduled task was deleted. (Windows 10) description: Describes security event 4699(S) A scheduled task was deleted. This event is generated every time a scheduled task is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4699(S): A scheduled task was deleted. diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index 8d39b0e38d..90e9f7b574 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -2,7 +2,7 @@ title: 4700(S) A scheduled task was enabled. (Windows 10) description: Describes security event 4700(S) A scheduled task was enabled. This event is generated every time a scheduled task is enabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4700(S): A scheduled task was enabled. diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index ef24c397fc..bc81734079 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -2,7 +2,7 @@ title: 4701(S) A scheduled task was disabled. (Windows 10) description: Describes security event 4701(S) A scheduled task was disabled. This event is generated every time a scheduled task is disabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4701(S): A scheduled task was disabled. diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 393a0619d6..f6d5b753e4 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -2,7 +2,7 @@ title: 4702(S) A scheduled task was updated. (Windows 10) description: Describes security event 4702(S) A scheduled task was updated. This event is generated when a scheduled task is updated/changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4702(S): A scheduled task was updated. diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 7483483ea2..e0a624d4fb 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -2,7 +2,7 @@ title: 4703(S) A user right was adjusted. (Windows 10) description: Describes security event 4703(S) A user right was adjusted. This event is generated when token privileges are enabled or disabled for a specific account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4703(S): A user right was adjusted. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index bc3e9d5c3a..d1d045bb0d 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -2,7 +2,7 @@ title: 4704(S) A user right was assigned. (Windows 10) description: Describes security event 4704(S) A user right was assigned. This event is generated when a user right is assigned to an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4704(S): A user right was assigned. diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 5b337c9941..317b3b23fb 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -2,7 +2,7 @@ title: 4705(S) A user right was removed. (Windows 10) description: Describes security event 4705(S) A user right was removed. This event is generated when a user right is removed from an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4705(S): A user right was removed. diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index 2a57c47db5..d39473364c 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -2,7 +2,7 @@ title: 4706(S) A new trust was created to a domain. (Windows 10) description: Describes security event 4706(S) A new trust was created to a domain. This event is generated when a new trust is created for a domain. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4706(S): A new trust was created to a domain. diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index dc7e2f5419..f16f66bdcd 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -2,7 +2,7 @@ title: 4707(S) A trust to a domain was removed. (Windows 10) description: Describes security event 4707(S) A trust to a domain was removed. This event is generated when a domain trust is removed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4707(S): A trust to a domain was removed. diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index 69c6f2f153..3c7ada997e 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -2,7 +2,7 @@ title: 4713(S) Kerberos policy was changed. (Windows 10) description: Describes security event 4713(S) Kerberos policy was changed. This event is generated when Kerberos policy is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4713(S): Kerberos policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index c81891ffc9..36dec3a969 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -2,7 +2,7 @@ title: 4714(S) Encrypted data recovery policy was changed. (Windows 10) description: Describes security event 4714(S) Encrypted data recovery policy was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4714(S): Encrypted data recovery policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index c51f51c999..d4e9d14839 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -2,7 +2,7 @@ title: 4715(S) The audit policy (SACL) on an object was changed. (Windows 10) description: Describes security event 4715(S) The audit policy (SACL) on an object was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4715(S): The audit policy (SACL) on an object was changed. diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 4ab122d7f1..35b1bfc9d2 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -2,7 +2,7 @@ title: 4716(S) Trusted domain information was modified. (Windows 10) description: Describes security event 4716(S) Trusted domain information was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/04/2019 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4716(S): Trusted domain information was modified. diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index ffe87e87e0..ddbd9f66db 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -2,7 +2,7 @@ title: 4717(S) System security access was granted to an account. (Windows 10) description: Describes security event 4717(S) System security access was granted to an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4717(S): System security access was granted to an account. diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index ecef74c71a..0e7892c9c8 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -2,7 +2,7 @@ title: 4718(S) System security access was removed from an account. (Windows 10) description: Describes security event 4718(S) System security access was removed from an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4718(S): System security access was removed from an account. diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index e634cf0bbf..98469b6945 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -2,7 +2,7 @@ title: 4719(S) System audit policy was changed. (Windows 10) description: Describes security event 4719(S) System audit policy was changed. This event is generated when the computer audit policy changes. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4719(S): System audit policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index d18fd86200..1569aebb53 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -2,7 +2,7 @@ title: 4720(S) A user account was created. (Windows 10) description: Describes security event 4720(S) A user account was created. This event is generated a user object is created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4720(S): A user account was created. diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index 97a958aba9..e156a9bedf 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -2,7 +2,7 @@ title: 4722(S) A user account was enabled. (Windows 10) description: Describes security event 4722(S) A user account was enabled. This event is generated when a user or computer object is enabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4722(S): A user account was enabled. diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index 4622d802a2..8a2eb1aa9b 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -2,7 +2,7 @@ title: 4723(S, F) An attempt was made to change an account's password. (Windows 10) description: Describes security event 4723(S, F) An attempt was made to change an account's password. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4723(S, F): An attempt was made to change an account's password. diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index 3d9bbc1a0d..f360a13828 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -2,7 +2,7 @@ title: 4724(S, F) An attempt was made to reset an account's password. (Windows 10) description: Describes security event 4724(S, F) An attempt was made to reset an account's password. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4724(S, F): An attempt was made to reset an account's password. diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index c1bdc4c1f4..5be795b261 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -2,7 +2,7 @@ title: 4725(S) A user account was disabled. (Windows 10) description: Describes security event 4725(S) A user account was disabled. This event is generated when a user or computer object is disabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4725(S): A user account was disabled. diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index ae0997e85e..f8f7ffba8c 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -2,7 +2,7 @@ title: 4726(S) A user account was deleted. (Windows 10) description: Describes security event 4726(S) A user account was deleted. This event is generated when a user object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4726(S): A user account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 5fcdcba641..78d8e0e0c8 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -2,7 +2,7 @@ title: 4731(S) A security-enabled local group was created. (Windows 10) description: Describes security event 4731(S) A security-enabled local group was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4731(S): A security-enabled local group was created. diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index 65ba0ae840..94a84c0054 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -2,7 +2,7 @@ title: 4732(S) A member was added to a security-enabled local group. (Windows 10) description: Describes security event 4732(S) A member was added to a security-enabled local group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4732(S): A member was added to a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index b970a918bc..b23bf184d3 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -2,7 +2,7 @@ title: 4733(S) A member was removed from a security-enabled local group. (Windows 10) description: Describes security event 4733(S) A member was removed from a security-enabled local group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4733(S): A member was removed from a security-enabled local group. diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index 5e439c5e46..144c20c935 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -2,7 +2,7 @@ title: 4734(S) A security-enabled local group was deleted. (Windows 10) description: Describes security event 4734(S) A security-enabled local group was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4734(S): A security-enabled local group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index 07ff8c48cf..98843abaa0 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -2,7 +2,7 @@ title: 4735(S) A security-enabled local group was changed. (Windows 10) description: Describes security event 4735(S) A security-enabled local group was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4735(S): A security-enabled local group was changed. diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 3ad4e0bb93..6262726e51 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -2,7 +2,7 @@ title: 4738(S) A user account was changed. (Windows 10) description: Describes security event 4738(S) A user account was changed. This event is generated when a user object is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4738(S): A user account was changed. diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index 644aa94187..900d034c18 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -2,7 +2,7 @@ title: 4739(S) Domain Policy was changed. (Windows 10) description: Describes security event 4739(S) Domain Policy was changed. This event is generated when certain changes are made to the local computer security policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4739(S): Domain Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 68838caedf..db7139e935 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -2,7 +2,7 @@ title: 4740(S) A user account was locked out. (Windows 10) description: Describes security event 4740(S) A user account was locked out. This event is generated every time a user account is locked out. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4740(S): A user account was locked out. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 22809b4f8f..466e46e06b 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -2,7 +2,7 @@ title: 4741(S) A computer account was created. (Windows 10) description: Describes security event 4741(S) A computer account was created. This event is generated every time a computer object is created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4741(S): A computer account was created. diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 0d9f50526b..c692aef6e1 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -2,7 +2,7 @@ title: 4742(S) A computer account was changed. (Windows 10) description: Describes security event 4742(S) A computer account was changed. This event is generated every time a computer object is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4742(S): A computer account was changed. diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index 3cc90698fb..3402a5e1d7 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -2,7 +2,7 @@ title: 4743(S) A computer account was deleted. (Windows 10) description: Describes security event 4743(S) A computer account was deleted. This event is generated every time a computer object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4743(S): A computer account was deleted. diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index cb2cbe96a6..478ae9e021 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -2,7 +2,7 @@ title: 4749(S) A security-disabled global group was created. (Windows 10) description: Describes security event 4749(S) A security-disabled global group was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4749(S): A security-disabled global group was created. diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index 7d5ba9d12e..4bdfe79f69 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -2,7 +2,7 @@ title: 4750(S) A security-disabled global group was changed. (Windows 10) description: Describes security event 4750(S) A security-disabled global group was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4750(S): A security-disabled global group was changed. diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index e72bc3b3a0..c86b86e123 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -2,7 +2,7 @@ title: 4751(S) A member was added to a security-disabled global group. (Windows 10) description: Describes security event 4751(S) A member was added to a security-disabled global group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4751(S): A member was added to a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index b1fc1df98f..791b2886aa 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -2,7 +2,7 @@ title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) description: Describes security event 4752(S) A member was removed from a security-disabled global group. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4752(S): A member was removed from a security-disabled global group. diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index 0eef2ab038..501018ce26 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -2,7 +2,7 @@ title: 4753(S) A security-disabled global group was deleted. (Windows 10) description: Describes security event 4753(S) A security-disabled global group was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4753(S): A security-disabled global group was deleted. diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 86df9d9645..1697b853f9 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -1,8 +1,8 @@ --- title: 4764(S) A group's type was changed. (Windows 10) -description: "Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed." +description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4764(S): A group’s type was changed. diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index 3ea2c4e756..3a23558650 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -2,7 +2,7 @@ title: 4765(S) SID History was added to an account. (Windows 10) description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4765(S): SID History was added to an account. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index d8dab9d004..afac5f0fe1 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -2,7 +2,7 @@ title: 4766(F) An attempt to add SID History to an account failed. (Windows 10) description: Describes security event 4766(F) An attempt to add SID History to an account failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4766(F): An attempt to add SID History to an account failed. diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index 87baefbc54..cf7b13e4f0 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -2,7 +2,7 @@ title: 4767(S) A user account was unlocked. (Windows 10) description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4767(S): A user account was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 1da086eb93..22df11d465 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -2,7 +2,7 @@ title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10) description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4768(S, F): A Kerberos authentication ticket (TGT) was requested. diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index 64f7bf4503..522068cbbb 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -2,7 +2,7 @@ title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) description: Describes security event 4769(S, F) A Kerberos service ticket was requested. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4769(S, F): A Kerberos service ticket was requested. diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index 0085dcf3ff..8ec543b090 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -2,7 +2,7 @@ title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) description: Describes security event 4770(S) A Kerberos service ticket was renewed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4770(S): A Kerberos service ticket was renewed. diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 9c6cb7f55a..840d05eefb 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -2,7 +2,7 @@ title: 4771(F) Kerberos pre-authentication failed. (Windows 10) description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 07/23/2020 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4771(F): Kerberos pre-authentication failed. diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 1119135008..2124b16bb1 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -2,7 +2,7 @@ title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) description: Describes security event 4772(F) A Kerberos authentication ticket request failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4772(F): A Kerberos authentication ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index 7a307bbea1..ba672478d8 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -2,7 +2,7 @@ title: 4773(F) A Kerberos service ticket request failed. (Windows 10) description: Describes security event 4773(F) A Kerberos service ticket request failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4773(F): A Kerberos service ticket request failed. diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 21a33e20a2..08eb0fe72f 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -2,7 +2,7 @@ title: 4774(S, F) An account was mapped for logon. (Windows 10) description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4774(S, F): An account was mapped for logon. diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index e444e1c1bd..cf27ccdf2a 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -2,7 +2,7 @@ title: 4775(F) An account could not be mapped for logon. (Windows 10) description: Describes security event 4775(F) An account could not be mapped for logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4775(F): An account could not be mapped for logon. diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index 2e759dcb4e..18bd592d00 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -2,7 +2,7 @@ title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4776(S, F): The computer attempted to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index 4cdf40b163..28a4b42d08 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -2,7 +2,7 @@ title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4777(F): The domain controller failed to validate the credentials for an account. diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index 265b39dbcf..53c1eac2d8 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -2,7 +2,7 @@ title: 4778(S) A session was reconnected to a Window Station. (Windows 10) description: Describes security event 4778(S) A session was reconnected to a Window Station. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4778(S): A session was reconnected to a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index bd733289bb..76337cfdf8 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -2,7 +2,7 @@ title: 4779(S) A session was disconnected from a Window Station. (Windows 10) description: Describes security event 4779(S) A session was disconnected from a Window Station. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4779(S): A session was disconnected from a Window Station. diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 4a521896e8..dafa5d3ff1 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -2,7 +2,7 @@ title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4780(S): The ACL was set on accounts which are members of administrators groups. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index a48651e686..2adb3bcac5 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -2,7 +2,7 @@ title: 4781(S) The name of an account was changed. (Windows 10) description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4781(S): The name of an account was changed. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 571fdf3a93..a7907aed15 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -2,7 +2,7 @@ title: 4782(S) The password hash of an account was accessed. (Windows 10) description: Describes security event 4782(S) The password hash of an account was accessed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4782(S): The password hash of an account was accessed. diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index f2bdc2b09f..d6fecbdbdf 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -2,7 +2,7 @@ title: 4793(S) The Password Policy Checking API was called. (Windows 10) description: Describes security event 4793(S) The Password Policy Checking API was called. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4793(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index 9ecf3cfcb7..6e585048c1 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -2,7 +2,7 @@ title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10) description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index 76e806ffcf..3fddfd9b65 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -2,7 +2,7 @@ title: 4798(S) A user's local group membership was enumerated. (Windows 10) description: Describes security event 4798(S) A user's local group membership was enumerated. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4798(S): A user's local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index c9963afbb0..18b337fcdc 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -2,7 +2,7 @@ title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10) description: Describes security event 4799(S) A security-enabled local group membership was enumerated. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4799(S): A security-enabled local group membership was enumerated. diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index b0be9a0f3a..92c543f8b0 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -2,7 +2,7 @@ title: 4800(S) The workstation was locked. (Windows 10) description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4800(S): The workstation was locked. diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index 61e2682379..ed7c8ec85c 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -2,7 +2,7 @@ title: 4801(S) The workstation was unlocked. (Windows 10) description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4801(S): The workstation was unlocked. diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index a00ead7497..9f5fa2b8e3 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -2,7 +2,7 @@ title: 4802(S) The screen saver was invoked. (Windows 10) description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4802(S): The screen saver was invoked. diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index 0354849e13..20304e4527 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -2,7 +2,7 @@ title: 4803(S) The screen saver was dismissed. (Windows 10) description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4803(S): The screen saver was dismissed. diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 1efa9756ec..9e36c52bb1 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -2,7 +2,7 @@ title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10) description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4816(S): RPC detected an integrity violation while decrypting an incoming message. diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index efdf01da8a..48757706f8 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -2,7 +2,7 @@ title: 4817(S) Auditing settings on object were changed. (Windows 10) description: Describes security event 4817(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4817(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 1134b02c0b..7da8723ef4 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -2,7 +2,7 @@ title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10) description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index c2de9d1e36..58fa2fcf24 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -2,7 +2,7 @@ title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) description: Describes security event 4819(S) Central Access Policies on the machine have been changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4819(S): Central Access Policies on the machine have been changed. diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index 3729924d93..29f4675931 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -2,7 +2,7 @@ title: 4826(S) Boot Configuration Data loaded. (Windows 10) description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4826(S): Boot Configuration Data loaded. diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index 5556b207b5..ca1995291e 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -2,7 +2,7 @@ title: 4864(S) A namespace collision was detected. (Windows 10) description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4864(S): A namespace collision was detected. diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 15e738f7be..e1ff8e242a 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -2,7 +2,7 @@ title: 4865(S) A trusted forest information entry was added. (Windows 10) description: Describes security event 4865(S) A trusted forest information entry was added. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4865(S): A trusted forest information entry was added. diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index e0f05fbf3e..f189e60e01 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -2,7 +2,7 @@ title: 4866(S) A trusted forest information entry was removed. (Windows 10) description: Describes security event 4866(S) A trusted forest information entry was removed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4866(S): A trusted forest information entry was removed. diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index ae2bf03bb6..9635b1cd74 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -2,7 +2,7 @@ title: 4867(S) A trusted forest information entry was modified. (Windows 10) description: Describes security event 4867(S) A trusted forest information entry was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4867(S): A trusted forest information entry was modified. diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index c8b89b375c..d5a7640b84 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -2,7 +2,7 @@ title: 4902(S) The Per-user audit policy table was created. (Windows 10) description: Describes security event 4902(S) The Per-user audit policy table was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4902(S): The Per-user audit policy table was created. diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index cfd3f1c0fe..d22ff00643 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -2,7 +2,7 @@ title: 4904(S) An attempt was made to register a security event source. (Windows 10) description: Describes security event 4904(S) An attempt was made to register a security event source. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4904(S): An attempt was made to register a security event source. diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index bfc9d5bbb9..aa98ea5517 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -2,7 +2,7 @@ title: 4905(S) An attempt was made to unregister a security event source. (Windows 10) description: Describes security event 4905(S) An attempt was made to unregister a security event source. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4905(S): An attempt was made to unregister a security event source. diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 7782a6571d..617b7a2597 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -2,7 +2,7 @@ title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10) description: Describes security event 4906(S) The CrashOnAuditFail value has changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4906(S): The CrashOnAuditFail value has changed. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index 6610d670eb..74edaaa9a3 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -2,7 +2,7 @@ title: 4907(S) Auditing settings on object were changed. (Windows 10) description: Describes security event 4907(S) Auditing settings on object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4907(S): Auditing settings on object were changed. diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 7573adb5f7..3a12a949e0 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -2,7 +2,7 @@ title: 4908(S) Special Groups Logon table modified. (Windows 10) description: Describes security event 4908(S) Special Groups Logon table modified. This event is generated when the Special Groups Logon table is modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4908(S): Special Groups Logon table modified. diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 2acda55983..9c3b067418 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -2,7 +2,7 @@ title: 4909(-) The local policy settings for the TBS were changed. (Windows 10) description: Describes security event 4909(-) The local policy settings for the TBS were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4909(-): The local policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index 8b90247c65..948c3a6dab 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -2,7 +2,7 @@ title: 4910(-) The group policy settings for the TBS were changed. (Windows 10) description: Describes security event 4910(-) The group policy settings for the TBS were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4910(-): The group policy settings for the TBS were changed. diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index bbd17b1660..cf47c889e0 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -2,7 +2,7 @@ title: 4911(S) Resource attributes of the object were changed. (Windows 10) description: Describes security event 4911(S) Resource attributes of the object were changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4911(S): Resource attributes of the object were changed. diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index cf141b9a2d..e4bc6d9d43 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -2,7 +2,7 @@ title: 4912(S) Per User Audit Policy was changed. (Windows 10) description: Describes security event 4912(S) Per User Audit Policy was changed. This event is generated every time Per User Audit Policy is changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4912(S): Per User Audit Policy was changed. diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 3be7e9bec3..95f0aa8b70 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -2,7 +2,7 @@ title: 4913(S) Central Access Policy on the object was changed. (Windows 10) description: Describes security event 4913(S) Central Access Policy on the object was changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4913(S): Central Access Policy on the object was changed. diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 664b36c1ca..45fa768785 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -2,7 +2,7 @@ title: 4928(S, F) An Active Directory replica source naming context was established. (Windows 10) description: Describes security event 4928(S, F) An Active Directory replica source naming context was established. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4928(S, F): An Active Directory replica source naming context was established. diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index b5a1ba430e..9e126439a2 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -2,7 +2,7 @@ title: 4929(S, F) An Active Directory replica source naming context was removed. (Windows 10) description: Describes security event 4929(S, F) An Active Directory replica source naming context was removed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4929(S, F): An Active Directory replica source naming context was removed. diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index f7b993d3a9..42d488915d 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -2,7 +2,7 @@ title: 4930(S, F) An Active Directory replica source naming context was modified. (Windows 10) description: Describes security event 4930(S, F) An Active Directory replica source naming context was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4930(S, F): An Active Directory replica source naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 3f02d54421..fc3a7fc61f 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -2,7 +2,7 @@ title: 4931(S, F) An Active Directory replica destination naming context was modified. (Windows 10) description: Describes security event 4931(S, F) An Active Directory replica destination naming context was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4931(S, F): An Active Directory replica destination naming context was modified. diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 615a83328d..4450fb0acc 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -2,7 +2,7 @@ title: 4932(S) Synchronization of a replica of an Active Directory naming context has begun. (Windows 10) description: Describes security event 4932(S) Synchronization of a replica of an Active Directory naming context has begun. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4932(S): Synchronization of a replica of an Active Directory naming context has begun. diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index b5fbe33942..1143269597 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -2,7 +2,7 @@ title: 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. (Windows 10) description: Describes security event 4933(S, F) Synchronization of a replica of an Active Directory naming context has ended. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended. diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index 4a5890af24..ffc4b9b4a3 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -2,7 +2,7 @@ title: 4934(S) Attributes of an Active Directory object were replicated. (Windows 10) description: Describes security event 4934(S) Attributes of an Active Directory object were replicated. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4934(S): Attributes of an Active Directory object were replicated. diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index c9e2159bc0..f2910784e6 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -2,7 +2,7 @@ title: 4935(F) Replication failure begins. (Windows 10) description: Describes security event 4935(F) Replication failure begins. This event is generated when Active Directory replication failure begins. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4935(F): Replication failure begins. diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index d9d60e43be..3f808bf11d 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -2,7 +2,7 @@ title: 4936(S) Replication failure ends. (Windows 10) description: Describes security event 4936(S) Replication failure ends. This event is generated when Active Directory replication failure ends. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4936(S): Replication failure ends. diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 8fb915289b..2775be1c5d 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -2,7 +2,7 @@ title: 4937(S) A lingering object was removed from a replica. (Windows 10) description: Describes security event 4937(S) A lingering object was removed from a replica. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4937(S): A lingering object was removed from a replica. diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index ca2c97045e..1b6522a256 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -2,7 +2,7 @@ title: 4944(S) The following policy was active when the Windows Firewall started. (Windows 10) description: Describes security event 4944(S) The following policy was active when the Windows Firewall started. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4944(S): The following policy was active when the Windows Firewall started. diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index 74d3f7c688..da8105bffc 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -2,7 +2,7 @@ title: 4945(S) A rule was listed when the Windows Firewall started. (Windows 10) description: Describes security event 4945(S) A rule was listed when the Windows Firewall started. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4945(S): A rule was listed when the Windows Firewall started. diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 4ff3dd9f1d..30ae25fd28 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -2,7 +2,7 @@ title: 4946(S) A change has been made to Windows Firewall exception list. A rule was added. (Windows 10) description: Describes security event 4946(S) A change has been made to Windows Firewall exception list. A rule was added. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4946(S): A change has been made to Windows Firewall exception list. A rule was added. diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index a4906d1dbc..b38eef6371 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -2,7 +2,7 @@ title: 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. (Windows 10) description: Describes security event 4947(S) A change has been made to Windows Firewall exception list. A rule was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4947(S): A change has been made to Windows Firewall exception list. A rule was modified. diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 5c86cb55c9..5f92a37c6a 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -2,7 +2,7 @@ title: 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. (Windows 10) description: Describes security event 4948(S) A change has been made to Windows Firewall exception list. A rule was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index 983159d9e8..e304844bc8 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -2,7 +2,7 @@ title: 4949(S) Windows Firewall settings were restored to the default values. (Windows 10) description: Describes security event 4949(S) Windows Firewall settings were restored to the default values. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4949(S): Windows Firewall settings were restored to the default values. diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index eb6c3770c9..54ead99c65 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -2,7 +2,7 @@ title: 4950(S) A Windows Firewall setting has changed. (Windows 10) description: Describes security event 4950(S) A Windows Firewall setting has changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4950(S): A Windows Firewall setting has changed. diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index ff8ed88bdb..4a2c32b9e2 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -2,7 +2,7 @@ title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index 0bd8a3b9b6..150a0ac97d 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -2,7 +2,7 @@ title: 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. (Windows 10) description: Security event 4952(F) Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 1e9dcd7898..38d9aa6a3d 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -2,7 +2,7 @@ title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4953(F): Windows Firewall ignored a rule because it could not be parsed. diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index b58926388b..99bb6457e2 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -2,7 +2,7 @@ title: 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. (Windows 10) description: Describes security event 4954(S) Windows Firewall Group Policy settings have changed. The new settings have been applied. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied. diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index 6af6a50864..34d36fa5d0 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -2,7 +2,7 @@ title: 4956(S) Windows Firewall has changed the active profile. (Windows 10) description: Describes security event 4956(S) Windows Firewall has changed the active profile. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4956(S): Windows Firewall has changed the active profile. diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 396a5b587d..8b822ee84c 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -2,7 +2,7 @@ title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) description: Describes security event 4957(F) Windows Firewall did not apply the following rule. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4957(F): Windows Firewall did not apply the following rule. diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 14d3b2ad4b..05922fd7a7 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -2,7 +2,7 @@ title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 4cd9707147..0ee97ac194 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -2,7 +2,7 @@ title: 4964(S) Special groups have been assigned to a new logon. (Windows 10) description: Describes security event 4964(S) Special groups have been assigned to a new logon. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4964(S): Special groups have been assigned to a new logon. diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index 2a98d42db6..9b3680639b 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -2,7 +2,7 @@ title: 4985(S) The state of a transaction has changed. (Windows 10) description: Describes security event 4985(S) The state of a transaction has changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 4985(S): The state of a transaction has changed. diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index 9dede9c866..b24cd95e31 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -2,7 +2,7 @@ title: 5024(S) The Windows Firewall Service has started successfully. (Windows 10) description: Describes security event 5024(S) The Windows Firewall Service has started successfully. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5024(S): The Windows Firewall Service has started successfully. diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index d6a60c5da2..a9a3c5e14b 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -2,7 +2,7 @@ title: 5025(S) The Windows Firewall Service has been stopped. (Windows 10) description: Describes security event 5025(S) The Windows Firewall Service has been stopped. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5025(S): The Windows Firewall Service has been stopped. diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 23bf6e5c30..4ea2177c6b 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -1,8 +1,8 @@ --- title: 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. (Windows 10) -description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. +description: Details on security event 5027(F) The Windows Firewall Service was unable to retrieve the security policy from the local storage. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 8929b86d33..9ab51ca985 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -2,7 +2,7 @@ title: 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. (Windows 10) description: Describes security event 5028(F) The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index dcdda6a60f..46d9b7b3e7 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -2,7 +2,7 @@ title: 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. (Windows 10) description: Describes security event 5029(F) The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 37d3844e1f..de68bc30db 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -2,7 +2,7 @@ title: 5030(F) The Windows Firewall Service failed to start. (Windows 10) description: Describes security event 5030(F) The Windows Firewall Service failed to start. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5030(F): The Windows Firewall Service failed to start. diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index e6bcd4a68c..7453df6988 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -5,11 +5,12 @@ manager: dansimp ms.author: dansimp description: Describes security event 5031(F) The Windows Firewall Service blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp +ms.technology: mde --- # 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network. diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index 02b5e5768f..a356c6ba72 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -2,7 +2,7 @@ title: 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. (Windows 10) description: Describes security event 5032(F) Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index 834f4c95b8..05552da629 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -2,7 +2,7 @@ title: 5033(S) The Windows Firewall Driver has started successfully. (Windows 10) description: Describes security event 5033(S) The Windows Firewall Driver has started successfully. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5033(S): The Windows Firewall Driver has started successfully. diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index c3f04488fa..7cef4c54e0 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -2,7 +2,7 @@ title: 5034(S) The Windows Firewall Driver was stopped. (Windows 10) description: Describes security event 5034(S) The Windows Firewall Driver was stopped. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5034(S): The Windows Firewall Driver was stopped. diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 2815638be4..6b9d8a9488 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -2,7 +2,7 @@ title: 5035(F) The Windows Firewall Driver failed to start. (Windows 10) description: Describes security event 5035(F) The Windows Firewall Driver failed to start. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5035(F): The Windows Firewall Driver failed to start. diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index 026d2c2985..a189ce3f21 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -2,7 +2,7 @@ title: 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. (Windows 10) description: Describes security event 5037(F) The Windows Firewall Driver detected critical runtime error. Terminating. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 15bd4ad7e1..eac7f9eea0 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -2,7 +2,7 @@ title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 1f6c100b8d..fda19e5f16 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -2,7 +2,7 @@ title: 5039(-) A registry key was virtualized. (Windows 10) description: Describes security event 5039(-) A registry key was virtualized. This event is generated when a registry key is virtualized using LUAFV. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5039(-): A registry key was virtualized. diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 0bf8362113..3ac07671d2 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -2,7 +2,7 @@ title: 5051(-) A file was virtualized. (Windows 10) description: Describes security event 5051(-) A file was virtualized. This event is generated when a file is virtualized using LUAFV. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5051(-): A file was virtualized. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index 96e278db56..a717d05e4a 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -2,7 +2,7 @@ title: 5056(S) A cryptographic self-test was performed. (Windows 10) description: Describes security event 5056(S) A cryptographic self-test was performed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5056(S): A cryptographic self-test was performed. diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index eb3cc568ab..c83ca8bd2e 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -2,7 +2,7 @@ title: 5057(F) A cryptographic primitive operation failed. (Windows 10) description: Describes security event 5057(F) A cryptographic primitive operation failed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5057(F): A cryptographic primitive operation failed. diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index 008ecb3292..5f999b36d1 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -2,7 +2,7 @@ title: 5058(S, F) Key file operation. (Windows 10) description: Describes security event 5058(S, F) Key file operation. This event is generated when an operation is performed on a file that contains a KSP key. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5058(S, F): Key file operation. diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index 096fcfe2c9..e7c0a1264b 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -2,7 +2,7 @@ title: 5059(S, F) Key migration operation. (Windows 10) description: Describes security event 5059(S, F) Key migration operation. This event is generated when a cryptographic key is exported/imported using a Key Storage Provider. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5059(S, F): Key migration operation. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index e24e71d924..11b9903d5d 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -2,7 +2,7 @@ title: 5060(F) Verification operation failed. (Windows 10) description: Describes security event 5060(F) Verification operation failed. This event is generated when the CNG verification operation fails. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5060(F): Verification operation failed. diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index d283324906..a7f832d34b 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -2,7 +2,7 @@ title: 5061(S, F) Cryptographic operation. (Windows 10) description: Describes security event 5061(S, F) Cryptographic operation. This event is generated when a cryptographic operation is performed using a Key Storage Provider. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5061(S, F): Cryptographic operation. diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index 0d9e37b259..e397844d41 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -2,7 +2,7 @@ title: 5062(S) A kernel-mode cryptographic self-test was performed. (Windows 10) description: Describes security event 5062(S) A kernel-mode cryptographic self-test was performed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5062(S): A kernel-mode cryptographic self-test was performed. diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 159cda1e2b..e06e3118a6 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -2,7 +2,7 @@ title: 5063(S, F) A cryptographic provider operation was attempted. (Windows 10) description: Describes security event 5063(S, F) A cryptographic provider operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5063(S, F): A cryptographic provider operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index a5c3c577e0..77da8c5596 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -2,7 +2,7 @@ title: 5064(S, F) A cryptographic context operation was attempted. (Windows 10) description: Describes security event 5064(S, F) A cryptographic context operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5064(S, F): A cryptographic context operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 0f5d4dd997..7c46971bc8 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -2,7 +2,7 @@ title: 5065(S, F) A cryptographic context modification was attempted. (Windows 10) description: Describes security event 5065(S, F) A cryptographic context modification was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5065(S, F): A cryptographic context modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 9c5f389dcf..c78b0bd513 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -2,7 +2,7 @@ title: 5066(S, F) A cryptographic function operation was attempted. (Windows 10) description: Describes security event 5066(S, F) A cryptographic function operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5066(S, F): A cryptographic function operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 6ab1f5a7c1..eae3eb2038 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -2,7 +2,7 @@ title: 5067(S, F) A cryptographic function modification was attempted. (Windows 10) description: Describes security event 5067(S, F) A cryptographic function modification was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5067(S, F): A cryptographic function modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index fb084fd8dd..1cb02be991 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -2,7 +2,7 @@ title: 5068(S, F) A cryptographic function provider operation was attempted. (Windows 10) description: Describes security event 5068(S, F) A cryptographic function provider operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5068(S, F): A cryptographic function provider operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 64dbd91086..104d55f067 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -2,7 +2,7 @@ title: 5069(S, F) A cryptographic function property operation was attempted. (Windows 10) description: Describes security event 5069(S, F) A cryptographic function property operation was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5069(S, F): A cryptographic function property operation was attempted. diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index ce069a495c..0cb592e4d4 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -2,7 +2,7 @@ title: 5070(S, F) A cryptographic function property modification was attempted. (Windows 10) description: Describes security event 5070(S, F) A cryptographic function property modification was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5070(S, F): A cryptographic function property modification was attempted. diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index a5708a86f6..58301baf30 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -2,7 +2,7 @@ title: 5136(S) A directory service object was modified. (Windows 10) description: Describes security event 5136(S) A directory service object was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5136(S): A directory service object was modified. diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index 8d1d729333..959ae8dbd8 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -2,7 +2,7 @@ title: 5137(S) A directory service object was created. (Windows 10) description: Describes security event 5137(S) A directory service object was created. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5137(S): A directory service object was created. diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 75cebe45a7..54582252c1 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -2,7 +2,7 @@ title: 5138(S) A directory service object was undeleted. (Windows 10) description: Describes security event 5138(S) A directory service object was undeleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5138(S): A directory service object was undeleted. diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index fe3921db6f..2860791322 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -2,7 +2,7 @@ title: 5139(S) A directory service object was moved. (Windows 10) description: Describes security event 5139(S) A directory service object was moved. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5139(S): A directory service object was moved. diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index 3d3d5152cc..199e5a4cd7 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -2,7 +2,7 @@ title: 5140(S, F) A network share object was accessed. (Windows 10) description: Describes security event 5140(S, F) A network share object was accessed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5140(S, F): A network share object was accessed. diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index 221a5c56cf..09e46f5b1b 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -2,7 +2,7 @@ title: 5141(S) A directory service object was deleted. (Windows 10) description: Describes security event 5141(S) A directory service object was deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5141(S): A directory service object was deleted. diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index fdb2fe2741..d29c26ddc4 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -2,7 +2,7 @@ title: 5142(S) A network share object was added. (Windows 10) description: Describes security event 5142(S) A network share object was added. This event is generated when a network share object is added. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5142(S): A network share object was added. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index a62699a745..bc8f827e03 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -2,7 +2,7 @@ title: 5143(S) A network share object was modified. (Windows 10) description: Describes security event 5143(S) A network share object was modified. This event is generated when a network share object is modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5143(S): A network share object was modified. diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 581c19e3c9..886dc70759 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -2,7 +2,7 @@ title: 5144(S) A network share object was deleted. (Windows 10) description: Describes security event 5144(S) A network share object was deleted. This event is generated when a network share object is deleted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5144(S): A network share object was deleted. diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index f5ec73669e..dee8d57794 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -2,7 +2,7 @@ title: 5145(S, F) A network share object was checked to see whether client can be granted desired access. (Windows 10) description: Describes security event 5145(S, F) A network share object was checked to see whether client can be granted desired access. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5145(S, F): A network share object was checked to see whether client can be granted desired access. diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index 6787ac6329..23a31eb1a6 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -2,7 +2,7 @@ title: 5148(F) The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. (Windows 10) description: Details on Security event 5148(F), The Windows Filtering Platform has detected a DoS attack and entered a defensive mode. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 05/29/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 59386a8ef4..04f6c8747a 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -2,7 +2,7 @@ title: 5149(F) The DoS attack has subsided and normal processing is being resumed. (Windows 10) description: Describes security event 5149(F) The DoS attack has subsided and normal processing is being resumed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 05/29/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5149(F): The DoS attack has subsided and normal processing is being resumed. diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index c1f8d98680..018894b1cf 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -2,7 +2,7 @@ title: 5150(-) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5150(-) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5150(-): The Windows Filtering Platform blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 699a093def..1b55b64d41 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -2,7 +2,7 @@ title: 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5151(-) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index ece1e4566d..d89a240a64 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -2,7 +2,7 @@ title: 5152(F) The Windows Filtering Platform blocked a packet. (Windows 10) description: Describes security event 5152(F) The Windows Filtering Platform blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5152(F): The Windows Filtering Platform blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index 8751b40002..ce3f53f60d 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -2,7 +2,7 @@ title: 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. (Windows 10) description: Describes security event 5153(S) A more restrictive Windows Filtering Platform filter has blocked a packet. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet. diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index b464c877d6..5083012650 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -2,7 +2,7 @@ title: 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. (Windows 10) description: Describes security event 5154(S) The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 9964b6f390..7d6eac1919 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -2,7 +2,7 @@ title: 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. (Windows 10) description: Describes security event 5155(F) The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index d44b9a921f..8c1116cba5 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -2,7 +2,7 @@ title: 5156(S) The Windows Filtering Platform has permitted a connection. (Windows 10) description: Describes security event 5156(S) The Windows Filtering Platform has permitted a connection. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5156(S): The Windows Filtering Platform has permitted a connection. diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 88bc5b1315..2f2b2cd8fd 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -2,7 +2,7 @@ title: 5157(F) The Windows Filtering Platform has blocked a connection. (Windows 10) description: Describes security event 5157(F) The Windows Filtering Platform has blocked a connection. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5157(F): The Windows Filtering Platform has blocked a connection. diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index 76bb82efef..63753bbc2b 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -2,7 +2,7 @@ title: 5158(S) The Windows Filtering Platform has permitted a bind to a local port. (Windows 10) description: Describes security event 5158(S) The Windows Filtering Platform has permitted a bind to a local port. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5158(S): The Windows Filtering Platform has permitted a bind to a local port. diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 460e244dd8..b5b867bc47 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -2,7 +2,7 @@ title: 5159(F) The Windows Filtering Platform has blocked a bind to a local port. (Windows 10) description: Describes security event 5159(F) The Windows Filtering Platform has blocked a bind to a local port. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5159(F): The Windows Filtering Platform has blocked a bind to a local port. diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index fcc35ba385..819d9f191e 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -2,7 +2,7 @@ title: 5168(F) SPN check for SMB/SMB2 failed. (Windows 10) description: Describes security event 5168(F) SPN check for SMB/SMB2 failed. This event is generated when an SMB SPN check fails. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5168(F): SPN check for SMB/SMB2 failed. diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index f888db6fb2..3d7cc2e623 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -2,7 +2,7 @@ title: 5376(S) Credential Manager credentials were backed up. (Windows 10) description: Describes security event 5376(S) Credential Manager credentials were backed up. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5376(S): Credential Manager credentials were backed up. diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index 1ed830b074..98ccff769a 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -2,7 +2,7 @@ title: 5377(S) Credential Manager credentials were restored from a backup. (Windows 10) description: Describes security event 5377(S) Credential Manager credentials were restored from a backup. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5377(S): Credential Manager credentials were restored from a backup. diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index bb48a36562..04395a702b 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -2,7 +2,7 @@ title: 5378(F) The requested credentials delegation was disallowed by policy. (Windows 10) description: Describes security event 5378(F) The requested credentials delegation was disallowed by policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5378(F): The requested credentials delegation was disallowed by policy. diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index 89dd2b5bf0..a647b4c565 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -2,7 +2,7 @@ title: 5447(S) A Windows Filtering Platform filter has been changed. (Windows 10) description: Describes security event 5447(S) A Windows Filtering Platform filter has been changed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5447(S): A Windows Filtering Platform filter has been changed. diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index 756db4ebbf..0870e6a7fc 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -2,7 +2,7 @@ title: 5632(S, F) A request was made to authenticate to a wireless network. (Windows 10) description: Describes security event 5632(S, F) A request was made to authenticate to a wireless network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5632(S, F): A request was made to authenticate to a wireless network. diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index d85599c157..1bb8d2d300 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -2,7 +2,7 @@ title: 5633(S, F) A request was made to authenticate to a wired network. (Windows 10) description: Describes security event 5633(S, F) A request was made to authenticate to a wired network. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5633(S, F): A request was made to authenticate to a wired network. diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 2fae83e65f..5bb81e6f09 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -2,7 +2,7 @@ title: 5712(S) A Remote Procedure Call (RPC) was attempted. (Windows 10) description: Describes security event 5712(S) A Remote Procedure Call (RPC) was attempted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5712(S): A Remote Procedure Call (RPC) was attempted. diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 43f79ed55d..8531945a54 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -2,7 +2,7 @@ title: 5888(S) An object in the COM+ Catalog was modified. (Windows 10) description: Describes security event 5888(S) An object in the COM+ Catalog was modified. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5888(S): An object in the COM+ Catalog was modified. diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index 5daae37ce0..3fe376f85c 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -2,7 +2,7 @@ title: 5889(S) An object was deleted from the COM+ Catalog. (Windows 10) description: Describes security event 5889(S) An object was deleted from the COM+ Catalog. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5889(S): An object was deleted from the COM+ Catalog. diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index f5f0c81561..9a90b1a6a3 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -2,7 +2,7 @@ title: 5890(S) An object was added to the COM+ Catalog. (Windows 10) description: Describes security event 5890(S) An object was added to the COM+ Catalog. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 5890(S): An object was added to the COM+ Catalog. diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 7f0df8a521..7565e8f794 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -2,7 +2,7 @@ title: 6144(S) Security policy in the group policy objects has been applied successfully. (Windows 10) description: Describes security event 6144(S) Security policy in the group policy objects has been applied successfully. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6144(S): Security policy in the group policy objects has been applied successfully. diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index c9a27526cd..8b541749d6 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -2,7 +2,7 @@ title: 6145(F) One or more errors occurred while processing security policy in the group policy objects. (Windows 10) description: Describes security event 6145(F) One or more errors occurred while processing security policy in the group policy objects. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6145(F): One or more errors occurred while processing security policy in the group policy objects. diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index e8dfb2d7cf..b4d79cbbdb 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -2,7 +2,7 @@ title: 6281(F) Code Integrity determined that the page hashes of an image file are not valid. (Windows 10) description: Describes security event 6281(F) Code Integrity determined that the page hashes of an image file are not valid. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 7a379132bc..acefc262d9 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -2,7 +2,7 @@ title: 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. (Windows 10) description: Describes security event 6400(-) BranchCache Received an incorrectly formatted response while discovering availability of content. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 1ce4c083dd..1b442d10d9 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -2,7 +2,7 @@ title: 6401(-) BranchCache Received invalid data from a peer. Data discarded. (Windows 10) description: Describes security event 6401(-) BranchCache Received invalid data from a peer. Data discarded. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6401(-): BranchCache: Received invalid data from a peer. Data discarded. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index dde20455d3..77a10ac4dc 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -2,7 +2,7 @@ title: 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. (Windows 10) description: Describes security event 6402(-) BranchCache The message to the hosted cache offering it data is incorrectly formatted. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index e8020581ad..d730acb9d3 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -2,7 +2,7 @@ title: 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. (Windows 10) description: Describes security event 6403(-) BranchCache The hosted cache sent an incorrectly formatted response to the client. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 43228f26be..808c8e4264 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -2,7 +2,7 @@ title: 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. (Windows 10) description: Describes security event 6404(-) BranchCache Hosted cache could not be authenticated using the provisioned SSL certificate. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index ea59bc3fc7..2638753673 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -2,7 +2,7 @@ title: 6405(-) BranchCache %2 instance(s) of event id %1 occurred. (Windows 10) description: Describes security event 6405(-) BranchCache %2 instance(s) of event id %1 occurred. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6405(-): BranchCache: %2 instance(s) of event id %1 occurred. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index d70fac0adb..11cef9058e 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -2,7 +2,7 @@ title: 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. (Windows 10) description: Describes security event 6406(-) %1 registered to Windows Firewall to control filtering for the following %2. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index ca5e8e02d6..1e3d0cbd85 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -2,7 +2,7 @@ title: 6407(-) 1%. (Windows 10) description: Describes security event 6407(-) 1%. This is a BranchCache event, which is outside the scope of this document. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6407(-): 1%. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index ffb33ccdee..d3bd29901c 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -2,7 +2,7 @@ title: 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. (Windows 10) description: Describes security event 6408(-) Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index e1f76dbf69..97d212be9a 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -2,7 +2,7 @@ title: 6409(-) BranchCache A service connection point object could not be parsed. (Windows 10) description: Describes security event 6409(-) BranchCache A service connection point object could not be parsed. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6409(-): BranchCache: A service connection point object could not be parsed. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index b13bbde8fc..a8980cfb49 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -2,7 +2,7 @@ title: 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. (Windows 10) description: Describes security event 6410(F) Code integrity determined that a file does not meet the security requirements to load into a process. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 6e4c4af309..4b85673aa7 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -2,7 +2,7 @@ title: 6416(S) A new external device was recognized by the System. (Windows 10) description: Describes security event 6416(S) A new external device was recognized by the System. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6416(S): A new external device was recognized by the System. diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index e5c1d7fab1..90c145ff77 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -2,7 +2,7 @@ title: 6419(S) A request was made to disable a device. (Windows 10) description: Describes security event 6419(S) A request was made to disable a device. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6419(S): A request was made to disable a device. diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index 2ede6f7fce..51570d3ab3 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -2,7 +2,7 @@ title: 6420(S) A device was disabled. (Windows 10) description: Describes security event 6420(S) A device was disabled. This event is generated when a specific device is disabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6420(S): A device was disabled. diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index 4994eafbd7..ef4e0b856f 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -2,7 +2,7 @@ title: 6421(S) A request was made to enable a device. (Windows 10) description: Describes security event 6421(S) A request was made to enable a device. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6421(S): A request was made to enable a device. diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 606f0228a6..2b2f45d1b8 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -2,7 +2,7 @@ title: 6422(S) A device was enabled. (Windows 10) description: Describes security event 6422(S) A device was enabled. This event is generated when a specific device is enabled. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6422(S): A device was enabled. diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index 67b96baef5..3332a01011 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -2,7 +2,7 @@ title: 6423(S) The installation of this device is forbidden by system policy. (Windows 10) description: Describes security event 6423(S) The installation of this device is forbidden by system policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6423(S): The installation of this device is forbidden by system policy. diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index 4e21756137..8ca1ce36d6 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -2,7 +2,7 @@ title: 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. (Windows 10) description: Describes security event 6424(S) The installation of this device was allowed, after having previously been forbidden by policy. ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none @@ -11,6 +11,7 @@ ms.date: 04/19/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # 6424(S): The installation of this device was allowed, after having previously been forbidden by policy. diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md index c9d3a1c9ba..1093140e38 100644 --- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md @@ -4,7 +4,7 @@ description: The policy setting, File System (Global Object Access Auditing), en ms.assetid: 4f215d61-0e23-46e4-9e58-08511105d25b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # File System (Global Object Access Auditing) diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md index 58bd7574f2..1efc819647 100644 --- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -1,7 +1,7 @@ --- title: How to get a list of XML data name elements in Example: `c:\sample\sample.test` |The specified file is skipped by Microsoft Defender Antivirus. | -|**Folder** |Location Example: `c:\test\sample` |All items in the specified folder are skipped by Microsoft Defender Antivirus. | -|**File type** |File extension Example: `.test` |All files with the specified extension anywhere on your device are skipped by Microsoft Defender Antivirus. | -|**Process** |Executable file path Example: `c:\test\process.exe` |The specified process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. | - -To learn more, see: -- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus) -- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus) - -## Related articles - -[What is Microsoft Defender for Endpoint?](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) - -[Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md index 586598290d..53cc0585bb 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -3,7 +3,7 @@ title: Collect diagnostic data for Update Compliance and Windows Defender Micros description: Use a tool to collect data to troubleshoot Update Compliance issues when using the Microsoft Defender Antivirus Assessment add in keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Collect Update Compliance diagnostic data for Microsoft Defender AV Assessment diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md index b98d9268b6..db2a7a7f8e 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md @@ -3,7 +3,7 @@ title: Collect diagnostic data of Microsoft Defender Antivirus description: Use a tool to collect data to troubleshoot Microsoft Defender Antivirus keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender av, group policy object, setting, diagnostic data search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 06/29/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Collect Microsoft Defender AV diagnostic data diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index f6c285389b..04a84573cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -3,16 +3,17 @@ title: Use the command line to manage Microsoft Defender Antivirus description: Run Microsoft Defender Antivirus scans and configure next-generation protection with a dedicated command-line utility. keywords: run windows defender scan, run antivirus scan from command line, run windows defender scan from command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: ksarens +ms.reviewer: ksarens manager: dansimp ms.date: 08/17/2020 +ms.technology: mde --- # Configure and manage Microsoft Defender Antivirus with the mpcmdrun.exe command-line tool diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index 58cd36777d..3108c5ea6b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Common mistakes to avoid when defining exclusions description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Common mistakes to avoid when defining exclusions @@ -21,136 +22,38 @@ manager: dansimp You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. -This topic describes some common mistake that you should avoid when defining exclusions. +This article describes some common mistake that you should avoid when defining exclusions. Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions). ## Excluding certain trusted items -There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. -**Do not add exclusions for the following folder locations:** +Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. -- %systemdrive% -- C: -- C:\ -- C:\* -- %ProgramFiles%\Java -- C:\Program Files\Java -- %ProgramFiles%\Contoso\ -- C:\Program Files\Contoso\ -- %ProgramFiles(x86)%\Contoso\ -- C:\Program Files (x86)\Contoso\ -- C:\Temp -- C:\Temp\ -- C:\Temp\* -- C:\Users\ -- C:\Users\* -- C:\Users\ `C:` `C:\` `C:\*` `%ProgramFiles%\Java` `C:\Program Files\Java` `%ProgramFiles%\Contoso\` `C:\Program Files\Contoso\` `%ProgramFiles(x86)%\Contoso\` `C:\Program Files (x86)\Contoso\` `C:\Temp` `C:\Temp\` `C:\Temp\*` `C:\Users\` `C:\Users\*` `C:\Users\ `C:\Users\ `C:\Users\ `%Windir%\Prefetch` `C:\Windows\Prefetch` `C:\Windows\Prefetch\` `C:\Windows\Prefetch\*` `%Windir%\System32\Spool` `C:\Windows\System32\Spool` `C:\Windows\System32\CatRoot2` `%Windir%\Temp` `C:\Windows\Temp` `C:\Windows\Temp\` `C:\Windows\Temp\*` | `.7zip` `.bat` `.bin` `.cab` `.cmd` `.com` `.cpl` `.dll` `.exe` `.fla` `.gif` `.gz` `.hta` `.inf` `.java` `.jar` `.job` `.jpeg` `.jpg` `.js` `.ko` `.ko.gz` `.msi` `.ocx` `.png` `.ps1` `.py` `.rar` `.reg` `.scr` `.sys` `.tar` `.tmp` `.url` `.vbe` `.vbs` `.wsf` `.zip` | `AcroRd32.exe` `bitsadmin.exe` `excel.exe` `iexplore.exe` `java.exe` `outlook.exe` `psexec.exe` `powerpnt.exe` `powershell.exe` `schtasks.exe` `svchost.exe` `wmic.exe` `winword.exe` `wuauclt.exe` `addinprocess.exe` `addinprocess32.exe` `addinutil.exe` `bash.exe` `bginfo.exe`[1] `cdb.exe` `csi.exe` `dbghost.exe` `dbgsvc.exe` `dnx.exe` `fsi.exe` `fsiAnyCpu.exe` `kd.exe` `ntkd.exe` `lxssmanager.dll` `msbuild.exe`[2] `mshta.exe` `ntsd.exe` `rcsi.exe` `system.management.automation.dll` `windbg.exe` | >[!NOTE] -> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. - -**Do not add exclusions for the following processes:** -- AcroRd32.exe -- bitsadmin.exe -- excel.exe -- iexplore.exe -- java.exe -- outlook.exe -- psexec.exe -- powerpnt.exe -- powershell.exe -- schtasks.exe -- svchost.exe -- wmic.exe -- winword.exe -- wuauclt.exe -- addinprocess.exe -- addinprocess32.exe -- addinutil.exe -- bash.exe -- bginfo.exe[1] -- cdb.exe -- csi.exe -- dbghost.exe -- dbgsvc.exe -- dnx.exe -- fsi.exe -- fsiAnyCpu.exe -- kd.exe -- ntkd.exe -- lxssmanager.dll -- msbuild.exe[2] -- mshta.exe -- ntsd.exe -- rcsi.exe -- system.management.automation.dll -- windbg.exe +> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. ## Using just the file name in the exclusion list -A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. + +A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`. ## Using a single exclusion list for multiple server workloads + Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload. ## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists + Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. + See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists. -## Related topics +## Related articles - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md index 756111f940..060cddd476 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Manage Windows Defender in your business description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Microsoft Defender AV keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 12/16/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Microsoft Defender Antivirus in your business diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md index 5d559f0d89..7782d63b95 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md @@ -4,7 +4,7 @@ description: You can configure Microsoft Defender AV to scan email storage files keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp - +ms.technology: mde --- # Configure Microsoft Defender Antivirus scanning options @@ -29,9 +29,9 @@ manager: dansimp See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details. -## Use Microsoft Endpoint Configuration Manager to configure scanning options +## Use Microsoft Endpoint Manager to configure scanning options -See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Manager (current branch). ## Use Group Policy to configure scanning options diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 43aa53b445..801001d7ef 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable block at first sight to detect malware in seconds description: Turn on the block at first sight feature to detect and block malware within seconds. keywords: scan, BAFS, malware, first seen, first sight, cloud, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: high @@ -13,6 +13,7 @@ ms.reviewer: manager: dansimp ms.custom: nextgen ms.date: 10/22/2020 +ms.technology: mde --- # Turn on block at first sight @@ -22,7 +23,7 @@ ms.date: 10/22/2020 **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md index 4be673460a..fc9ab62d48 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure the Microsoft Defender AV cloud block timeout period description: You can configure how long Microsoft Defender Antivirus will block a file from running while waiting for a cloud determination. keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure the cloud block timeout period @@ -23,7 +24,7 @@ manager: dansimp **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md index 93e3d5c543..91d207c1bc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure how users can interact with Microsoft Defender AV description: Configure how end-users interact with Microsoft Defender AV, what notifications they see, and if they can override settings. keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure end-user interaction with Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index 4d3ba69753..beb6882a8b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md @@ -3,16 +3,16 @@ title: Set up exclusions for Microsoft Defender AV scans description: You can exclude files (including files modified by specified processes) and folders from being scanned by Microsoft Defender AV. Validate your exclusions with PowerShell. keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 03/12/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender Antivirus scans @@ -41,8 +41,11 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru The following is a list of recommendations that you should keep in mind when defining exclusions: - Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc. + - Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process. + - Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate. + - Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 88a2e71534..49091cb89b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure and validate exclusions based on extension, name, or location description: Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. keywords: exclusions, files, extension, file type, folder name, file name, scans search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,7 +12,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 10/21/2020 +ms.technology: mde --- # Configure and validate exclusions based on file extension and folder location @@ -29,40 +29,37 @@ ms.date: 10/21/2020 ## Exclusion lists -You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. +You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations. > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell. This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. -Exclusion | Examples | Exclusion list ----|---|--- -Any file with a specific extension | All files with the specified extension, anywhere on the machine. Valid syntax: `.test` and `test` | Extension exclusions -Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions -A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions -A specific process | The executable file `c:\test\process.exe` | File and folder exclusions +| Exclusion | Examples | Exclusion list | +|:---|:---|:---| +|Any file with a specific extension | All files with the specified extension, anywhere on the machine. Valid syntax: `.test` and `test` | Extension exclusions | +|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions | +| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions | +| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions | Exclusion lists have the following characteristics: - Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately. - File extensions apply to any file name with the defined extension if a path or folder is not defined. ->[!IMPORTANT] ->Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. -> ->You cannot exclude mapped network drives. You must specify the actual network path. -> ->Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. +> [!IMPORTANT] +> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work. +> - You cannot exclude mapped network drives. You must specify the actual network path. +> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target. To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md). ->[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). -> ->Changes made in the Windows Security app **will not show** in the Group Policy lists. +> [!IMPORTANT] +> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). +> Changes made in the Windows Security app **will not show** in the Group Policy lists. By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. @@ -78,39 +75,37 @@ See the following articles: ### Use Configuration Manager to configure file name, folder, or file extension exclusions -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Manager (current branch). ### Use Group Policy to configure folder or file extension exclusions >[!NOTE] >If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded. -1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. -3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**. +3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. -4. Double-click the **Path Exclusions** setting and add the exclusions. +4. Open the **Path Exclusions** setting for editing, and add your exclusions. - Set the option to **Enabled**. - Under the **Options** section, click **Show...**. - Specify each folder on its own line under the **Value name** column. - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. -5. Click **OK**. +5. Choose **OK**.  -6. Double-click the **Extension Exclusions** setting and add the exclusions. +6. Open the **Extension Exclusions** setting for editing and add your exclusions. - Set the option to **Enabled**. - - Under the **Options** section, click **Show...**. + - Under the **Options** section, select **Show...**. - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. -7. Click **OK**. - -  +7. Choose **OK**. @@ -126,21 +121,21 @@ The format for the cmdlets is as follows: The following are allowed as the ` In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt` `C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` `C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | |`?` (question mark) In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip` `C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | |Environment variables The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | ->[!IMPORTANT] ->If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. -> ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. -> ->This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. +> [!IMPORTANT] +> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. +> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. +> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. @@ -205,273 +197,68 @@ The following table describes how the wildcards can be used and provides some ex The following table lists and describes the system account environment variables. -
`*.vhdx` `*.avhd` `*.avhdx` `*.vsv` `*.iso` `*.rct` `*.vmcx` `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` `%ProgramFiles%\Hyper-V` `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` `%systemroot%\System32\Vmwp.exe` | #### SYSVOL files diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md index 0651cae7a7..10b6622a43 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 6b950c1ad9..a2a610032c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize scheduled and on-demand scans description: Customize and initiate Microsoft Defender Antivirus scans on endpoints across your network. keywords: scan, schedule, customize, exclusions, exclude files, remediation, scan results, quarantine, remove threat, quick scan, full scan, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize, initiate, and review the results of Microsoft Defender Antivirus scans & remediation diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md index d2339875a5..01a88d64d7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Deploy, manage, and report on Microsoft Defender Antivirus description: You can deploy and manage Microsoft Defender Antivirus with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell, or WMI keywords: deploy, manage, update, protection, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Deploy, manage, and report on Microsoft Defender Antivirus @@ -42,13 +43,13 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) -Microsoft Endpoint Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] +Microsoft Endpoint Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Microsoft Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Microsoft Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference] and [Update-MpSignature] cmdlets available in the Defender module.|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, Microsoft Endpoint Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Defender*](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#enable-and-configure-antimalware-using-powershell-cmdlets) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Microsoft Defender Antivirus events][] and add that tool as an app in AAD. -1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Configuration Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) +1. The availability of some functions and features, especially related to cloud-delivered protection, differ between Microsoft Endpoint Manager (Current Branch) and System Center 2012 Configuration Manager. In this library, we've focused on Windows 10, Windows Server 2016, and Microsoft Endpoint Manager (Current Branch). See [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) 2. In Windows 10, Microsoft Defender Antivirus is a component available without installation or deployment of an additional client or service. It will automatically be enabled when third-party antivirus products are either uninstalled or out of date ([except on Windows Server 2016](microsoft-defender-antivirus-on-windows-server-2016.md)). Traditional deployment therefore is not required. Deployment here refers to ensuring the Microsoft Defender Antivirus component is available and enabled on endpoints or servers. [(Return to table)](#ref2) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md index 97eeac6ba1..c27135a1f6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Deploy and enable Microsoft Defender Antivirus +title: Deploy and enable Microsoft Defender Antivirus description: Deploy Microsoft Defender Antivirus for protection of your endpoints with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or WMI. keywords: deploy, enable, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 09/03/2018 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Deploy and enable Microsoft Defender Antivirus @@ -29,11 +30,11 @@ Depending on the management tool you are using, you may need to specifically ena See the table in [Deploy, manage, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md#ref2) for instructions on how to enable protection with Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, Active Directory, Microsoft Azure, PowerShell cmdlets, and Windows Management Instruction (WMI). -Some scenarios require additional guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. +Some scenarios require more guidance on how to successfully deploy or configure Microsoft Defender Antivirus protection, such as Virtual Desktop Infrastructure (VDI) environments. -The remaining topic in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). +The remaining article in this section provides end-to-end advice and best practices for [setting up Microsoft Defender Antivirus on virtual machines (VMs) in a VDI or Remote Desktop Services (RDS) environment](deployment-vdi-microsoft-defender-antivirus.md). -## Related topics +## Related articles - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - [Deploy, manage updates, and report on Microsoft Defender Antivirus](deploy-manage-report-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md index 172fb7952f..3849774f8b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus Virtual Desktop Infrastructure deployment gu description: Learn how to deploy Microsoft Defender Antivirus in a virtual desktop environment for the best balance between protection and performance. keywords: vdi, hyper-v, vm, virtual machine, windows defender, antivirus, av, virtual desktop, rds, remote desktop search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 12/28/2020 ms.reviewer: jesquive manager: dansimp +ms.technology: mde --- # Deployment guide for Microsoft Defender Antivirus in a virtual desktop infrastructure (VDI) environment diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md index cb05c08abe..f56820cf7f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Block potentially unwanted applications with Microsoft Defender Antivirus description: Enable the potentially unwanted application (PUA) antivirus feature to block unwanted software such as adware. keywords: pua, enable, unwanted software, unwanted apps, adware, browser toolbar, detect, block, Microsoft Defender Antivirus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: detect ms.sitesec: library ms.localizationpriority: medium @@ -11,9 +11,10 @@ author: denisebmsft ms.author: deniseb ms.custom: nextgen audience: ITPro -ms.date: 11/30/2020 +ms.date: 02/03/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Detect and block potentially unwanted applications @@ -61,13 +62,13 @@ Although potentially unwanted application protection in Microsoft Edge (Chromium ### Blocking URLs with Microsoft Defender SmartScreen -In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen will protect you from PUA-associated URLs. +In Chromium-based Edge with PUA protection turned on, Microsoft Defender SmartScreen protects you from PUA-associated URLs. Admins can [configure](https://docs.microsoft.com/DeployEdge/configure-microsoft-edge) how Microsoft Edge and Microsoft Defender SmartScreen work together to protect groups of users from PUA-associated URLs. There are several [group policy settings](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreen-settings) explicitly for Microsoft Defender SmartScreen available, including [one for blocking PUA](https://docs.microsoft.com/DeployEdge/microsoft-edge-policies#smartscreenpuaenabled). In addition, admins can [configure Microsoft Defender SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/available-policies?source=docs#configure-windows-defender-smartscreen) as a whole, using group policy settings to turn Microsoft Defender SmartScreen on or off. -Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen will respect the new settings. +Although Microsoft Defender for Endpoint has its own block list based upon a data set managed by Microsoft, you can customize this list based on your own threat intelligence. If you [create and manage indicators](../microsoft-defender-atp/manage-indicators.md) in the Microsoft Defender for Endpoint portal, Microsoft Defender SmartScreen respects the new settings. ## Microsoft Defender Antivirus @@ -86,7 +87,7 @@ The notification appears in the usual [quarantine list within the Windows Securi You can enable PUA protection with [Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/device-protect), [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection), [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy), or via [PowerShell cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve-view=true). -You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections will be captured in the Windows event log. +You can also use PUA protection in audit mode to detect potentially unwanted applications without blocking them. The detections are captured in the Windows event log. > [!TIP] > Visit the Microsoft Defender for Endpoint demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com/Page/UrlRep) to confirm that the feature is working, and see it in action. @@ -99,9 +100,9 @@ See [Configure device restriction settings in Microsoft Intune](https://docs.mic #### Use Configuration Manager to configure PUA protection -PUA protection is enabled by default in the Microsoft Endpoint Configuration Manager (Current Branch). +PUA protection is enabled by default in the Microsoft Endpoint Manager (Current Branch). -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Configuration Manager (Current Branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring Microsoft Endpoint Manager (Current Branch). For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). @@ -110,50 +111,64 @@ For System Center 2012 Configuration Manager, see [How to Deploy Potentially Unw #### Use Group Policy to configure PUA protection -1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure, and select **Edit**. - -2. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. - -3. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. - -4. Double-click **Configure detection for potentially unwanted applications**. - -5. Select **Enabled** to enable PUA protection. - -6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Select **OK**. - -7. Deploy your Group Policy object as you usually do. +1. Download and install [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) +2. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)). +3. Select the Group Policy Object you want to configure, and then choose **Edit**. +4. In the **Group Policy Management Editor**, go to **Computer configuration** and select **Administrative templates**. +5. Expand the tree to **Windows Components** > **Microsoft Defender Antivirus**. +6. Double-click **Configure detection for potentially unwanted applications**. +7. Select **Enabled** to enable PUA protection. +8. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting works in your environment. Select **OK**. +9. Deploy your Group Policy object as you usually do. #### Use PowerShell cmdlets to configure PUA protection ##### To enable PUA protection ```PowerShell -Set-MpPreference -PUAProtection enable +Set-MpPreference -PUAProtection Enabled ``` -Setting the value for this cmdlet to `Enabled` will turn the feature on if it has been disabled. + +Setting the value for this cmdlet to `Enabled` turns the feature on if it has been disabled. ##### To set PUA protection to audit mode ```PowerShell -Set-MpPreference -PUAProtection auditmode +Set-MpPreference -PUAProtection AuditMode ``` -Setting `AuditMode` will detect PUAs without blocking them. + +Setting `AuditMode` detects PUAs without blocking them. ##### To disable PUA protection We recommend keeping PUA protection turned on. However, you can turn it off by using the following cmdlet: ```PowerShell -Set-MpPreference -PUAProtection disable +Set-MpPreference -PUAProtection Disabled ``` -Setting the value for this cmdlet to `Disabled` will turn the feature off if it has been enabled. + +Setting the value for this cmdlet to `Disabled` turns the feature off if it has been enabled. See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus. ### View PUA events -PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Configuration Manager or in Intune. +PUA events are reported in the Windows Event Viewer, but not in Microsoft Endpoint Manager or in Intune. You can also use the `Get-MpThreat` cmdlet to view threats that Microsoft Defender Antivirus handled. Here's an example: + +```console +CategoryID : 27 +DidThreatExecute : False +IsActive : False +Resources : {webfile:_q:\Builds\Dalton_Download_Manager_3223905758.exe|http://d18yzm5yb8map8.cloudfront.net/ + fo4yue@kxqdw/Dalton_Download_Manager.exe|pid:14196,ProcessStart:132378130057195714} +RollupStatus : 33 +SchemaVersion : 1.0.0.0 +SeverityID : 1 +ThreatID : 213927 +ThreatName : PUA:Win32/InstallCore +TypeID : 0 +PSComputerName : +``` You can turn on email notifications to receive mail about PUA detections. @@ -161,11 +176,11 @@ See [Troubleshoot event IDs](troubleshoot-microsoft-defender-antivirus.md) for d ### Allow-listing apps -Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. +Sometimes a file is erroneously blocked by PUA protection, or a feature of a PUA is required to complete a task. In these cases, a file can be allow-listed. For more information, see [Recommended antivirus exclusions for Configuration Manager site servers, site systems, and clients](https://docs.microsoft.com/troubleshoot/mem/configmgr/recommended-antivirus-exclusions#exclusions). -## Related articles +## See also - [Next-generation protection](microsoft-defender-antivirus-in-windows-10.md) - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md index 2dfddb6de2..483ca94393 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Turn on cloud-delivered protection in Microsoft Defender Antivirus description: Turn on cloud-delivered protection to benefit from fast and advanced protection features. keywords: Microsoft Defender Antivirus, antimalware, security, cloud, block at first sight search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.date: 11/13/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Turn on cloud-delivered protection @@ -21,7 +22,7 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) > [!NOTE] > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md index 0cba7e0b50..e56c78b8f3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Evaluate Microsoft Defender Antivirus description: Businesses of all sizes can use this guide to evaluate and test the protection offered by Microsoft Defender Antivirus in Windows 10. keywords: Microsoft Defender Antivirus, cloud protection, cloud, antimalware, security, defender, evaluate, test, protection, compare, real-time protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md index 1edd31f232..0e6a552e4c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Enable the limited periodic Microsoft Defender Antivirus scanning feature description: Limited periodic scanning lets you use Microsoft Defender Antivirus in addition to your other installed AV providers keywords: lps, limited, periodic, scan, scanning, compatibility, 3rd party, other av, disable search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md index efb0cb995d..8dc17adfac 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Apply Microsoft Defender Antivirus updates after certain events description: Manage how Microsoft Defender Antivirus applies security intelligence updates after startup or receiving cloud-delivered detection reports. keywords: updates, protection, force updates, events, startup, check for latest, notifications search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/17/2018 ms.reviewer: pahuijbr manager: dansimp +ms.technology: mde --- # Manage event-based forced updates @@ -33,7 +34,7 @@ You can use Microsoft Endpoint Configuration Manager, Group Policy, PowerShell c ### Use Configuration Manager to check for protection updates before running a scan -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and set **Check for the latest security intelligence updates before running a scan** to **Yes**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md index b6b1f9f8bb..668830b824 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Apply Microsoft Defender AV protection updates to out of date endpoints description: Define when and how updates should be applied for endpoints that have not updated in a while. keywords: updates, protection, out-of-date, outdated, old, catch-up search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Manage Microsoft Defender Antivirus updates and scans for endpoints that are out of date @@ -37,7 +38,7 @@ If Microsoft Defender Antivirus did not download protection updates for a specif ### Use Configuration Manager to configure catch-up protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section and configure the following settings: @@ -166,7 +167,7 @@ See the following for more information and allowed parameters: ### Use Configuration Manager to configure catch-up scans -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Scheduled scans** section and **Force a scan of the selected scan type if client computer is offline...** to **Yes**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md index add2af0433..494811e6e8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Schedule Microsoft Defender Antivirus protection updates -description: Schedule the day, time, and interval for when protection updates should be downloaded +description: Schedule the day, time, and interval for when protection updates should be downloaded keywords: updates, security baselines, schedule updates search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security search.appverid: met150 ms.mktglfcycl: manage ms.sitesec: library @@ -12,8 +12,9 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp +ms.technology: mde --- # Manage the schedule for when protection updates should be downloaded and applied @@ -37,7 +38,7 @@ You can also randomize the times when each endpoint checks and downloads protect ## Use Configuration Manager to schedule protection updates -1. On your Microsoft Endpoint Configuration Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) +1. On your Microsoft Endpoint Manager console, open the antimalware policy you want to change (click **Assets and Compliance** in the navigation pane on the left, then expand the tree to **Overview** > **Endpoint Protection** > **Antimalware Policies**) 2. Go to the **Security intelligence updates** section. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md index 613d0bb3b1..acd96cc68b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md @@ -1,18 +1,19 @@ --- -title: Manage how and where Microsoft Defender AV receives updates +title: Manage how and where Microsoft Defender Antivirus receives updates description: Manage the fallback order for how Microsoft Defender Antivirus receives protection updates. keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Manage the sources for Microsoft Defender Antivirus protection updates @@ -71,7 +72,7 @@ Each source has typical scenarios that depend on how your network is configured, |Windows Server Update Service | You are using Windows Server Update Service to manage updates for your network.| |Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use Windows Server Update Service to manage your updates.| |File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-microsoft-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments.| -|Microsoft Endpoint Configuration Manager | You are using Microsoft Endpoint Configuration Manager to update your endpoints.| +|Microsoft Endpoint Manager | You are using Microsoft Endpoint Manager to update your endpoints.| |Security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware (formerly referred to as MMPC) |[Make sure your devices are updated to support SHA-2](https://support.microsoft.com/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus). Microsoft Defender Antivirus Security intelligence updates are delivered through Windows Update, and starting Monday October 21, 2019 security intelligence updates will be SHA-2 signed exclusively. Download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-microsoft-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from Windows Server Update Service or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date).| You can manage the order in which update sources are used with Group Policy, Microsoft Endpoint Configuration Manager, PowerShell cmdlets, and WMI. @@ -111,7 +112,7 @@ The procedures in this article first describe how to set the order, and then how ## Use Configuration Manager to manage the update location -See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Configuration Manager (current branch). +See [Configure Security intelligence Updates for Endpoint Protection](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-definition-updates) for details on configuring Microsoft Endpoint Manager (current branch). ## Use PowerShell cmdlets to manage the update location @@ -170,7 +171,7 @@ Set up a network file share (UNC/mapped drive) to download security intelligence MD C:\Temp\TempSigs\x86 ``` -3. Download the Powershell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). +3. Download the PowerShell script from [www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4). 4. Click **Manual Download**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index 9700678379..a93bfb03a8 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Manage Microsoft Defender Antivirus updates and apply baselines description: Manage how Microsoft Defender Antivirus receives protection and product updates. keywords: updates, security baselines, protection, schedule updates, force updates, mobile updates, wsus search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.reviewer: +ms.reviewer: pahuijbr manager: dansimp -ms.date: 12/05/2020 +ms.date: 01/07/2021 +ms.technology: mde --- # Manage Microsoft Defender Antivirus updates and apply baselines @@ -47,7 +48,7 @@ Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft Cloud-delivered protection is always on and requires an active connection to the Internet to function. Security intelligence updates occur on a scheduled cadence (configurable via policy). For more information, see [Use Microsoft cloud-provided protection in Microsoft Defender Antivirus](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md). -For a list of recent security intelligence updates, please visit: [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes). +For a list of recent security intelligence updates, see [Antimalware updates change log - Microsoft Security Intelligence](https://www.microsoft.com/wdsi/definitions/antimalware-definition-release-notes). Engine updates are included with security intelligence updates and are released on a monthly cadence. @@ -64,17 +65,17 @@ You can manage the distribution of updates through one of the following methods: For more information, see [Manage the sources for Microsoft Defender Antivirus protection updates](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus). > [!NOTE] -> We release these monthly updates in phases. This results in multiple packages visible in your WSUS server. +> Monthly updates are released in phases, resulting in multiple packages visible in your [Window Server Update Services](https://docs.microsoft.com/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). ## Monthly platform and engine versions -For information how to update or how to install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). +For information how to update or install the platform update, see [Update for Windows Defender antimalware platform](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform). All our updates contain - performance improvements; - serviceability improvements; and - integration improvements (Cloud, Microsoft 365 Defender). - +
@@ -87,6 +88,7 @@ All our updates contain
Support phase: **Security and Critical Updates**
### What's new
+
- Improved SmartScreen status support logging
- Apply CPU throttling policy to manually initiated scans
@@ -103,12 +105,14 @@ No known issues
Support phase: **Security and Critical Updates**
### What's new
+
- New descriptions for special threat categories
- Improved emulation capabilities
- Improved host address allow/block capabilities
- New option in Defender CSP to Ignore merging of local user exclusions
### Known Issues
+
No known issues
@@ -121,6 +125,7 @@ No known issues
Support phase: **Security and Critical Updates**
### What's new
+
- Admin permissions are required to restore files in quarantine
- XML formatted events are now supported
- CSP support for ignoring exclusion merges
@@ -132,9 +137,16 @@ No known issues
- Improved Office VBA module scanning
### Known Issues
+
No known issues
+
+### Previous version updates: Technical upgrade support only
+
+After a new package version is released, support for the previous two versions is reduced to technical support only. Versions older than that are listed in this section, and are provided for technical upgrade support only.
++ August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)@@ -142,7 +154,6 @@ No known issues Released: **August 27, 2020** Platform: **4.18.2008.9** Engine: **1.1.17400.5** - Support phase: **Security and Critical Updates** ### What's new @@ -166,11 +177,12 @@ No known issues Released: **July 28, 2020** Platform: **4.18.2007.8** Engine: **1.1.17300.4** - Support phase: **Security and Critical Updates** + Support phase: **Technical upgrade support (only)** ### What's new -* Improved telemetry for BITS -* Improved Authenticode code signing certificate validation + +- Improved telemetry for BITS +- Improved Authenticode code signing certificate validation ### Known Issues No known issues @@ -184,15 +196,16 @@ No known issues Released: **June 22, 2020** Platform: **4.18.2006.10** Engine: **1.1.17200.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) -* Skipping aggressive catchup scan in Passive mode. -* Allow Defender to update on metered connections -* Fixed performance tuning when caching is disabled -* Fixed registry query -* Fixed scantime randomization in ADMX + +- Possibility to specify the [location of the support logs](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data) +- Skipping aggressive catchup scan in Passive mode. +- Allow Defender to update on metered connections +- Fixed performance tuning when caching is disabled +- Fixed registry query +- Fixed scantime randomization in ADMX ### Known Issues No known issues @@ -206,15 +219,16 @@ No known issues Released: **May 26, 2020** Platform: **4.18.2005.4** Engine: **1.1.17100.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Improved logging for scan events -* Improved user mode crash handling. -* Added event tracing for Tamper protection -* Fixed AMSI Sample submission -* Fixed AMSI Cloud blocking -* Fixed Security update install log + +- Improved logging for scan events +- Improved user mode crash handling. +- Added event tracing for Tamper protection +- Fixed AMSI Sample submission +- Fixed AMSI Cloud blocking +- Fixed Security update install log ### Known Issues No known issues @@ -228,16 +242,16 @@ No known issues Released: **April 30, 2020** Platform: **4.18.2004.6** Engine: **1.1.17000.2** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* WDfilter improvements -* Add more actionable event data to attack surface reduction detection events -* Fixed version information in diagnostic data and WMI -* Fixed incorrect platform version in UI after platform update -* Dynamic URL intel for Fileless threat protection -* UEFI scan capability -* Extend logging for updates +- WDfilter improvements +- Add more actionable event data to attack surface reduction detection events +- Fixed version information in diagnostic data and WMI +- Fixed incorrect platform version in UI after platform update +- Dynamic URL intel for Fileless threat protection +- UEFI scan capability +- Extend logging for updates ### Known Issues No known issues @@ -251,15 +265,15 @@ No known issues Released: **March 24, 2020** Platform: **4.18.2003.8** Engine: **1.1.16900.4** - Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) -* Improve diagnostic capability -* reduce Security intelligence timeout (5 min) -* Extend AMSI engine internal log capability -* Improve notification for process blocking +- CPU Throttling option added to [MpCmdRun](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus) +- Improve diagnostic capability +- reduce Security intelligence timeout (5 min) +- Extend AMSI engine internal log capability +- Improve notification for process blocking ### Known Issues [**Fixed**] Microsoft Defender Antivirus is skipping files when running a scan. @@ -272,11 +286,11 @@ No known issuesFebruary-2020 (Platform: - | Engine: 1.1.16800.2)- Security intelligence update version: **1.311.4.0** - Released: **February 25, 2020** - Platform/Client: **-** - Engine: **1.1.16800.2** - Support phase: **N/A** + Security intelligence update version: **1.311.4.0** + Released: **February 25, 2020** + Platform/Client: **-** + Engine: **1.1.16800.2** + Support phase: **Technical upgrade support (only)** ### What's new @@ -294,24 +308,26 @@ Security intelligence update version: **1.309.32.0** Released: **January 30, 2020** Platform/Client: **4.18.2001.10** Engine: **1.1.16700.2** -Support phase: **Technical upgrade Support (Only)** + Support phase: **Technical upgrade support (only)** ### What's new -* Fixed BSOD on WS2016 with Exchange -* Support platform updates when TMP is redirected to network path -* Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) -* extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) -* Fix 4.18.1911.3 hang +- Fixed BSOD on WS2016 with Exchange +- Support platform updates when TMP is redirected to network path +- Platform and engine versions are added to [WDSI](https://www.microsoft.com/wdsi/defenderupdates) +- extend Emergency signature update to [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility) +- Fix 4.18.1911.3 hang ### Known Issues [**Fixed**] devices utilizing [modern standby mode](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby) may experience a hang with the Windows Defender filter driver that results in a gap of protection. Affected machines appear to the customer as having not updated to the latest antimalware platform.> [!IMPORTANT] -> This updates is needed by RS1 devices running lower version of the platform to support SHA2. This update has reboot flag for systems that are experiencing the hang issue. the This update is re-released in April 2020 and will not be superseded by newer updates to keep future availability. - -> [!IMPORTANT] -> This update is categorized as an "update" due to its reboot requirement and will only be offered with a [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update) +> This update is: +> - needed by RS1 devices running lower version of the platform to support SHA2; +> - has a reboot flag for systems that have hanging issues; +> - is re-released in April 2020 and will not be superseded by newer updates to keep future availability; +> - is categorized as an update due to the reboot requirement; and +> - is only be offered with [Windows Update](https://support.microsoft.com/help/4027667/windows-10-update). + ## Microsoft Defender Antivirus platform support Platform and engine updates are provided on a monthly cadence. To be fully supported, keep current with the latest platform updates. Our support structure is dynamic, evolving into two phases depending on the availability of the latest platform version: - -* **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. +- **Security and Critical Updates servicing phase** - When running the latest platform version, you will be eligible to receive both Security and Critical updates to the anti-malware platform. - -* **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* +- **Technical Support (Only) phase** - After a new platform version is released, support for older versions (N-2) will reduce to technical support only. Platform versions older than N-2 will no longer be supported.* \* Technical support will continue to be provided for upgrades from the Windows 10 release version (see [Platform version included with Windows 10 releases](#platform-version-included-with-windows-10-releases)) to the latest platform version. @@ -354,22 +369,38 @@ The below table provides the Microsoft Defender Antivirus platform and engine ve |Windows 10 release |Platform version |Engine version |Support phase | |:---|:---|:---|:---| -|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade Support (Only) | -|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade Support (Only) | -|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade Support (Only) | -|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade Support (Only) | -|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade Support (Only) | -|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade Support (Only) | -|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade Support (Only) | -|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade Support (Only) | +|2004 (20H1) |4.18.2004.6 |1.1.17000.2 | Technical upgrade support (only) | +|1909 (19H2) |4.18.1902.5 |1.1.16700.3 | Technical upgrade support (only) | +|1903 (19H1) |4.18.1902.5 |1.1.15600.4 | Technical upgrade support (only) | +|1809 (RS5) |4.18.1807.18075 |1.1.15000.2 | Technical upgrade support (only) | +|1803 (RS4) |4.13.17134.1 |1.1.14600.4 | Technical upgrade support (only) | +|1709 (RS3) |4.12.16299.15 |1.1.14104.0 | Technical upgrade support (only) | +|1703 (RS2) |4.11.15603.2 |1.1.13504.0 | Technical upgrade support (only) | +|1607 (RS1) |4.10.14393.3683 |1.1.12805.0 | Technical upgrade support (only) | -Windows 10 release info: [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). +For Windows 10 release information, see the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet). ## Updates for Deployment Image Servicing and Management (DISM) -We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images). +We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Windows Server 2019, and Windows Server 2016 OS installation images with the latest antivirus and antimalware updates. Keeping your OS installation images up to date helps avoid a gap in protection. + +For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
+ 1.1.2101.02+ + Package version: **1.1.2101.02** + Platform version: **4.18.2011.6** + Engine version: **1.17700.4** + Signature version: **1.329.1796.0** + +### Fixes +- None + +### Additional information +- None ++ 1.1.2012.01Package version: **1.1.2012.01** @@ -427,12 +458,12 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind|Yes |No |Yes |Yes |Yes | -|Passive mode |Yes |No |Yes |Only during [scheduled or on-demand scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus) |Yes | -|[EDR in block mode enabled](../microsoft-defender-atp/edr-in-block-mode.md) |No |No |Yes |Yes |Yes | -|Automatic disabled mode |No |Yes |No |No |No | +> [!IMPORTANT] +> Do not turn off capabilities, such as real-time protection, cloud-delivered protection, or limited periodic scanning, if you are using Microsoft Defender Antivirus in passive mode or you are using EDR in block mode. -- In Active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -- In Passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. -- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. +|Protection |Active mode |Passive mode |EDR in block mode |Disabled or uninstalled | +|:---|:---|:---|:---|:---| +| [Real-time protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus) and [cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus) | Yes | No [[3](#fn3)] | No | No | +| [Limited periodic scanning availability](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus) | No | No | No | Yes | +| [File scanning and detection information](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus) | Yes | Yes | Yes | No | +| [Threat remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus) | Yes | See note [[4](#fn4)] | Yes | No | +| [Security intelligence updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus) | Yes | Yes | Yes | No | + +(3) In general, when Microsoft Defender Antivirus is in passive mode, real-time protection does not provide any blocking or enforcement, even though it is enabled and in passive mode. + +(4) When Microsoft Defender Antivirus is in passive mode, threat remediation features are active only during scheduled or on-demand scans. + +> [!NOTE] +> [Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) protection continues to operate normally when Microsoft Defender Antivirus is in active or passive mode. ## Keep the following points in mind -If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. +- In active mode, Microsoft Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Microsoft Defender Antivirus app on the machine itself). -When Microsoft Defender Antivirus is automatically disabled, it can automatically re-enabled if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. +- In passive mode, Microsoft Defender Antivirus is not used as the antivirus app, and threats are not remediated by Microsoft Defender Antivirus. Files are scanned and reports are provided for threat detections that are shared with the Microsoft Defender for Endpoint service. Therefore, you might encounter alerts in the Security Center console with Microsoft Defender Antivirus as a source, even when Microsoft Defender Antivirus is in Passive mode. -In passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) is turned on and Microsoft Defender Antivirus is not the primary antivirus solution, it can still detect and remediate malicious items. -If you uninstall the other product, and choose to use Microsoft Defender Antivirus to provide protection to your endpoints, Microsoft Defender Antivirus will automatically return to its normal active mode. +- When disabled, Microsoft Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. Disabling/uninstalling Microsoft Defender Antivirus is not recommended in general; if possible, keep Microsoft Defender Antivirus in passive mode if you are using a non-Microsoft antimalware/antivirus solution. + +- If you are enrolled in Microsoft Defender for Endpoint and you are using a third-party antimalware product, then passive mode is enabled. [The service requires common information sharing from Microsoft Defender Antivirus service](../microsoft-defender-atp/defender-compatibility.md) in order to properly monitor your devices and network for intrusion attempts and attacks. + +- When Microsoft Defender Antivirus is disabled automatically, it can be re-enabled automatically if the protection offered by a non-Microsoft antivirus product expires or otherwise stops providing real-time protection from viruses, malware, or other threats. Automatic re-enabling helps to ensure that antivirus protection is maintained on your devices. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md), which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app. + +- When Microsoft Defender Antivirus is in passive mode, you can still [manage updates for Microsoft Defender Antivirus](manage-updates-baselines-microsoft-defender-antivirus.md); however, you can't move Microsoft Defender Antivirus into active mode if your devices have an up-to-date, non-Microsoft antivirus product providing real-time protection from malware. + + If you uninstall the non-Microsoft antivirus product, and use Microsoft Defender Antivirus to provide protection to your devices, Microsoft Defender Antivirus will return to its normal active mode automatically. > [!WARNING] -> You should not attempt to disable, stop, or modify any of the associated services used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). +> Do not disable, stop, or modify any of the associated services that are used by Microsoft Defender Antivirus, Microsoft Defender for Endpoint, or the Windows Security app. This recommendation includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and processes. Manually modifying these services can cause severe instability on your devices and can make your network vulnerable. Disabling, stopping, or modifying those services can also cause problems when using non-Microsoft antivirus solutions and how their information is displayed in the [Windows Security app](microsoft-defender-security-center-antivirus.md). ## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) -- [Microsoft Defender Antivirus on Windows Server 2016 and 2019](microsoft-defender-antivirus-on-windows-server-2016.md) +- [Microsoft Defender Antivirus on Windows Server](microsoft-defender-antivirus-on-windows-server-2016.md) - [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) - [Configure Endpoint Protection](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure) -- [Configure Endpoint Protection on a standalone client](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-protection-configure-standalone-client) +- [Address false positives/negatives in Microsoft Defender for Endpoint](../microsoft-defender-atp/defender-endpoint-false-positives-negatives.md) - [Learn about Microsoft 365 Endpoint data loss prevention](https://docs.microsoft.com/microsoft-365/compliance/endpoint-dlp-learn-about) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md index fb9db59528..63a22fd4f7 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md @@ -3,7 +3,7 @@ title: Next-generation protection in Windows 10, Windows Server 2016, and Window description: Learn how to manage, configure, and use Microsoft Defender Antivirus, built-in antimalware and antivirus protection. keywords: Microsoft Defender Antivirus, windows defender, antimalware, scep, system center endpoint protection, system center configuration manager, virus, malware, threat, detection, protection, security search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.date: 12/16/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Next-generation protection in Windows diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md index 8f3a10623e..0f1c9bbc2f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md @@ -1,21 +1,22 @@ --- -title: Microsoft Defender Antivirus on Windows Server 2016 and 2019 +title: Microsoft Defender Antivirus on Windows Server description: Learn how to enable and configure Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019. keywords: windows defender, server, scep, system center endpoint protection, server 2016, current branch, server 2012 search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2020 -ms.reviewer: pahuijbr +ms.date: 01/21/2021 +ms.reviewer: pahuijbr, shwjha manager: dansimp +ms.technology: mde --- -# Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 +# Microsoft Defender Antivirus on Windows Server [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -23,9 +24,12 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Microsoft Defender Antivirus is available on Windows Server 2016 and 2019. In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. +Microsoft Defender Antivirus is available on the following editions/versions of Windows Server: +- Windows Server 2019 +- Windows Server, version 1803 or later +- Windows Server 2016. -While the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server 2016 and 2019: +In some instances, Microsoft Defender Antivirus is referred to as *Endpoint Protection*; however, the protection engine is the same. Although the functionality, configuration, and management are largely the same for [Microsoft Defender Antivirus on Windows 10](microsoft-defender-antivirus-in-windows-10.md), there are a few key differences on Windows Server: - In Windows Server, [automatic exclusions](configure-server-exclusions-microsoft-defender-antivirus.md) are applied based on your defined Server Role. - In Windows Server, Microsoft Defender Antivirus does not automatically disable itself if you are running another antivirus product. @@ -34,35 +38,29 @@ While the functionality, configuration, and management are largely the same for The process of setting up and running Microsoft Defender Antivirus on a server platform includes several steps: -1. [Enable the interface](#enable-the-user-interface-on-windows-server-2016-or-2019) +1. [Enable the interface](#enable-the-user-interface-on-windows-server). +2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server). +3. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running). +4. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence). +5. (As needed) [Submit samples](#submit-samples). +6. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions). +7. (Only if necessary) [Set Microsoft Defender Antivirus to passive mode](#need-to-set-microsoft-defender-antivirus-to-passive-mode). -2. [Install Microsoft Defender Antivirus](#install-microsoft-defender-antivirus-on-windows-server-2016-or-2019) +## Enable the user interface on Windows Server -2. [Verify Microsoft Defender Antivirus is running](#verify-microsoft-defender-antivirus-is-running) - -3. [Update your antimalware Security intelligence](#update-antimalware-security-intelligence) - -4. (As needed) [Submit samples](#submit-samples) - -5. (As needed) [Configure automatic exclusions](#configure-automatic-exclusions) - -6. (Only if necessary) [Uninstall Microsoft Defender Antivirus](#need-to-uninstall-microsoft-defender-antivirus) - -## Enable the user interface on Windows Server 2016 or 2019 - -By default, Microsoft Defender Antivirus is installed and functional on Windows Server 2016 and 2019. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. And if the GUI is not installed on your server, you can add it by using the Add Roles and Features Wizard or by using PowerShell. +By default, Microsoft Defender Antivirus is installed and functional on Windows Server. The user interface (GUI) is installed by default on some SKUs, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus. If the GUI is not installed on your server, you can add it by using the **Add Roles and Features** wizard, or by using PowerShell cmdlets. ### Turn on the GUI using the Add Roles and Features Wizard -1. Refer to [this article](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. +1. See [Install roles, role services, and features by using the add Roles and Features Wizard](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features#install-roles-role-services-and-features-by-using-the-add-roles-and-features-wizard), and use the **Add Roles and Features Wizard**. 2. When you get to the **Features** step of the wizard, under **Windows Defender Features**, select the **GUI for Windows Defender** option. -In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: + In Windows Server 2016, the **Add Roles and Features Wizard** looks like this: - +  -In Windows Server 2019, the **Add Roles and Feature Wizard** looks much the same. + In Windows Server 2019, the **Add Roles and Feature Wizard** is similar. ### Turn on the GUI using PowerShell @@ -72,7 +70,7 @@ The following PowerShell cmdlet will enable the interface: Install-WindowsFeature -Name Windows-Defender-GUI ``` -## Install Microsoft Defender Antivirus on Windows Server 2016 or 2019 +## Install Microsoft Defender Antivirus on Windows Server You can use either the **Add Roles and Features Wizard** or PowerShell to install Microsoft Defender Antivirus. @@ -117,7 +115,7 @@ The `sc query` command returns information about the Microsoft Defender Antiviru ## Update antimalware Security intelligence -In order to get updated antimalware Security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. +To get updated antimalware security intelligence, you must have the Windows Update service running. If you use an update management service, like Windows Server Update Services (WSUS), make sure that updates for Microsoft Defender Antivirus Security intelligence are approved for the computers you manage. By default, Windows Update does not download and install updates automatically on Windows Server 2019 or Windows Server 2016. You can change this configuration by using one of the following methods: @@ -171,11 +169,11 @@ To help ensure security and performance, certain exclusions are automatically ad See [Configure exclusions in Microsoft Defender Antivirus on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md). -## Need to uninstall Microsoft Defender Antivirus? +## Need to set Microsoft Defender Antivirus to passive mode? -If you are using a non-Microsoft antivirus product as your primary antivirus solution, you can either disable Microsoft Defender Antivirus, or set it to passive mode, as described in the following procedures. +If you are using a non-Microsoft antivirus product as your primary antivirus solution, set Microsoft Defender Antivirus to passive mode. -### Set Microsoft Defender Antivirus to passive mode +### Set Microsoft Defender Antivirus to passive mode using a registry key If you are using Windows Server, version 1803 or Windows Server 2019, you can set Microsoft Defender Antivirus to passive mode by setting the following registry key: - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection` @@ -193,17 +191,6 @@ If you are using Windows Server, version 1803 or Windows Server 2019, you can se Microsoft Defender Antivirus will still run normally without the user interface, but the user interface cannot be enabled if you disable the core **Windows Defender** feature. -### Disable Microsoft Defender Antivirus using PowerShell - ->[!NOTE] ->You can't uninstall the Windows Security app, but you can disable the interface with these instructions. - -The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016 or 2019: - -```PowerShell -Uninstall-WindowsFeature -Name Windows-Defender -``` - ### Turn off the Microsoft Defender Antivirus user interface using PowerShell To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell cmdlet: @@ -212,10 +199,22 @@ To turn off the Microsoft Defender Antivirus GUI, use the following PowerShell c Uninstall-WindowsFeature -Name Windows-Defender-GUI ``` +### Are you using Windows Server 2016? + +If you are using Windows Server 2016 and a third-party antimalware/antivirus product that is not offered or developed by Microsoft, you'll need to disable/uninstall Microsoft Defender Antivirus. + +> [!NOTE] +> You can't uninstall the Windows Security app, but you can disable the interface with these instructions. + +The following PowerShell cmdlet uninstalls Microsoft Defender Antivirus on Windows Server 2016: + +```PowerShell +Uninstall-WindowsFeature -Name Windows-Defender +``` + ## See also - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) - -- [Configure exclusions in Microsoft Defender AV on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Microsoft Defender Antivirus compatibility](microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md index 355705569c..b22545f7af 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md @@ -3,7 +3,7 @@ title: Microsoft Defender Offline in Windows 10 description: You can use Microsoft Defender Offline straight from the Windows Defender Antivirus app. You can also manage how it is deployed in your network. keywords: scan, defender, offline search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Run and review the results of a Microsoft Defender Offline scan @@ -58,7 +59,7 @@ See the [Manage Microsoft Defender Antivirus Security intelligence updates](man In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Microsoft Defender Offline needs to run, it will prompt the user on the endpoint. -The need to perform an offline scan will also be revealed in Microsoft Endpoint Configuration Manager if you're using it to manage your endpoints. +The need to perform an offline scan will also be revealed in Microsoft Endpoint Manager if you're using it to manage your endpoints. The prompt can occur via a notification, similar to the following: @@ -70,7 +71,7 @@ In Configuration Manager, you can identify the status of endpoints by navigating Microsoft Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**. - + ## Configure notifications diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md index e4f4d4c952..427ebf59db 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender Antivirus in the Windows Security app description: With Microsoft Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Microsoft Defender Antivirus in the Windows Security app diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md index eb9a31fb16..7f35ddf666 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md @@ -1,21 +1,22 @@ --- -title: "Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats" -description: "Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more." +title: Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats +description: Office 365, which includes OneDrive, goes together wonderfully with Microsoft Defender Antivirus. Read this article to learn more. keywords: windows defender, antivirus, office 365, onedrive, restore, ransomware search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.date: 03/04/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Better together: Microsoft Defender Antivirus and Office 365 @@ -24,9 +25,9 @@ manager: dansimp **Applies to:** - +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - Microsoft Defender Antivirus -- Office 365 +- Microsoft 365 You might already know that: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index 567fc845b6..4a620da214 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -6,7 +6,7 @@ description: Use tamper protection to prevent malicious apps from changing impor keywords: malware, defender, antivirus, tamper protection search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,7 +14,8 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 11/19/2020 +ms.date: 01/07/2021 +ms.technology: mde --- # Protect security settings with tamper protection @@ -24,8 +25,12 @@ ms.date: 11/19/2020 **Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +Tamper protection is available on devices running the following versions of Windows: + - Windows 10 -- Windows Server 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) +- Windows Server 2016 and 2019 (if using tenant attach with [Configuration Manager, version 2006](#manage-tamper-protection-with-configuration-manager-version-2006)) ## Overview @@ -74,7 +79,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And, If you are a home user, or you are not subject to settings managed by a security team, you can use the Windows Security app to turn tamper protection on or off. You must have appropriate admin permissions on your machine to do change security settings, such as tamper protection. -1. Click **Start**, and start typing *Defender*. In the search results, select **Windows Security**. +1. Click **Start**, and start typing *Security*. In the search results, select **Windows Security**. 2. Select **Virus & threat protection** > **Virus & threat protection settings**. @@ -90,7 +95,7 @@ If you are part of your organization's security team, and your subscription incl You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations, to perform the following task. -1. Make sure your organization meets all of the following requirements to manage tamper protection using Intune: +1. Make sure your organization meets all of the following requirements to use Intune to manage tamper protection: - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.) - Your Windows machines must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/).) @@ -101,15 +106,15 @@ You must have appropriate [permissions](../microsoft-defender-atp/assign-portal- 3. Select **Devices** > **Configuration Profiles**. -4. Create a profile as follows: +4. Create a profile that includes the following settings: - - Platform: **Windows 10 and later** + - **Platform: Windows 10 and later** - - Profile type: **Endpoint protection** + - **Profile type: Endpoint protection** - - Category: **Microsoft Defender Security Center** + - **Category: Microsoft Defender Security Center** - - Tamper Protection: **Enabled** + - **Tamper Protection: Enabled**  @@ -132,7 +137,7 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release > [!IMPORTANT] > The procedure can be used to extend tamper protection to devices running Windows 10 and Windows Server 2019. Make sure to review the prerequisites and other information in the resources mentioned in this procedure. -If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10 and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. +If you're using [version 2006 of Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/plan-design/changes/whats-new-in-version-2006), you can manage tamper protection settings on Windows 10, Windows Server 2016, and Windows Server 2019 by using a method called *tenant attach*. Tenant attach enables you to sync your on-premises-only Configuration Manager devices into the Microsoft Endpoint Manager admin center, and then deliver your endpoint security configuration policies to your on-premises collections & devices. 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). @@ -209,7 +214,7 @@ Your regular group policy doesn’t apply to tamper protection, and changes to M ### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization and to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md index bc77598593..93d033b274 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Hide the Microsoft Defender Antivirus interface description: You can hide virus and threat protection tile in the Windows Security app. keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Prevent users from seeing or interacting with the Microsoft Defender Antivirus user interface diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md index 4280ec563b..f6c46b93b9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Monitor and report on Microsoft Defender Antivirus protection description: Use Configuration Manager or security information and event management (SIEM) tools to consume reports, and monitor Microsoft Defender AV with PowerShell and WMI. keywords: siem, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 12/07/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Report on Microsoft Defender Antivirus @@ -27,7 +28,7 @@ manager: dansimp Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web. -With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Configuration Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). +With Microsoft Defender Antivirus, you have several options for reviewing protection status and alerts. You can use Microsoft Endpoint Manager to [monitor Microsoft Defender Antivirus](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-configure-alerts). Or, you can monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Microsoft Defender Antivirus issues, including protection updates and real-time protection settings. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md index e2ce17b208..e3f5c1f0fe 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Restore quarantined files in Microsoft Defender AV description: You can restore files and folders that were quarantined by Microsoft Defender AV. keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 05/20/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Restore quarantined files in Microsoft Defender AV diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md index 44079dd62b..4168fb1d63 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- -title: Review the results of Microsoft Defender AV scans +title: Review the results of Microsoft Defender AV scans description: Review the results of scans using Microsoft Endpoint Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/28/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Review Microsoft Defender Antivirus scan results diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md index 6b709df330..5a65b6a165 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Run and customize on-demand scans in Microsoft Defender AV description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 11/13/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Configure and run on-demand Microsoft Defender Antivirus scans @@ -42,7 +43,7 @@ A full scan can be useful on endpoints that have reported a malware threat. The > [!NOTE] > By default, quick scans run on mounted removable devices, such as USB drives. -## Use Microsoft Endpoint Configuration Manager to run a scan +## Use Microsoft Endpoint Manager to run a scan 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. 2. Choose **Endpoint security** > **Antivirus**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md index 153100cb9f..ce888c039c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Schedule regular quick and full scans with Microsoft Defender Antivirus description: Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans keywords: quick scan, full scan, quick vs full, schedule scan, daily, weekly, time, scheduled, recurring, regular search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 11/02/2020 ms.reviewer: pauhijbr manager: dansimp +ms.technology: mde --- # Configure scheduled quick or full Microsoft Defender Antivirus scans diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md index 433c59bb6f..1e4c37caba 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md @@ -4,7 +4,7 @@ description: Set your level of cloud-delivered protection for Microsoft Defender keywords: Microsoft Defender Antivirus, antimalware, security, defender, cloud, aggressiveness, protection level search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,6 +14,7 @@ ms.date: 10/26/2020 ms.reviewer: manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Specify the cloud-delivered protection level @@ -23,13 +24,13 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy. > [!TIP] > Cloud protection is not simply protection for files that are stored in the cloud. The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and devices (also called endpoints). Cloud protection with Microsoft Defender Antivirus uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional security intelligence updates. -> Microsoft Intune and Microsoft Endpoint Configuration Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). +> Microsoft Intune and Microsoft Endpoint Manager are now part of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). ## Use Microsoft Endpoint Manager to specify the level of cloud-delivered protection diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md index 6c91515428..d0c2933ef9 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md @@ -3,7 +3,7 @@ title: Troubleshoot Microsoft Defender Antivirus while migrating from a third-pa description: Troubleshoot common errors when migrating to Microsoft Defender Antivirus keywords: event, error code, logging, troubleshooting, microsoft defender antivirus, windows defender antivirus, migration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/11/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot Microsoft Defender Antivirus while migrating from a third-party solution diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md index ba1346ed98..b65212267f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Microsoft Defender AV event IDs and error codes description: Look up the causes and solutions for Microsoft Defender Antivirus event IDs and errors keywords: event, error code, siem, logging, troubleshooting, wef, windows event forwarding search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 09/11/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Review event logs and error codes to troubleshoot issues with Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md index 4693016f63..0b3b787b77 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md @@ -3,7 +3,7 @@ title: Troubleshoot problems with reporting tools for Microsoft Defender AV description: Identify and solve common problems when attempting to report in Microsoft Defender AV protection status in Update Compliance keywords: troubleshoot, error, fix, update compliance, oms, monitor, report, Microsoft Defender AV search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot Microsoft Defender Antivirus reporting in Update Compliance diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md index 87f46b0cd9..b3383fd1a6 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus with Group Policy description: Learn how to use a Group Policy to configure and manage Microsoft Defender Antivirus on your endpoints in Microsoft Defender for Endpoint. keywords: group policy, GPO, configuration, settings search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ ms.custom: nextgen ms.date: 10/01/2018 ms.reviewer: ksarens manager: dansimp +ms.technology: mde --- # Use Group Policy settings to configure and manage Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md index 9b5897d363..75f4f1b7cc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md @@ -1,9 +1,9 @@ --- title: Configure Microsoft Defender Antivirus with Configuration Manager and Intune -description: Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection +description: Use Microsoft Endpoint Manager and Microsoft Intune to configure Microsoft Defender AV and Endpoint Protection keywords: scep, intune, endpoint protection, configuration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.custom: nextgen ms.date: 10/26/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- -# Use Microsoft Endpoint Configuration Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus +# Use Microsoft Endpoint Manager and Microsoft Intune to configure and manage Microsoft Defender Antivirus [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -25,7 +26,7 @@ manager: dansimp - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -If you were using Microsoft Endpoint Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. +If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans. 1. In the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)), navigate to **Endpoint Security**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md index ae51436faa..078fbf7fab 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Use PowerShell cmdlets to configure and run Microsoft Defender AV description: In Windows 10, you can use PowerShell cmdlets to run scans, update Security intelligence, and change settings in Microsoft Defender Antivirus. keywords: scan, command line, mpcmdrun, defender search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 07/23/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use PowerShell cmdlets to configure and manage Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md index 51137f3e9e..92f746d03d 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Configure Microsoft Defender Antivirus with WMI description: Learn how to configure and manage Microsoft Defender Antivirus by using WMI scripts to retrieve, modify, and update settings in Microsoft Defender for Endpoint. keywords: wmi, scripts, windows management instrumentation, configuration search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.custom: nextgen ms.date: 09/03/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Use Windows Management Instrumentation (WMI) to configure and manage Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md index da103c7192..5bc184057b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md @@ -3,7 +3,7 @@ title: Use next-generation technologies in Microsoft Defender Antivirus through description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. keywords: Microsoft Defender Antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ ms.author: deniseb ms.reviewer: shwjha manager: dansimp ms.custom: nextgen +ms.technology: mde --- # Use next-generation technologies in Microsoft Defender Antivirus through cloud-delivered protection @@ -21,7 +22,7 @@ ms.custom: nextgen **Applies to:** -- Microsoft Defender Antivirus +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. @@ -45,11 +46,11 @@ src="https://videoplayercdn.osi.office.net/embed/c2f20f59-ca56-4a7b-ba23-44c60bc Read the following blog posts for detailed protection stories involving cloud-protection and Microsoft AI: -- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-microsoft-defender-antivirus-is-the-most-deployed-in-the-enterprise/) -- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/) -- [How artificial intelligence stopped an Emotet outbreak](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak/) -- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-microsoft-defender-antivirus-and-layered-machine-learning-defenses/) -- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://cloudblogs.microsoft.com/microsoftsecure/2017/07/18/microsoft-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware/) +- [Why Microsoft Defender Antivirus is the most deployed in the enterprise](https://www.microsoft.com/security/blog/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise) +- [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign) +- [How artificial intelligence stopped an Emotet outbreak](https://www.microsoft.com/security/blog/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak) +- [Detonating a bad rabbit: Microsoft Defender Antivirus and layered machine learning defenses](https://www.microsoft.com/security/blog/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses) +- [Microsoft Defender Antivirus cloud protection service: Advanced real-time defense against never-before-seen malware](https://www.microsoft.com/security/blog/2017/07/18/windows-defender-antivirus-cloud-protection-service-advanced-real-time-defense-against-never-before-seen-malware) ## Get cloud-delivered protection @@ -68,7 +69,7 @@ The following table describes the differences in cloud-delivered protection betw |Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | |Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | |System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable | -|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | +|Microsoft Endpoint Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | |Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | You can also [configure Microsoft Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-microsoft-defender-antivirus.md#cloud-report-updates). @@ -82,6 +83,6 @@ You can also [configure Microsoft Defender Antivirus to automatically receive ne - [Configure and validate network connections for Microsoft Defender Antivirus](configure-network-connections-microsoft-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the block at first sight feature](configure-block-at-first-sight-microsoft-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Manager and Group Policy. -- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md). Microsoft Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Manager and Group Policy. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md index 56c8f7668f..bf55abf1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md @@ -1,19 +1,20 @@ --- -title: "Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint" -description: "For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings." +title: Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint +description: For best results, use Microsoft Defender Antivirus together with your other Microsoft offerings. keywords: windows defender, antivirus, third party av search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp +ms.technology: mde --- # Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index aa6d77cbd0..bbab8b350a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 10/17/2017 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Configure Microsoft Defender Application Guard policy settings diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index ab42d2eb12..60b5e96c41 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -1,17 +1,18 @@ --- title: FAQ - Microsoft Defender Application Guard (Windows 10) description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 11/03/2020 +ms.date: 01/21/2021 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Frequently asked questions - Microsoft Defender Application Guard @@ -146,7 +147,7 @@ There is a known issue such that if you change the Exploit Protection settings f ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. -1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**. +1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 2. Disable IpNat.sys from ICS load as follows: `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` @@ -159,6 +160,28 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli 5. Reboot the device. +### Why doesn't the container fully load when device control policies are enabled? +Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. + +Policy: Allow installation of devices that match any of these device IDs +- `SCSI\DiskMsft____Virtual_Disk____` +- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba` +- `VMS_VSF` +- `root\Vpcivsp` +- `root\VMBus` +- `vms_mp` +- `VMS_VSP` +- `ROOT\VKRNLINTVSP` +- `ROOT\VID` +- `root\storvsp` +- `vms_vsmp` +- `VMS_PP` + +Policy: Allow installation of devices using drivers that match these device setup classes +- `{71a27cdd-812a-11d0-bec7-08002be2092f}` + + + ## See also -[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) \ No newline at end of file +[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index 2ead755621..919fc5c18b 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Enable hardware-based isolation for Microsoft Edge (Windows 10) description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Prepare to install Microsoft Defender Application Guard diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md index a84686a871..2731dfe662 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Application Guard Extension description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 06/12/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Microsoft Defender Application Guard Extension diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 2a63557e33..84ae3ac222 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -1,17 +1,18 @@ --- title: Microsoft Defender Application Guard (Windows 10) description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/17/2020 +ms.date: 01/27/2021 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Microsoft Defender Application Guard overview @@ -33,9 +34,9 @@ For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoin Application Guard has been created to target several types of devices: -- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. +- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network. -- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. +- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network. - **Bring your own device (BYOD) mobile laptops**. These personally-owned laptops are not domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home. @@ -52,3 +53,4 @@ Application Guard has been created to target several types of devices: | [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide | | [Microsoft Defender Application Guard for Microsoft Office](https://docs.microsoft.com/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| +|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 81623005a4..4444817c21 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -1,7 +1,7 @@ --- title: System requirements for Microsoft Defender Application Guard (Windows 10) description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 02/11/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # System requirements for Microsoft Defender Application Guard diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 6ffce8a986..0c7e53c3fb 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -1,7 +1,7 @@ --- title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.reviewer: manager: dansimp ms.date: 09/14/2020 ms.custom: asr +ms.technology: mde --- # Application Guard testing scenarios diff --git a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md index 928df9d3fd..1f03573655 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md +++ b/windows/security/threat-protection/microsoft-defender-atp/Onboard-Windows-10-multi-session-device.md @@ -1,21 +1,22 @@ --- -title: "Onboard Windows 10 multi-session devices in Windows Virtual Desktop" -description: "Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop" +title: Onboard Windows 10 multi-session devices in Windows Virtual Desktop +description: Read more in this article about Onboarding Windows 10 multi-session devices in Windows Virtual Desktop keywords: Windows Virtual Desktop, WVD, microsoft defender, endpoint, onboard search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -audience: ITPro -ms.topic: article +audience: ITPro +ms.topic: article author: dansimp ms.author: dansimp ms.custom: nextgen ms.date: 09/10/2020 ms.reviewer: manager: dansimp +ms.technology: mde --- # Onboard Windows 10 multi-session devices in Windows Virtual Desktop @@ -23,8 +24,6 @@ manager: dansimp Applies to: - Windows 10 multi-session running on Windows Virtual Desktop (WVD) -> [!IMPORTANT] -> Welcome to Microsoft Defender for Endpoint, the new name for Microsoft Defender for Endpoint. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future. > [!WARNING] > Microsoft Defender for Endpoint support for Windows Virtual Desktop multi-session scenarios is currently in Preview and limited up to 25 concurrent sessions per host/VM. However, single session scenarios on Windows Virtual Desktop are fully supported. @@ -92,7 +91,7 @@ If you plan to manage your machines using a management tool, you can onboard dev For more information, see: [Onboard Windows 10 devices using Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm) > [!WARNING] -> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Configuration Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. +> If you plan to use [Attack Surface reduction Rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction), please note that rule “[Block process creations originating from PSExec and WMI commands](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction#block-process-creations-originating-from-psexec-and-wmi-commands)" should not be used as it is incompatible with management through Microsoft Endpoint Manager because this rule blocks WMI commands the Configuration Manager client uses to function correctly. > [!TIP] > After onboarding the device, you can choose to run a detection test to verify that the device is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Microsoft Defender for Endpoint device](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test). diff --git a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md index ccf8b5f19e..c2ef3ab727 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md +++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md @@ -4,7 +4,7 @@ description: Access the Microsoft Defender Security Center MSSP customer portal keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Access the Microsoft Defender Security Center MSSP customer portal diff --git a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md index 2cb1370de1..2a992e5e4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md @@ -3,7 +3,7 @@ title: Add or Remove Machine Tags API description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, tags, machine tags search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Add or Remove Machine Tags API @@ -89,9 +90,11 @@ If successful, this method returns 200 - Ok response code and the updated Machin Here is an example of a request that adds machine tag. -```http +``` POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags -Content-type: application/json +``` + +```json { "Value" : "test Tag 2", "Action": "Add" diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index 725daf0761..20f0d4f434 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -4,7 +4,7 @@ description: Turn on advanced features such as block file in Microsoft Defender keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure advanced features in Defender for Endpoint @@ -42,6 +43,12 @@ Turn on this feature so that users with the appropriate permissions can start a For more information about role assignments, see [Create and manage roles](user-roles.md). +## Live response for servers +Turn on this feature so that users with the appropriate permissions can start a live response session on servers. + +For more information about role assignments, see [Create and manage roles](user-roles.md). + + ## Live response unsigned script execution Enabling this feature allows you to run unsigned scripts in a live response session. diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md index 46e60648d1..276a068e26 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md @@ -1,10 +1,10 @@ --- title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection -description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device +description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # AssignedIPAddresses() diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index bd47d4a12b..a7e13d3cdf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -4,7 +4,7 @@ description: Learn how to construct fast, efficient, and error-free threat hunti keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: m365-security-compliance +ms.collection: m365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting query best practices diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md index 51940745aa..3c5026b44c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md @@ -4,7 +4,7 @@ description: Learn about alert generation events in the DeviceAlertEvents table keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, DeviceAlertEvents, alert, severity, category search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/22/2020 +ms.technology: mde --- # DeviceAlertEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md index 82be65bdc4..33c2baedda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md @@ -4,7 +4,7 @@ description: Learn about antivirus, firewall, and other event types in the misce keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, security events, antivirus, firewall, exploit guard, MiscEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md index 20c0ceb254..f939a66576 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md @@ -4,7 +4,7 @@ description: Learn about file signing information in the DeviceFileCertificateIn keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, digital signature, certificate, file signing, DeviceFileCertificateInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/14/2020 +ms.technology: mde --- # DeviceFileCertificateInfo diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md index 2a453a4169..f7a83b8132 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md @@ -1,10 +1,10 @@ --- -title: DeviceFileEvents table in the advanced hunting schema +title: DeviceFileEvents table in the advanced hunting schema description: Learn about file-related events in the DeviceFileEvents table of the advanced hunting schema keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicefileevents, files, path, hash, sha1, sha256, md5, FileCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceFileEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md index a00c2ef094..5d5663f9e9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md @@ -4,7 +4,7 @@ description: Learn about DLL loading events in the DeviceImageLoadEvents table o keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceimageloadevents, DLL loading, library, file image, ImageLoadEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceImageLoadEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md index 8c806a1b38..47e3f44b7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md @@ -1,10 +1,10 @@ --- title: DeviceInfo table in the advanced hunting schema description: Learn about OS, computer name, and other device information in the DeviceInfo table of the advanced hunting schema -keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo +keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, deviceinfo, device, OS, platform, users, DeviceInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceInfo diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md index c04883052f..e9062bbd6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicelogonevents-table.md @@ -4,7 +4,7 @@ description: Learn about authentication or sign-in events in the DeviceLogonEven keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicelogonevents, authentication, logon, sign in, LogonEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceLogonEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md index 467888a9d3..5bbce755a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md @@ -4,7 +4,7 @@ description: Learn about network connection events you can query from the Device keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, devicenetworkevents, network connection, remote ip, local ip, NetworkCommunicationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceNetworkEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md index 48ae9ead1e..2b9b626fb5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicenetworkinfo-table.md @@ -4,7 +4,7 @@ description: Learn about network configuration information in the DeviceNetworkI keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, description, devicenetworkinfo, device, device, mac, ip, adapter, dns, dhcp, gateway, tunnel, DeviceNetworkInfo search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceNetworkInfo diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md index 921304b30c..cf942a6f36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md @@ -4,7 +4,7 @@ description: Learn about the process spawning or creation events in the DevicePr keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceprocessevents, process id, command line, ProcessCreationEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceProcessEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md index ec6f722e98..eeb92421d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md @@ -4,7 +4,7 @@ description: Learn about registry events you can query from the DeviceRegistryEv keywords: advanced hunting, threat hunting, cyber threat hunting, search, query, telemetry, schema reference, kusto, table, column, data type, deviceregistryevents, registry, key, subkey, value, RegistryEvents search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceRegistryEvents diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md index bf6dc4404d..6dab26214e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSecureConfigurationAssessment table in the advanced hunting schema -description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment +description: Learn about Threat & Vulnerability Management security assessment events in the DeviceTvmSecureConfigurationAssessment table of the Advanced hunting schema. These events provide device information as well as security configuration details, impact, and compliance information. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, DeviceTvmSecureConfigurationAssessment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSecureConfigurationAssessment diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md index 317e6e26c6..26521cd2fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSecureConfigurationAssessmentKB table in the advanced hunting schema -description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. +description: Learn about the various secure configurations assessed by Threat & Vulnerability Management in the DeviceTvmSecureConfigurationAssessmentKB table of the Advanced hunting schema. keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, security configuration, MITRE ATT&CK framework, knowledge base, KB, DeviceTvmSecureConfigurationAssessmentKB search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSecureConfigurationAssessmentKB diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md index d61956dee5..849feba90c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md @@ -4,7 +4,7 @@ description: Learn about the inventory of software in your devices and their vul keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, OS DeviceTvmSoftwareInventoryVulnerabilities search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSoftwareInventoryVulnerabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md index 0779d7d929..dd82717d64 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md @@ -1,10 +1,10 @@ --- title: DeviceTvmSoftwareVulnerabilitiesKB table in the advanced hunting schema -description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. -keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB +description: Learn about the software vulnerabilities tracked by Threat & Vulnerability Management in the DeviceTvmSoftwareVulnerabilitiesKB table of the advanced hunting schema. +keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, column, data type, description, threat & vulnerability management, TVM, device management, software, inventory, vulnerabilities, CVE ID, CVSS, DeviceTvmSoftwareVulnerabilitiesKB search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # DeviceTvmSoftwareVulnerabilitiesKB diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md index ab53ab3585..a3c2545b6b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-errors.md @@ -4,7 +4,7 @@ description: Understand errors displayed when using advanced hunting keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, m365, search, query, telemetry, schema, kusto, timeout, resources, errors, unknown error search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Handle advanced hunting errors diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md index 60566f53f5..9fb4a8a8d4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-extend-data.md @@ -1,10 +1,10 @@ --- -title: Extend advanced hunting coverage with the right settings -description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting -keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection +title: Extend advanced hunting coverage with the right settings +description: Check auditing settings on Windows devices and other settings to help ensure that you get the most comprehensive data in advanced hunting +keywords: advanced hunting, incident, pivot, entity, audit settings, user account management, security group management, threat hunting, cyber threat hunting, search, query, telemetry, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 10/10/2020 +ms.technology: mde --- # Extend advanced hunting coverage with the right settings diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md index 365f8ef6ba..66e5df0593 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-fileprofile-function.md @@ -1,10 +1,10 @@ --- title: FileProfile() function in advanced hunting for Microsoft Defender Advanced Threat Protection -description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results +description: Learn how to use the FileProfile() to enrich information about files in your advanced hunting query results keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # FileProfile() diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md index 9b8aed20bc..c16f450428 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-go-hunt.md @@ -1,22 +1,23 @@ --- -title: Get relevant info about an entity with go hunt -description: Learn how to use the "go hunt" tool to quickly query for relevant information about an entity or event using advanced hunting. +title: Get relevant info about an entity with go hunt +description: Learn how to use the go hunt tool to quickly query for relevant information about an entity or event using advanced hunting. keywords: advanced hunting, incident, pivot, entity, go hunt, relevant events, threat hunting, cyber threat hunting, search, query, telemetry, Microsoft Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -f1.keywords: -- NOCSH +f1.keywords: + - NOCSH ms.author: v-maave author: martyav ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Quickly hunt for entity or event information with go hunt diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md index 0516afc2f2..373fc237b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-limits.md @@ -4,7 +4,7 @@ description: Understand various service limits that keep the advanced hunting se keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, schema, kusto, CPU limit, query limit, resources, maximum results search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting service limits diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index e42dbf4cf3..35fa634bff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md @@ -4,7 +4,7 @@ description: Use threat hunting capabilities in Microsoft Defender ATP to build keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp, search, query, telemetry, custom detections, schema, kusto, time zone, UTC search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Proactively hunt for threats with advanced hunting diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md index 76fd2bee7e..6bf8d2fa92 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language.md @@ -4,7 +4,7 @@ description: Create your first threat hunting query and learn about common opera keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, language, learn, first query, telemetry, events, telemetry, custom detections, schema, kusto, operators, data types search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Learn the advanced hunting query language diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md index 34db3e0745..08515a57eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-results.md @@ -4,7 +4,7 @@ description: Make the most of the query results returned by advanced hunting in keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, visualization, chart, filters, drill down search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Work with advanced hunting query results diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md index a0988a90d0..4d15c46f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference.md @@ -4,7 +4,7 @@ description: Learn about the tables in the advanced hunting schema to understand keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, schema reference, kusto, table, data search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 01/14/2020 +ms.technology: mde --- # Understand the advanced hunting schema diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md index 0daf0cbfda..c3b430655b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-shared-queries.md @@ -4,7 +4,7 @@ description: Start threat hunting immediately with predefined and shared queries keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, github repo, my queries, shared queries search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use shared queries in advanced hunting diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md index d535b139e2..a0bc9e4540 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-take-action.md @@ -4,7 +4,7 @@ description: Quickly address threats and affected assets in your advanced huntin keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, microsoft defender atp, wdatp search, query, telemetry, custom detections, schema, kusto, avoid timeout, command lines, process id search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # Take action on advanced hunting query results diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md index 5e96430994..6c96b5ea1e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue-endpoint-detection-response.md @@ -5,7 +5,7 @@ description: View and manage the alerts surfaced in Microsoft Defender Security keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/03/2018 +ms.technology: mde --- # Alerts queue in Microsoft Defender Security Center diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index e403e8465c..7ac4d17fb3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -4,7 +4,7 @@ description: Learn about how the Microsoft Defender ATP alerts queues work, and keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period, microsoft threat experts alerts search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 03/27/2020 +ms.technology: mde --- # View and organize the Microsoft Defender for Endpoint Alerts queue diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts.md b/windows/security/threat-protection/microsoft-defender-atp/alerts.md index 0668c313a5..da475d40a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts.md @@ -3,7 +3,7 @@ title: Get alerts API description: Learn about the methods and properties of the Alert resource type in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Alert resource type @@ -36,7 +37,7 @@ Method |Return Type |Description :---|:---|:--- [Get alert](get-alert-info-by-id.md) | [Alert](alerts.md) | Get a single [alert](alerts.md) object. [List alerts](get-alerts.md) | [Alert](alerts.md) collection | List [alert](alerts.md) collection. -[Update alert](get-alerts.md) | [Alert](update-alert.md) | Update specific [alert](alerts.md). +[Update alert](update-alert.md) | [Alert](alerts.md) | Update specific [alert](alerts.md). [Create alert](create-alert-by-reference.md)|[Alert](alerts.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). [List related domains](get-alert-related-domain-info.md)|Domain collection| List URLs associated with the alert. [List related files](get-alert-related-files-info.md) | [File](files.md) collection | List the [file](files.md) entities that are associated with the [alert](alerts.md). @@ -68,45 +69,145 @@ determination | Nullable Enum | Specifies the determination of the alert. Possib category| String | Category of the alert. detectionSource | String | Detection source. threatFamilyName | String | Threat family. +threatName | String | Threat name. machineId | String | ID of a [machine](machine.md) entity that is associated with the alert. computerDnsName | String | [machine](machine.md) fully qualified name. aadTenantId | String | The Azure Active Directory ID. -comments | List of Alert comments | Alert Comment is an object that contains: comment string, createdBy string and createTime date time. +detectorId | String | The ID of the detector that triggered the alert. +comments | List of Alert comments | Alert Comment object contains: comment string, createdBy string and createTime date time. +Evidence | List of Alert evidence | Evidence related to the alert. See example below. ### Response example for getting single alert: -``` -GET https://api.securitycenter.microsoft.com/api/alerts/da637084217856368682_-292920499 +```http +GET https://api.securitycenter.microsoft.com/api/alerts/da637472900382838869_1364969609 ``` ```json { - "id": "da637084217856368682_-292920499", - "incidentId": 66860, - "investigationId": 4416234, - "investigationState": "Running", - "assignedTo": "secop@contoso.com", - "severity": "Low", - "status": "New", - "classification": "TruePositive", - "determination": null, - "detectionSource": "WindowsDefenderAtp", - "category": "CommandAndControl", - "threatFamilyName": null, - "title": "Network connection to a risky host", - "description": "A network connection was made to a risky host which has exhibited malicious activity.", - "alertCreationTime": "2019-11-03T23:49:45.3823185Z", - "firstEventTime": "2019-11-03T23:47:16.2288822Z", - "lastEventTime": "2019-11-03T23:47:51.2966758Z", - "lastUpdateTime": "2019-11-03T23:55:52.6Z", - "resolvedTime": null, - "machineId": "986e5df8b73dacd43c8917d17e523e76b13c75cd", - "comments": [ - { - "comment": "test comment for docs", - "createdBy": "secop@contoso.com", - "createdTime": "2019-11-05T14:08:37.8404534Z" - } - ] + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, + "assignedTo": null, + "severity": "Low", + "status": "New", + "classification": null, + "determination": null, + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", + "resolvedTime": null, + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], + "relatedUser": { + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], + "evidence": [ + { + "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": null, + "sha256": null, + "fileName": null, + "filePath": null, + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md index f9f5d899e6..c0d3f7f4e0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-configure.md @@ -1,11 +1,11 @@ --- title: Configure Microsoft Defender ATP for Android features -ms.reviewer: -description: Describes how to configure Microsoft Defender ATP for Android +ms.reviewer: +description: Describes how to configure Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure Defender for Endpoint for Android features diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md index 52450260ef..dcaf457b37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-intune.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Android with Microsoft Intune -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Android with Microsoft Intune keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Android with Microsoft Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md index 66ec2fa838..d14d7b7606 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-privacy.md @@ -4,7 +4,7 @@ description: Privacy controls, how to configure policy settings that impact priv keywords: microsoft, defender, atp, android, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint for Android - Privacy information diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md index 34959bf022..f9fe77aefa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-support-signin.md @@ -1,11 +1,11 @@ --- title: Troubleshoot issues on Microsoft Defender ATP for Android -ms.reviewer: +ms.reviewer: description: Troubleshoot issues for Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, cloud, connectivity, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Troubleshooting issues on Microsoft Defender for Endpoint for Android diff --git a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md index d8dd335aff..05151f5a7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/android-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/android-terms.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Android Application license terms -ms.reviewer: +ms.reviewer: description: Describes the Microsoft Defender ATP for Android license terms -keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, +keywords: microsoft, defender, atp, android,license, terms, application, use, installation, service, feedback, scope, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,6 +17,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual hideEdit: true +ms.technology: mde --- # Microsoft Defender for Endpoint for Android application license terms diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md index c75879bafc..f6ea5a6c0d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-explorer.md @@ -1,11 +1,11 @@ --- -title: API Explorer in Microsoft Defender ATP +title: API Explorer in Microsoft Defender ATP ms.reviewer: description: Use the API Explorer to construct and do API queries, test, and send requests for any available API -keywords: api, explorer, send, request, get, post, +keywords: api, explorer, send, request, get, post, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # API Explorer diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md index 81f125ba22..bf85bfd5d2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-hello-world.md @@ -4,7 +4,7 @@ ms.reviewer: description: Create a practice 'Hello world'-style API call to the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint API - Hello World diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index 44003ec0b9..c789f3dcc8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant. keywords: flow, supported apis, api, Microsoft flow, query, automation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Power Automate (formerly Microsoft Flow), and Azure Functions diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 2170d310c0..fcaccc4e0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -4,7 +4,7 @@ description: Understand how the Detections API fields map to the values in Micro keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint detections API fields diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index 9bb4eb7102..c62e574323 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -4,7 +4,7 @@ ms.reviewer: description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs. keywords: apis, supported apis, Power BI, reports search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create custom reports using Power BI diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md new file mode 100644 index 0000000000..441c3cbd30 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/api-release-notes.md @@ -0,0 +1,73 @@ +--- +title: Microsoft Defender for Endpoint API release notes +description: Release notes for updates made to the Microsoft Defender for Endpoint set of APIs. +keywords: microsoft defender for endpoint api release notes, mde, apis, mdatp api, updates, notes, release +search.product: eADQiWindows 10XVcnh +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde +--- + +# Microsoft Defender for Endpoint API release notes + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +The following information lists the updates made to the Microsoft Defender for Endpoint APIs and the dates they were made. + + +### 25.01.2021 + + +- Updated rate limitations for [Advanced Hunting API](run-advanced-query-api.md) from 15 to 45 requests per minute. + + + +### 21.01.2021 + + +- Added new API: [Find devices by tag](machine-tags.md). +- Added new API: [Import Indicators](import-ti-indicators.md). + + + +### 03.01.2021 + + +- Updated Alert evidence: added ***detectionStatus***, ***parentProcessFilePath*** and ***parentProcessFileName*** properties. +- Updated [Alert entity](alerts.md): added ***detectorId*** property. + + + +### 15.12.2020 + + +- Updated [Device](machine.md) entity: added ***IpInterfaces*** list. See [List devices](get-machines.md). + + + +### 04.11.2020 + + +- Added new API: [Set device value](set-device-value.md). +- Updated [Device](machine.md) entity: added ***deviceValue*** property. + + + +### 01.09.2020 + + +- Added option to expand the Alert entity with its related Evidence. See [List Alerts](get-alerts.md). + + + \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md index 9c8c96f2ea..b4e75388d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-terms-of-use.md @@ -3,7 +3,7 @@ title: Microsoft Defender ATP API license and terms of use description: Description of the license and terms of use for Microsoft Defender APIs keywords: license, terms, apis, legal, notices, code of conduct search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint API license and terms of use diff --git a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md index ba3e749a61..7a6ced874a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md +++ b/windows/security/threat-protection/microsoft-defender-atp/apis-intro.md @@ -1,10 +1,10 @@ --- -title: Access the Microsoft Defender Advanced Threat Protection APIs +title: Access the Microsoft Defender Advanced Threat Protection APIs ms.reviewer: description: Learn how you can use APIs to automate workflows and innovate based on Microsoft Defender ATP capabilities keywords: apis, api, wdatp, open api, microsoft defender atp api, public api, supported apis, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Access the Microsoft Defender for Endpoint APIs diff --git a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md index a8bf456da1..66d9bed2d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access.md @@ -4,7 +4,7 @@ description: Assign read and write or read only access to the Microsoft Defender keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/28/2018 +ms.technology: mde --- # Assign user access to Microsoft Defender Security Center diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md index 74cc0538fb..4fe5d45a88 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-simulations.md @@ -4,7 +4,7 @@ description: Run the provided attack scenario simulations to experience how Micr keywords: wdatp, test, scenario, attack, simulation, simulated, diy, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/20/2018 +ms.technology: mde --- # Experience Microsoft Defender for Endpoint through simulated attacks diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md index 27c2c2db47..d2eec941c7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-faq.md @@ -4,7 +4,7 @@ description: Find answers to frequently asked questions about Microsoft Defender keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -14,6 +14,7 @@ ms.author: v-maave ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Attack surface reduction frequently asked questions (FAQ) diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md index a0586d3024..6bc883ca30 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Use attack surface reduction rules to prevent malware infection description: Attack surface reduction rules can help prevent exploits from using apps and scripts to infect devices with malware. keywords: Attack surface reduction rules, asr, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, Microsoft Defender Advanced Threat Protection, Microsoft Defender ATP search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,7 +14,8 @@ ms.author: deniseb ms.reviewer: sugamar, jcedola manager: dansimp ms.custom: asr -ms.date: 12/10/2020 +ms.technology: mde + --- # Use attack surface reduction rules to prevent malware infection @@ -24,7 +25,7 @@ ms.date: 12/10/2020 **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ## Why attack surface reduction rules are important @@ -63,8 +64,10 @@ Warn mode helps your organization have attack surface reduction rules in place w Warn mode is supported on devices running the following versions of Windows: - [Windows 10, version 1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) or later - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) or later + +Microsoft Defender Antivirus must be running with real-time protection in [Active mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state). -In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed +In addition, make sure [Microsoft Defender Antivirus and antimalware updates](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus#monthly-platform-and-engine-versions) are installed. - Minimum platform release requirement: `4.18.2008.9` - Minimum engine release requirement: `1.1.17400.5` @@ -124,13 +127,9 @@ DeviceEvents You can review the Windows event log to view events generated by attack surface reduction rules: 1. Download the [Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the device. - 2. Enter the words, *Event Viewer*, into the Start menu to open the Windows Event Viewer. - 3. Under **Actions**, select **Import custom view...**. - 4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views.md). - 5. Select **OK**. You can create a custom view that filters events to only show the following events, all of which are related to controlled folder access: @@ -147,7 +146,7 @@ The "engine version" listed for attack surface reduction events in the event log The following table and subsections describe each of the 15 attack surface reduction rules. The attack surface reduction rules are listed in alphabetical order, by rule name. -If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Configuration Manager or Microsoft Intune, you do not need the GUIDs. +If you are configuring attack surface reduction rules by using Group Policy or PowerShell, you'll need the GUIDs. On the other hand, if you use Microsoft Endpoint Manager or Microsoft Intune, you do not need the GUIDs. | Rule name | GUID | File & folder exclusions | Minimum OS supported | @@ -235,14 +234,20 @@ This rule was introduced in: - [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) - [Windows Server, version 1809](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1809) - [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19) -- [Microsoft Endpoint Configuration Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) +- [Microsoft Endpoint Manager CB 1710](https://docs.microsoft.com/configmgr/core/servers/manage/updates) Intune name: `Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions)` -Microsoft Endpoint Configuration Manager name: `Block executable content from email client and webmail` +Microsoft Endpoint Manager name: `Block executable content from email client and webmail` GUID: `BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550` +> [!NOTE] +> The rule **Block executable content from email client and webmail** has the following alternative descriptions, depending on which application you use: +> - Intune (Configuration Profiles): Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions). +> - Endpoint Manager: Block executable content download from email and webmail clients. +> - Group Policy: Block executable content from email client and webmail. + ### Block executable files from running unless they meet a prevalence, age, or trusted list criterion This rule blocks the following file types from launching unless they meet prevalence or age criteria, or they're in a trusted list or an exclusion list: @@ -457,9 +462,6 @@ GUID: `c1db55ab-c21a-4637-bb3f-a12568109d35` ## See also - [Attack surface reduction FAQ](attack-surface-reduction-faq.md) - - [Enable attack surface reduction rules](enable-attack-surface-reduction.md) - - [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) - -- [Compatibility of Microsoft Defender with other antivirus/antimalware](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) +- [Compatibility of Microsoft Defender Antivirus with other antivirus/antimalware solutions](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md index b442dcb82a..3ebf7ef6a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md +++ b/windows/security/threat-protection/microsoft-defender-atp/audit-windows-defender.md @@ -3,7 +3,7 @@ title: Test how Microsoft Defender ATP features work in audit mode description: Audit mode lets you use the event log to see how Microsoft Defender ATP would protect your devices if it was enabled. keywords: exploit guard, audit, auditing, mode, enabled, disabled, test, demo, evaluate, lab search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Test how Microsoft Defender for Endpoint features work in audit mode diff --git a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md index 0a77813dd2..0fb359840a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/auto-investigation-action-center.md @@ -3,7 +3,7 @@ title: View details and results of automated investigations description: Use the action center to view details and results following an automated investigation keywords: action, center, autoir, automated, investigation, response, remediation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,11 +13,12 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.date: 09/24/2020 +ms.technology: mde --- # View details and results of automated investigations @@ -169,3 +170,6 @@ When you click on the pending actions link, you'll be taken to the Action center - [See the interactive guide: Investigate and remediate threats with Microsoft Defender for Endpoint](https://aka.ms/MDATP-IR-Interactive-Guide) +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index fea480df60..93e3809c2a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -4,8 +4,8 @@ description: Understand the automated investigation flow in Microsoft Defender f keywords: automated, investigation, detection, source, threat types, id, tags, devices, duration, filter export, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,8 +16,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.custom: AIR @@ -93,5 +93,6 @@ All remediation actions, whether pending or completed, can be viewed in the [Act ## See also - [PUA protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) - [Automated investigation and response in Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-air) - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir) diff --git a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md index 9fa9ebd762..e17539d14a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automation-levels.md @@ -4,8 +4,8 @@ description: Get an overview of automation levels and how they work in Microsoft keywords: automated, investigation, level, defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,8 +16,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs ms.custom: AIR diff --git a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md index fed2ad3911..9846c04523 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/basic-permissions.md @@ -4,7 +4,7 @@ description: Learn how to use basic permissions to access the Microsoft Defender keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use basic permissions to access the portal @@ -26,28 +27,30 @@ ms.topic: article - Azure Active Directory - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) -Refer to the instructions below to use basic permissions management. +Refer to the instructions below to use basic permissions management. You can use either of the following solutions: - Azure PowerShell -- Azure portal +- Azure portal For granular control over permissions, [switch to role-based access control](rbac.md). ## Assign user access using Azure PowerShell + You can assign users with one of the following levels of permissions: - Full access (Read and Write) - Read-only access ### Before you begin + - Install Azure PowerShell. For more information, see, [How to install and configure Azure PowerShell](https://azure.microsoft.com/documentation/articles/powershell-install-configure/). > [!NOTE] > You need to run the PowerShell cmdlets in an elevated command-line. -- Connect to your Azure Active Directory. For more information, see, [Connect-MsolService](https://msdn.microsoft.com/library/dn194123.aspx). +- Connect to your Azure Active Directory. For more information, see [Connect-MsolService](https://docs.microsoft.com/powershell/module/msonline/connect-msolservice?view=azureadps-1.0). **Full access** Users with full access can log in, view all system information and resolve alerts, submit files for deep analysis, and download the onboarding package. @@ -61,19 +64,23 @@ Assigning read-only access rights requires adding the users to the "Security Rea Use the following steps to assign security roles: - For **read and write** access, assign users to the security administrator role by using the following command: - ```text + + ```PowerShell Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress "secadmin@Contoso.onmicrosoft.com" ``` + - For **read-only** access, assign users to the security reader role by using the following command: - ```text + + ```PowerShell Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@Contoso.onmicrosoft.com" ``` -For more information, see, [Add, or remove group memberships](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). +For more information, see [Add or remove group members using Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to users with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic + - [Manage portal access using RBAC](rbac.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md index 05ec75c8d0..fb60ac8f53 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -8,16 +8,17 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Behavioral blocking and containment diff --git a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md index bbff2e68b9..d7e2bcdf23 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md @@ -4,7 +4,7 @@ description: Check the sensor health on devices to identify which ones are misco keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Check sensor health state in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md index ef5d153836..095899b2c9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/client-behavioral-blocking.md @@ -8,16 +8,17 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint +ms.technology: mde --- # Client behavioral blocking diff --git a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md index b3cb7a04fa..dea6142742 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md +++ b/windows/security/threat-protection/microsoft-defender-atp/collect-investigation-package.md @@ -3,7 +3,7 @@ title: Collect investigation package API description: Use this API to create calls related to the collecting an investigation package from a device. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,9 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article - +ms.technology: mde --- # Collect investigation package API @@ -81,9 +81,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage -Content-type: application/json +``` + +```json { "Comment": "Collect forensics due to alert 1234" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md index c43240cb86..c0c401ff5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/common-errors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/common-errors.md @@ -1,9 +1,9 @@ --- title: Common Microsoft Defender ATP API errors description: List of common Microsoft Defender ATP API errors with descriptions. -keywords: apis, mdatp api, errors, troubleshooting +keywords: apis, mdatp api, errors, troubleshooting search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Common REST API error codes diff --git a/windows/security/threat-protection/microsoft-defender-atp/community.md b/windows/security/threat-protection/microsoft-defender-atp/community.md index f68dcdeab3..d229d8aea0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/community.md +++ b/windows/security/threat-protection/microsoft-defender-atp/community.md @@ -4,7 +4,7 @@ description: Access the Microsoft Defender ATP Community Center to share experie keywords: community, community center, tech community, conversation, announcements search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 +ms.technology: mde --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md index a0ace30f14..96b9d372c8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/conditional-access.md @@ -4,7 +4,7 @@ description: Enable Conditional Access to prevent applications from running if a keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Enable Conditional Access to better protect users, devices, and data diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md index aca0be0b19..873f96e24e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-arcsight.md @@ -4,7 +4,7 @@ description: Configure Micro Focus ArcSight to receive and pull detections from keywords: configure Micro Focus ArcSight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Micro Focus ArcSight to pull Defender for Endpoint detections diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 736ab0b846..3db29d7045 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -4,7 +4,7 @@ description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Pow keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Configure attack surface reduction diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md index f8d91cd3e1..c7e2f8158e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-automated-investigations-remediation.md @@ -4,8 +4,8 @@ description: Set up your automated investigation and remediation capabilities in keywords: configure, setup, automated, investigation, detection, alerts, remediation, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,7 +14,7 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/24/2020 ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md index 206e5721b3..b6c75e30e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-conditional-access.md @@ -4,7 +4,7 @@ description: Learn about steps that you need to do in Intune, Microsoft Defender keywords: conditional access, conditional, access, device risk, risk level, integration, intune integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Conditional Access in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index f7ccfe871b..834863b741 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -4,7 +4,7 @@ description: You can use Microsoft Defender Advanced Threat Protection to config keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure alert notifications in Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index 5360517315..1aef8eda63 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -4,7 +4,7 @@ description: Use Group Policy to deploy the configuration package on Windows 10 keywords: configure devices using group policy, device management, configure Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, group policy search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Onboard Windows 10 devices using Group Policy diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 0a97fbf1e3..a4e70fd9b2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -4,7 +4,7 @@ description: Use Mobile Device Management tools to deploy the configuration pack keywords: onboard devices using mdm, device management, onboard Windows ATP devices, onboard Microsoft Defender Advanced Threat Protection devices, mdm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows 10 devices using Mobile Device Management tools diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md index ba65815551..460d048802 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows.md @@ -4,7 +4,7 @@ description: Configure non-Windows devices so that they can send sensor data to keywords: onboard non-Windows devices, macos, linux, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard non-Windows devices diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md index aa7a4c498f..32028e17ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm.md @@ -4,7 +4,7 @@ description: Use Configuration Manager to deploy the configuration package on de keywords: onboard devices using sccm, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 02/07/2020 +ms.technology: mde --- # Onboard Windows 10 devices using Configuration Manager @@ -26,7 +27,7 @@ ms.date: 02/07/2020 **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -- Microsoft Endpoint Configuration Manager current branch +- Microsoft Endpoint Manager current branch - System Center 2012 R2 Configuration Manager >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-configureendpointssccm-abovefoldlink) @@ -167,9 +168,9 @@ For security reasons, the package used to Offboard devices will expire 30 days a > [!NOTE] > Onboarding and offboarding policies must not be deployed on the same device at the same time, otherwise this will cause unpredictable collisions. -### Offboard devices using Microsoft Endpoint Configuration Manager current branch +### Offboard devices using Microsoft Endpoint Manager current branch -If you use Microsoft Endpoint Configuration Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). +If you use Microsoft Endpoint Manager current branch, see [Create an offboarding configuration file](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#create-an-offboarding-configuration-file). ### Offboard devices using System Center 2012 R2 Configuration Manager @@ -195,7 +196,7 @@ If you use Microsoft Endpoint Configuration Manager current branch, see [Create ## Monitor device configuration -If you're using Microsoft Endpoint Configuration Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). +If you're using Microsoft Endpoint Manager current branch, use the built-in Defender for Endpoint dashboard in the Configuration Manager console. For more information, see [Defender for Endpoint - Monitor](https://docs.microsoft.com/configmgr/protect/deploy-use/windows-defender-advanced-threat-protection#monitor). If you're using System Center 2012 R2 Configuration Manager, monitoring consists of two parts: diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md index acfdb668c7..4bfafb3193 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script.md @@ -4,7 +4,7 @@ description: Use a local script to deploy the configuration package on devices s keywords: configure devices using a local script, device management, configure Windows ATP devices, configure Microsoft Defender Advanced Threat Protection devices search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows 10 devices using a local script diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md index fc7c7e1d3c..7eb2606edf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi.md @@ -4,7 +4,7 @@ description: Deploy the configuration package on virtual desktop infrastructure keywords: configure virtual desktop infrastructure (VDI) device, vdi, device management, configure Windows ATP endpoints, configure Microsoft Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 04/16/2020 +ms.technology: mde --- # Onboard non-persistent virtual desktop infrastructure (VDI) devices diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md index 00ee7a17a2..7bf86ff101 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices so that they can send sensor data to the keywords: Onboard Windows 10 devices, group policy, endpoint configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Onboarding tools and methods for Windows 10 devices @@ -41,7 +42,7 @@ The following deployment tools and methods are supported: Topic | Description :---|:--- [Onboard Windows 10 devices using Group Policy](configure-endpoints-gp.md) | Use Group Policy to deploy the configuration package on devices. -[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. +[Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) | You can use either use Microsoft Endpoint Manager (current branch) version 1606 or Microsoft Endpoint Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. [Onboard Windows 10 devices using Mobile Device Management tools](configure-endpoints-mdm.md) | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device. [Onboard Windows 10 devices using a local script](configure-endpoints-script.md) | Learn how to use the local script to deploy the configuration package on endpoints. [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) | Learn how to use the configuration package to configure VDI devices. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md index 17e8cb3039..d42925b857 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md @@ -1,10 +1,10 @@ --- title: Optimize ASR rule deployment and detections -description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. +description: Optimize your attack surface reduction (ASR) rules to identify and prevent typical malware exploits. keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Optimize ASR rule deployment and detections diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index b207e1fb84..a755aece6d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -4,7 +4,7 @@ description: Track onboarding of Intune-managed devices to Microsoft Defender AT keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get devices onboarded to Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md index e110a3d518..fdb402917b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md @@ -4,7 +4,7 @@ description: The Microsoft Defender ATP security baseline sets Microsoft Defende keywords: Intune management, MDATP, WDATP, Microsoft Defender, advanced threat protection ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Increase compliance to the Microsoft Defender for Endpoint security baseline diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 9b830a3988..b48a92f312 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md @@ -4,7 +4,7 @@ description: Properly configure devices to boost overall resilience against thre keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Ensure your devices are configured properly diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md index 3ce240d781..f961d52e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-microsoft-threat-experts.md @@ -5,7 +5,7 @@ description: Register to Microsoft Threats Experts to configure, manage, and use keywords: Microsoft Threat Experts, managed threat hunting service, MTE, Microsoft managed hunting service search.product: Windows 10 search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Configure and manage Microsoft Threat Experts capabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md index e75588efda..bb8199f49c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-notifications.md @@ -1,10 +1,10 @@ --- -title: Configure alert notifications that are sent to MSSPs +title: Configure alert notifications that are sent to MSSPs description: Configure alert notifications that are sent to MSSPs keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure alert notifications that are sent to MSSPs diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index dde5d47ec5..f6521931c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -1,10 +1,10 @@ --- title: Configure managed security service provider support -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP +description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure managed security service provider integration diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 48fd0bee7d..712d30276f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -4,7 +4,7 @@ description: Configure the Microsoft Defender ATP proxy and internet settings to keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Configure device proxy and Internet connectivity settings diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index 6c6a1ea7cc..060c2d575a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -4,7 +4,7 @@ description: Onboard Windows servers so that they can send sensor data to the Mi keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, device management, configure Windows ATP servers, onboard Microsoft Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard Windows servers to the Microsoft Defender for Endpoint service @@ -41,6 +42,7 @@ For a practical guidance on what needs to be in place for licensing and infrastr For guidance on how to download and use Windows Security Baselines for Windows servers, see [Windows Security Baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines). + ## Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows Server 2016 @@ -48,20 +50,20 @@ You can onboard Windows Server 2008 R2 SP1, Windows Server 2012 R2, and Windows - **Option 1**: [Onboard by installing and configuring Microsoft Monitoring Agent (MMA)](#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma) - **Option 2**: [Onboard through Azure Security Center](#option-2-onboard-windows-servers-through-azure-security-center) -- **Option 3**: [Onboard through Microsoft Endpoint Configuration Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-configuration-manager-version-2002-and-later) +- **Option 3**: [Onboard through Microsoft Endpoint Manager version 2002 and later](#option-3-onboard-windows-servers-through-microsoft-endpoint-manager-version-2002-and-later) After completing the onboarding steps using any of the provided options, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). > [!NOTE] -> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Defender Security Center (Option 1), or an Azure Security Center Standard license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). +> Defender for Endpoint standalone server license is required, per node, in order to onboard a Windows server through Microsoft Monitoring Agent (Option 1), or through Microsoft Endpoint Manager (Option 3). Alternatively, an Azure Defender for Servers license is required, per node, in order to onboard a Windows server through Azure Security Center (Option 2), see [Supported features available in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-services). ### Option 1: Onboard by installing and configuring Microsoft Monitoring Agent (MMA) You'll need to install and configure MMA for Windows servers to report sensor data to Defender for Endpoint. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). -If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. +If you're already using System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), attach the Microsoft Monitoring Agent (MMA) to report to your Defender for Endpoint workspace through Multihoming support. In general, you'll need to take the following steps: 1. Fulfill the onboarding requirements outlined in **Before you begin** section. @@ -97,10 +99,13 @@ Perform the following steps to fulfill the onboarding requirements: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key obtained in the previous procedure, choose any of the following installation methods to install the agent on the Windows server: - - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup) + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard). On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). +> [!NOTE] +> If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. @@ -133,12 +138,14 @@ After completing the onboarding steps, you'll need to [Configure and update Syst > - Once configured, the appropriate cloud management pack is deployed on the machine and the sensor process (MsSenseS.exe) will be deployed and started. > - This is also required if the server is configured to use an OMS Gateway server as proxy. -### Option 3: Onboard Windows servers through Microsoft Endpoint Configuration Manager version 2002 and later -You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Configuration Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint - in Microsoft Endpoint Configuration Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). +### Option 3: Onboard Windows servers through Microsoft Endpoint Manager version 2002 and later +You can onboard Windows Server 2012 R2 and Windows Server 2016 by using Microsoft Endpoint Manager version 2002 and later. For more information, see [Microsoft Defender for Endpoint + in Microsoft Endpoint Manager current branch](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/defender-advanced-threat-protection). After completing the onboarding steps, you'll need to [Configure and update System Center Endpoint Protection clients](#configure-and-update-system-center-endpoint-protection-clients). + + ## Windows Server (SAC) version 1803, Windows Server 2019, and Windows Server 2019 Core edition You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windows Server 2019 Core edition by using the following deployment methods: @@ -149,7 +156,7 @@ You can onboard Windows Server (SAC) version 1803, Windows Server 2019, or Windo - [VDI onboarding scripts for non-persistent devices](configure-endpoints-vdi.md) > [!NOTE] -> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Configuration Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). +> - The Onboarding package for Windows Server 2019 through Microsoft Endpoint Manager currently ships a script. For more information on how to deploy scripts in Configuration Manager, see [Packages and programs in Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/packages-and-programs). > - A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. Support for Windows Server provides deeper insight into server activities, coverage for kernel and memory attack detection, and enables response actions. @@ -178,12 +185,14 @@ Support for Windows Server provides deeper insight into server activities, cover ```sc.exe query Windefend``` - If the result is 'The specified service does not exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). + If the result is 'The specified service doesn't exist as an installed service', then you'll need to install Microsoft Defender AV. For more information, see [Microsoft Defender Antivirus in Windows 10](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10). For information on how to use Group Policy to configure and manage Microsoft Defender Antivirus on your Windows servers, see [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus). + + ## Integration with Azure Security Center -Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can leverage the power of Defender for Endpoint to provide improved threat detection for Windows Servers. +Defender for Endpoint can integrate with Azure Security Center to provide a comprehensive Windows server protection solution. With this integration, Azure Security Center can use the power of Defender for Endpoint to provide improved threat detection for Windows Servers. The following capabilities are included in this integration: - Automated onboarding - Defender for Endpoint sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). @@ -201,6 +210,7 @@ Data collected by Defender for Endpoint is stored in the geo-location of the ten > - Once configured, you cannot change the location where your data is stored. If you need to move your data to another location, you need to contact Microsoft Support to reset the tenant. Server endpoint monitoring utilizing this integration has been disabled for Office 365 GCC customers. + ## Configure and update System Center Endpoint Protection clients @@ -211,7 +221,7 @@ The following steps are required to enable this integration: - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting. - + ## Offboard Windows servers You can offboard Windows Server (SAC), Windows Server 2019, and Windows Server 2019 Core edition in the same method available for Windows 10 client devices. @@ -263,6 +273,9 @@ To offboard the Windows server, you can use either of the following methods: $AgentCfg.ReloadConfiguration() ``` + + + ## Related topics - [Onboard Windows 10 devices](configure-endpoints.md) - [Onboard non-Windows devices](configure-endpoints-non-windows.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md index 62e2e5f5b1..570ac8e0e5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-siem.md @@ -4,7 +4,7 @@ description: Learn how to use REST API and configure supported security informat keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Pull detections to your SIEM tools diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md new file mode 100644 index 0000000000..5c24aa1ae7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-vulnerability-email-notifications.md @@ -0,0 +1,93 @@ +--- +title: Configure vulnerability email notifications in Microsoft Defender for Endpoint +description: Use Microsoft Defender for Endpoint to configure email notification settings for vulnerability events. +keywords: email notifications, configure alert notifications, microsoft defender atp notifications, microsoft defender atp alerts, windows 10 enterprise, windows 10 education +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: ellevin +author: levinec +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Configure vulnerability email notifications in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to:** +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +>Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) + +Configure Microsoft Defender for Endpoint to send email notifications to specified recipients for new vulnerability events. This feature enables you to identify a group of individuals who will immediately be informed and can act on the notifications based on the event. The vulnerability information comes from Defender for Endpoint's [threat and vulnerability management](next-gen-threat-and-vuln-mgt.md) capability. + +> [!NOTE] +> Only users with 'Manage security settings' permissions can configure email notifications. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. [Learn more about permission options](user-roles.md) + +The notification rules allow you to set the vulnerability events that trigger notifications, and add or remove email notification recipients. New recipients get notified about vulnerabilities after they are added. + +If you're using role-based access control (RBAC), recipients will only receive notifications based on the device groups that were configured in the notification rule. +Users with the proper permission can only create, edit, or delete notifications that are limited to their device group management scope. Only users assigned to the Global administrator role can manage notification rules that are configured for all device groups. + +The email notification includes basic information about the vulnerability event. There are also links to filtered views in the threat and vulnerability management [Security recommendations](tvm-security-recommendation.md) and [Weaknesses](tvm-weaknesses.md) pages in the portal so you can further investigate. For example, you could get a list of all exposed devices or get additional details about the vulnerability. + +## Create rules for alert notifications + +Create a notification rule to send an email when there are certain exploit or vulnerability events, such as a new public exploit. For each rule, multiple event types can be selected. + +1. In the navigation pane, go to **Settings** > **Email notifications** > **Vulnerabilities**. + +2. Select **Add notification rule**. + +3. Name the email notification rule and include a description. + +4. Check **Notification enabled** to activate the notification. Select **Next** + +5. Fill in the notification settings. Then select **Next** + + - Choose device groups to get notifications for. + - Choose the vulnerability event(s) that you want to be notified about when they affect your organization. + - Options: new vulnerability found (including severity threshold), new public exploit, exploit added to an exploit kit, exploit was verified. + - Include organization name if you want the organization name in the email + +6. Enter the recipient email address then select **Add**. You can add multiple email addresses. + +7. Review the settings for the new email notification rule and select **Create rule** when you're ready to create it. + +## Edit a notification rule + +1. Select the notification rule you'd like to edit. + +2. Select the **Edit rule** button next to the pencil icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Delete notification rule + +1. Select the notification rule you'd like to delete. + +2. Select the **Delete** button next to the trash can icon in the flyout. Make sure you have permission to edit or delete the rule. + +## Troubleshoot email notifications for alerts + +This section lists various issues that you may encounter when using email notifications for alerts. + +**Problem:** Intended recipients report they are not getting the notifications. + +**Solution:** Make sure that the notifications are not blocked by email filters: + +1. Check that the Defender for Endpoint email notifications are not sent to the Junk Email folder. Mark them as Not junk. +2. Check that your email security product is not blocking the email notifications from Defender for Endpoint. +3. Check your email application rules that might be catching and moving your Defender for Endpoint email notifications. + +## Related topics + +- [Threat and vulnerability management overview](next-gen-threat-and-vuln-mgt.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Weaknesses](tvm-weaknesses.md) +- [Event timeline](threat-and-vuln-mgt-event-timeline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 99a86d51e7..77a5862d83 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -1,11 +1,11 @@ --- -title: Connected applications in Microsoft Defender ATP +title: Connected applications in Microsoft Defender ATP ms.reviewer: description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Connected applications in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md index a3ea45d493..d82a536e7c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support-usgov.md @@ -4,7 +4,7 @@ description: Learn how to contact Microsoft Defender for Endpoint support for US keywords: support, contact, premier support, solutions, problems, case, government, gcc, gcc-m, gcc-h, defender, endpoint, mdatp, mde search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ROBOTS: noindex,nofollow +ms.technology: mde --- # Contact Microsoft Defender for Endpoint support for US Government customers diff --git a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md index b8af068443..4082593706 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/contact-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/contact-support.md @@ -4,7 +4,7 @@ description: Learn how to contact Microsoft Defender ATP support keywords: support, contact, premier support, solutions, problems, case search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Contact Microsoft Defender for Endpoint support diff --git a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md index c8e81166ac..7ded77ec21 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/controlled-folders.md @@ -1,9 +1,9 @@ --- -title: Prevent ransomware and threats from encrypting and changing files +title: Protect important folders from ransomware from encrypting your files with controlled folder access description: Files in default folders can be protected from being changed by malicious apps. Prevent ransomware from encrypting your files. keywords: controlled folder access, windows 10, windows defender, ransomware, protect, files, folders search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,10 +11,11 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb audience: ITPro -ms.date: 12/17/2020 +ms.date: 02/03/2021 ms.reviewer: v-maave manager: dansimp ms.custom: asr +ms.technology: mde --- # Protect important folders with controlled folder access @@ -34,6 +35,9 @@ Controlled folder access helps protect your valuable data from malicious apps an Controlled folder access works best with [Microsoft Defender for Endpoint](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../microsoft-defender-atp/investigate-alerts.md). +> [!TIP] +> Controlled folder access blocks don't generate alerts in the [Alerts queue](../microsoft-defender-atp/alerts-queue.md). However, you can view information about controlled folder access blocks in the [device timeline view](../microsoft-defender-atp/investigate-machines.md), while using [advanced hunting](../microsoft-defender-atp/advanced-hunting-overview.md), or with [custom detection rules](../microsoft-defender-atp/custom-detection-rules.md). + ## How does controlled folder access work? Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders. @@ -42,7 +46,7 @@ Controlled folder access works with a list of trusted apps. If an app is include Apps are added to the list based upon their prevalence and reputation. Apps that are highly prevalent throughout your organization and that have never displayed any behavior deemed malicious are considered trustworthy. Those apps are added to the list automatically. -Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. +Apps can also be added manually to the trusted list by using Configuration Manager or Intune. Additional actions, such as [adding a file indicator](../microsoft-defender-atp/respond-file-alerts.md#add-indicator-to-block-or-allow-a-file) for an app, can be performed from the Security Center Console. ## Why controlled folder access is important @@ -117,17 +121,11 @@ The following table shows events related to controlled folder access: You can use the Windows Security app to view the list of folders that are protected by controlled folder access. 1. On your Windows 10 device, open the Windows Security app. - 2. Select **Virus & threat protection**. - 3. Under **Ransomware protection**, select **Manage ransomware protection**. - 4. If controlled folder access is turned off, you'll need to turn it on. Select **protected folders**. - 5. Do one of the following steps: - - To add a folder, select **+ Add a protected folder**. - - To remove a folder, select it, and then select **Remove**. > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index eefccc5624..91a38d3f42 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md @@ -3,7 +3,7 @@ title: Create alert from event API description: Learn how to use the Create alert API to create a new Alert on top of Event in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create alert API @@ -95,9 +96,10 @@ If successful, this method returns 200 OK, and a new [alert](alerts.md) object i Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/alerts/CreateAlertByReference ``` + ```json { "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md index 17e23e40fc..6dd72d0e5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules.md @@ -5,7 +5,7 @@ description: Learn how to create custom detection rules based on advanced huntin keywords: custom detections, create, manage, alerts, edit, run on demand, frequency, interval, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 09/20/2020 +ms.technology: mde --- # Create custom detection rules diff --git a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md index ef5088e134..8089825d75 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/custom-detections-manage.md @@ -5,7 +5,7 @@ description: Learn how to view and manage custom detection rules keywords: custom detections, view, manage, alerts, edit, run on demand, detection rules, advanced hunting, hunt, query, response actions, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md index 81ede44b00..1da7a9ee99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Customize attack surface reduction rules description: Individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from attack surface reduction rules keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize attack surface reduction rules diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md index 629775a962..3d14a162c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-controlled-folders.md @@ -1,9 +1,9 @@ --- title: Customize controlled folder access -description: Add additional folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. +description: Add other folders that should be protected by controlled folder access, or allow apps that are incorrectly blocking changes to important files. keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, customize, add folder, add app, allow, add executable search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,7 +12,8 @@ author: denisebmsft ms.author: deniseb ms.reviewer: jcedola, dbodorin, vladiso, nixanm, anvascon manager: dansimp -ms.date: 12/16/2020 +ms.date: 01/06/2021 +ms.technology: mde --- # Customize controlled folder access @@ -38,7 +39,7 @@ This article describes how to customize controlled folder access capabilities, a ## Protect additional folders -Controlled folder access applies to a number of system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. +Controlled folder access applies to many system folders and default locations, including folders such as **Documents**, **Pictures**, and **Movies**. You can add additional folders to be protected, but you cannot remove the default folders in the default list. Adding other folders to controlled folder access can be helpful for cases when you don't store files in the default Windows libraries, or you've changed the default location of your libraries. @@ -72,7 +73,7 @@ You can use the Windows Security app, Group Policy, PowerShell cmdlets, or mobil ### Use PowerShell to protect additional folders -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: @@ -125,7 +126,7 @@ An allowed application or service only has write access to a controlled folder a ### Use PowerShell to allow specific apps -1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** +1. Type **PowerShell** in the Start menu, right-click **Windows PowerShell** and select **Run as administrator** 2. Enter the following cmdlet: ```PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md index 964158b256..fb5a2ad59a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/customize-exploit-protection.md @@ -3,15 +3,16 @@ title: Customize exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr description: You can enable or disable specific mitigations used by exploit protection using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.reviewer: +ms.reviewer: manager: dansimp +ms.technology: mde --- # Customize exploit protection @@ -48,27 +49,27 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r | Mitigation | Description | Can be applied to | Audit mode available | | ---------- | ----------- | ----------------- | -------------------- | -| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](../images/svg/check-no.svg)] | -| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Don't allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | -| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](../images/svg/check-no.svg)] | -| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](../images/svg/check-yes.svg)] | +| Control flow guard (CFG) | Ensures control flow integrity for indirect calls. Can optionally suppress exports and use strict CFG. | System and app-level |  | +| Data Execution Prevention (DEP) | Prevents code from being run from data-only memory pages such as the heap and stacks. Only configurable for 32-bit (x86) apps, permanently enabled for all other architectures. Can optionally enable ATL thunk emulation. | System and app-level |  | +| Force randomization for images (Mandatory ASLR) | Forcibly relocates images not compiled with /DYNAMICBASE. Can optionally fail loading images that don't have relocation information. | System and app-level |  | +| Randomize memory allocations (Bottom-Up ASLR) | Randomizes locations for virtual memory allocations. It includes system structure heaps, stacks, TEBs, and PEBs. Can optionally use a wider randomization variance for 64-bit processes. | System and app-level |  | +| Validate exception chains (SEHOP) | Ensures the integrity of an exception chain during exception dispatch. Only configurable for 32-bit (x86) applications. | System and app-level |  | +| Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level |  | +| Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only |  | +| Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | | +| Block remote images | Prevents loading of images from remote devices. | App-level only |  | +| Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only |  | +| Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only |  | +| Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only |  | +| Don't allow child processes | Prevents an app from creating child processes. | App-level only |  | +| Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only |  | +| Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only |  | +| Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only |  | +| Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only |  | +| Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only |  | +| Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only |  | +| Validate stack integrity (StackPivot) | Ensures that the stack hasn't been redirected for sensitive APIs. Not compatible with ACG | App-level only |  | > [!IMPORTANT] > If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -76,10 +77,10 @@ For the associated PowerShell cmdlets for each mitigation, see the [PowerShell r > > | Enabled in **Program settings** | Enabled in **System settings** | Behavior | > | ------------------------------- | ------------------------------ | -------- | -> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | -> | [!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | -> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | -> | [!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | +> |  |  | As defined in **Program settings** | +> |  |  | As defined in **Program settings** | +> |  |  | As defined in **System settings** | +> |  |  | Default as defined in **Use default** option | > > > diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 7932cfb153..dbf2b89d69 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -1,10 +1,10 @@ --- -title: Verify data storage location and update data retention settings +title: Verify data storage location and update data retention settings description: Verify data storage location and update data retention settings for Microsoft Defender Advanced Threat Protection keywords: data, storage, settings, retention, update search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Verify data storage location and update data retention settings for Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md index 953b74c139..ec1ee3cba5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender ATP data storage and privacy -description: Learn about how Microsoft Defender ATP handles privacy and data that it collects. -keywords: Microsoft Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data +title: Microsoft Defender for Endpoint data storage and privacy +description: Learn about how Microsoft Defender for Endpoint handles privacy and data that it collects. +keywords: Microsoft Defender for Endpoint, Microsoft Defender ATP, data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint data storage and privacy @@ -84,7 +85,7 @@ No. Customer data is isolated from other customers and is not shared. However, i ## How long will Microsoft store my data? What is Microsoft’s data retention policy? **At service onboarding** -You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. +You can choose the data retention policy for your data. This determines how long Window Defender for Endpoint will store your data. There’s a flexibility of choosing in the range of one month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration** Your data will be kept and will be available to you while the license is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md index f84762a3a0..a26df70136 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-compatibility.md @@ -1,10 +1,10 @@ --- title: Microsoft Defender Antivirus compatibility with Microsoft Defender ATP -description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. +description: Learn about how Windows Defender works with Microsoft Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/24/2018 +ms.technology: mde --- # Microsoft Defender Antivirus compatibility with Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md new file mode 100644 index 0000000000..6a64647a0c --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives.md @@ -0,0 +1,364 @@ +--- +title: Address false positives/negatives in Microsoft Defender for Endpoint +description: Learn how to handle false positives or false negatives in Microsoft Defender for Endpoint. +keywords: alert, exclusion, defender atp, false positive, false negative +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: m365-security +ms.technology: mde +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.date: 01/27/2021 +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- m365-security-compliance +- m365initiative-defender-endpoint +ms.topic: conceptual +ms.reviewer: ramarom, evaldm, isco, mabraitm, chriggs, yonghree, jcedola +ms.custom: FPFN +--- + +# Address false positives/negatives in Microsoft Defender for Endpoint + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + +**Applies to** + +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146806) + +In endpoint protection solutions, a false positive is an entity, such as a file or a process, that was detected and identified as malicious, even though the entity isn't actually a threat. A false negative is an entity that was not detected as a threat, even though it actually is malicious. False positives/negatives can occur with any threat protection solution, including [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). + + + +Fortunately, steps can be taken to address and reduce these kinds of issues. If you're seeing false positives/negatives in your [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use), your security operations can take steps to address them by using the following process: + +1. [Review and classify alerts](#part-1-review-and-classify-alerts) +2. [Review remediation actions that were taken](#part-2-review-remediation-actions) +3. [Review and define exclusions](#part-3-review-or-define-exclusions) +4. [Submit an entity for analysis](#part-4-submit-a-file-for-analysis) +5. [Review and adjust your threat protection settings](#part-5-review-and-adjust-your-threat-protection-settings) + +And, you can [get help if you still have issues with false positives/negatives](#still-need-help) after performing the tasks described in this article. + + + +> [!NOTE] +> This article is intended as guidance for security operators and security administrators who are using [Microsoft Defender for Endpoint](microsoft-defender-advanced-threat-protection.md). + +## Part 1: Review and classify alerts + +If you see an [alert](alerts.md) that was triggered because something was detected as malicious or suspicious that should not have been, you can suppress the alert for that entity. You can also suppress alerts that are not necessarily false positives, but are unimportant. We recommend that you classify alerts as well. + +Managing your alerts and classifying true/false positives helps to train your threat protection solution and can reduce the number of false positives or false negatives over time. Taking these steps also helps reduce noise in your security operations dashboard so that your security team can focus on higher priority work items. + +### Determine whether an alert is accurate + +Before you classify or suppress an alert, determine whether the alert is accurate, a false positive, or benign. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, choose **Alerts queue**. +3. Select an alert to more details about the alert. (See [Review alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts).) +4. Depending on the alert status, take the steps described in the following table: + +| Alert status | What to do | +|:---|:---| +| The alert is accurate | Assign the alert, and then [investigate it](investigate-alerts.md) further. | +| The alert is a false positive | 1. [Classify the alert](#classify-an-alert) as a false positive. 2. [Suppress the alert](#suppress-an-alert). 3. [Create an indicator](#indicators-for-microsoft-defender-for-endpoint) for Microsoft Defender for Endpoint. 4. [Submit a file to Microsoft for analysis](#part-4-submit-a-file-for-analysis). | +| The alert is accurate, but benign (unimportant) | [Classify the alert](#classify-an-alert) as a true positive, and then [suppress the alert](#suppress-an-alert). | + +### Classify an alert + +Alerts can be classified as false positives or true positives in the Microsoft Defender Security Center. Classifying alerts helps train Microsoft Defender for Endpoint so that, over time, you'll see more true alerts and fewer false alerts. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. Select **Alerts queue**, and then select an alert. +3. For the selected alert, select **Actions** > **Manage alert**. A flyout pane opens. +4. In the **Manage alert** section, select either **True alert** or **False alert**. (Use **False alert** to classify a false positive.) + +> [!TIP] +> For more information about suppressing alerts, see [Manage Microsoft Defender for Endpoint alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts). And, if your organization is using a security information and event management (SIEM) server, make sure to define a suppression rule there, too. + +### Suppress an alert + +If you have alerts that are either false positives or that are true positives but for unimportant events, you can suppress those alerts in the Microsoft Defender Security Center. Suppressing alerts helps reduce noise in your security operations dashboard. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. +2. In the navigation pane, select **Alerts queue**. +3. Select an alert that you want to suppress to open its **Details** pane. +4. In the **Details** pane, choose the ellipsis (**...**), and then **Create a suppression rule**. +5. Specify all the settings for your suppression rule, and then choose **Save**. + +> [!TIP] +> Need help with suppression rules? See [Suppress an alert and create a new suppression rule](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-alerts#suppress-an-alert-and-create-a-new-suppression-rule). + +## Part 2: Review remediation actions + +[Remediation actions](manage-auto-investigation.md#remediation-actions), such as sending a file to quarantine or stopping a process, are taken on entities (such as files) that are detected as threats. Several types of remediation actions occur automatically through automated investigation and Microsoft Defender Antivirus: +- Quarantine a file +- Remove a registry key +- Kill a process +- Stop a service +- Disable a driver +- Remove a scheduled task + +Other actions, such as starting an antivirus scan or collecting an investigation package, occur manually or through [Live Response](live-response.md). Actions taken through Live Response cannot be undone. + +After you have reviewed your alerts, your next step is to [review remediation actions](manage-auto-investigation.md). If any actions were taken as a result of false positives, you can undo most kinds of remediation actions. Specifically, you can: +- [Undo one action at a time](#undo-an-action); +- [Undo multiple actions at one time](#undo-multiple-actions-at-one-time); and +- [Remove a file from quarantine across multiple devices](#remove-a-file-from-quarantine-across-multiple-devices). + +When you're done reviewing and undoing actions that were taken as a result of false positives, proceed to [review or define exclusions](#part-3-review-or-define-exclusions). + +### Review completed actions + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. Select the **History** tab to view a list of actions that were taken. +3. Select an item to view more details about the remediation action that was taken. + +### Undo an action + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select an action that you want to undo. +3. In the flyout pane, select **Undo**. If the action cannot be undone with this method, you will not see an **Undo** button. (To learn more, see [Undo completed actions](manage-auto-investigation.md#undo-completed-actions).) + +### Undo multiple actions at one time + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select the actions that you want to undo. +3. In the pane on the right side of the screen, select **Undo**. + +### Remove a file from quarantine across multiple devices + + + +1. Go to the Action center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)) and sign in. +2. On the **History** tab, select a file that has the Action type **Quarantine file**. +3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. + +## Part 3: Review or define exclusions + +An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won’t be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint. + +To define exclusions across Microsoft Defender for Endpoint, perform the following tasks: +- [Define exclusions for Microsoft Defender Antivirus](#exclusions-for-microsoft-defender-antivirus) +- [Create “allow” indicators for Microsoft Defender for Endpoint](#indicators-for-microsoft-defender-for-endpoint) + +> [!NOTE] +> Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and [custom indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) for Microsoft Defender for Endpoint. + +The procedures in this section describe how to define exclusions and indicators. + +### Exclusions for Microsoft Defender Antivirus + +In general, you should not need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) to define or edit your antivirus exclusions; however, you can use other methods, such as [Group Policy](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy) (see [Manage Microsoft Defender for Endpoint](manage-atp-post-migration.md)). + +> [!TIP] +> Need help with antivirus exclusions? See [Configure and validate exclusions for Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus). + +#### Use Microsoft Endpoint Manager to manage antivirus exclusions (for existing policies) + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus**, and then select an existing policy. (If you don’t have an existing policy, or you want to create a new policy, skip to [the next procedure](#use-microsoft-endpoint-manager-to-create-a-new-antivirus-policy-with-exclusions)). +3. Choose **Properties**, and next to **Configuration settings**, choose **Edit**. +4. Expand **Microsoft Defender Antivirus Exclusions** and then specify your exclusions. +5. Choose **Review + save**, and then choose **Save**. + +#### Use Microsoft Endpoint Manager to create a new antivirus policy with exclusions + +1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and sign in. +2. Choose **Endpoint security** > **Antivirus** > **+ Create Policy**. +3. Select a platform (such as **Windows 10 and later**, **macOS**, or **Windows 10 and Windows Server**). +4. For **Profile**, select **Microsoft Defender Antivirus exclusions**, and then choose **Create**. +5. Specify a name and description for the profile, and then choose **Next**. +6. On the **Configuration settings** tab, specify your antivirus exclusions, and then choose **Next**. +7. On the **Scope tags** tab, if you are using scope tags in your organization, specify scope tags for the policy you are creating. (See [Scope tags](https://docs.microsoft.com/mem/intune/fundamentals/scope-tags).) +8. On the **Assignments** tab, specify the users and groups to whom your policy should be applied, and then choose **Next**. (If you need help with assignments, see [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/configuration/device-profile-assign).) +9. On the **Review + create** tab, review the settings, and then choose **Create**. + +### Indicators for Microsoft Defender for Endpoint + +[Indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs. + +To specify entities as exclusions for Microsoft Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators in Microsoft Defender for Endpoint apply to [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10), [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response), and [automated investigation & remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). + +"Allow" indicators can be created for: + +- [Files](#indicators-for-files) +- [IP addresses, URLs, and domains](#indicators-for-ip-addresses-urls-or-domains) +- [Application certificates](#indicators-for-application-certificates) + + + +#### Indicators for files + +When you [create an "allow" indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file), it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as `.exe` and `.dll` files. + +Before you create indicators for files, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) + +#### Indicators for IP addresses, URLs, or domains + +When you [create an "allow" indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain), it helps prevent the sites or IP addresses your organization uses from being blocked. + +Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met: +- Network protection in Defender for Endpoint is enabled in block mode (see [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection)) +- Antimalware client version is 4.18.1906.x or later +- Devices are running Windows 10, version 1709, or later + +Custom network indicators are turned on in the Microsoft Defender Security Center (see [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features)) + +#### Indicators for application certificates + +When you [create an "allow" indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates), it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. `.CER` or `.PEM` file extensions are supported. + +Before you create indicators for application certificates, make sure the following requirements are met: +- Microsoft Defender Antivirus is configured with cloud-based protection enabled (see [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus)) +- Antimalware client version is 4.18.1901.x or later +- Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019 +- Virus and threat protection definitions are up to date + +> [!TIP] +> When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md). + +## Part 4: Submit a file for analysis + +You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Microsoft Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions. + +### Submit a file for analysis + +If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis. + +1. Review the guidelines here: [Submit files for analysis](https://docs.microsoft.com/windows/security/threat-protection/intelligence/submission-guide). +2. Visit the Microsoft Security Intelligence submission site ([https://www.microsoft.com/wdsi/filesubmission](https://www.microsoft.com/wdsi/filesubmission)), and submit your file(s). + +### Submit a fileless detection for analysis + +If something was detected as malware based on behavior, and you don’t have a file, you can submit your `Mpsupport.cab` file for analysis. You can get the *.cab* file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10. + +1. Go to ` C:\ProgramData\Microsoft\Windows Defender\Platform\ - Windows 10 (all releases) - Windows Server 2016 or later | +|Operating system |One of the following versions: - Windows 10 (all releases) - Windows Server, version 1803 or newer - Windows Server 2019 | |Windows E5 enrollment |Windows E5 is included in the following subscriptions: - Microsoft 365 E5 - Microsoft 365 E3 together with the Identity & Threat Protection offering See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide&preserve-view=true#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | -|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | +|Microsoft Defender Antivirus |Microsoft Defender Antivirus must be installed and running in either active mode or passive mode. (You can use Microsoft Defender Antivirus alongside a non-Microsoft antivirus solution.) [Confirm Microsoft Defender Antivirus is in active or passive mode](#how-do-i-confirm-microsoft-defender-antivirus-is-in-active-or-passive-mode). | +|Cloud-delivered protection |Make sure Microsoft Defender Antivirus is configured such that [cloud-delivered protection is enabled](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus). | +|Microsoft Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Microsoft Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | > [!IMPORTANT] -> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your exclusions are defined. - +> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features, and that your [exclusions are configured](../microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md). EDR in block mode respects exclusions that are defined for Microsoft Defender Antivirus. ## Frequently asked questions ### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices? -We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. +We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode provides another layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections. ### Will EDR in block mode have any impact on a user's antivirus protection? -EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. +EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), except it also blocks and remediates malicious artifacts or behaviors that are detected. ### Why do I need to keep Microsoft Defender Antivirus up to date? -Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest device learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Microsoft Defender Antivirus up to date. +Because Microsoft Defender Antivirus detects and remediates malicious items, it's important to keep it up to date. For EDR in block mode to be effective, it uses the latest device learning models, behavioral detections, and heuristics. The [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner. To get best protection value, you should keep Microsoft Defender Antivirus up to date. ### Why do we need cloud protection on? Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and device learning models. +### How do I set Microsoft Defender Antivirus to passive mode? + +See [Enable Microsoft Defender Antivirus and confirm it's in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). + +### How do I confirm Microsoft Defender Antivirus is in active or passive mode? + +To confirm whether Microsoft Defender Antivirus is running in active or passive mode, you can use Command Prompt or PowerShell on a device running Windows. + +#### Use PowerShell + +1. Select the Start menu, begin typing `PowerShell`, and then open Windows PowerShell in the results. + +2. Type `Get-MpComputerStatus`. + +3. In the list of results, in the **AMRunningMode** row, look for one of the following values: + - `Normal` + - `Passive Mode` + - `SxS Passive Mode` + +To learn more, see [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus). + +#### Use Command Prompt + +1. Select the Start menu, begin typing `Command Prompt`, and then open Windows Command Prompt in the results. + +2. Type `sc query windefend`. + +3. In the list of results, in the **STATE** row, confirm that the service is running. + ## See also - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 603f751bdd..c34737f912 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Enable attack surface reduction rules description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Enable attack surface reduction rules @@ -45,7 +46,7 @@ You can enable attack surface reduction rules by using any of these methods: - [Group Policy](#group-policy) - [PowerShell](#powershell) -Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. +Enterprise-level management such as Intune or Microsoft Endpoint Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup. ## Exclude files and folders from ASR rules @@ -98,7 +99,7 @@ Example: `OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions` -`Value: c:\path|e:\path|c:\Whitelisted.exe` +`Value: c:\path|e:\path|c:\Exclusions.exe` > [!NOTE] > Be sure to enter OMA-URI values without spaces. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md index 8af897f9a0..a8bc3ae850 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-controlled-folders.md @@ -3,7 +3,7 @@ title: Enable controlled folder access keywords: Controlled folder access, windows 10, windows defender, ransomware, protect, files, folders, enable, turn on, use description: Learn how to protect your important files by enabling Controlled folder access search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Enable controlled folder access diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md index 7b1c044a64..84b77ed1ea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-exploit-protection.md @@ -3,7 +3,7 @@ title: Turn on exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability description: Learn how to enable exploit protection in Windows 10. Exploit protection helps protect your device against malware. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: denisebmsft ms.author: deniseb ms.reviewer: ksarens manager: dansimp +ms.technology: mde --- # Enable exploit protection @@ -30,14 +31,13 @@ manager: dansimp Many features from the Enhanced Mitigation Experience Toolkit (EMET) are included in exploit protection. -You can enable each mitigation separately by using any of these methods: - -* [Windows Security app](#windows-security-app) -* [Microsoft Intune](#intune) -* [Mobile Device Management (MDM)](#mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) -* [Group Policy](#group-policy) -* [PowerShell](#powershell) +You can enable each mitigation separately by using any of these methods: +- [Windows Security app](#windows-security-app) +- [Microsoft Intune](#intune) +- [Mobile Device Management (MDM)](#mdm) +- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +- [Group Policy](#group-policy) +- [PowerShell](#powershell) Exploit protection is configured by default in Windows 10. You can set each mitigation to on, off, or to its default value. Some mitigations have additional options. @@ -47,41 +47,41 @@ You can also set mitigations to [audit mode](evaluate-exploit-protection.md). Au ## Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or by searching the start menu for **Security**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection settings**. 3. Go to **Program settings** and choose the app you want to apply mitigations to. - - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. + - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app. + - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You are notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat steps 3-4 for all the apps and mitigations you want to configure. -6. Under the **System settings** section, find the mitigation you want to configure and select one of the following. Apps that aren't configured individually in the **Program settings** section will use the settings configured here: +6. Under the **System settings** section, find the mitigation you want to configure and then specify one of the following settings. Apps that aren't configured individually in the **Program settings** section use the settings that are configured here. - **On by default**: The mitigation is *enabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Off by default**: The mitigation is *disabled* for apps that don't have this mitigation set in the app-specific **Program settings** section - **Use default**: The mitigation is either enabled or disabled, depending on the default configuration that is set up by Windows 10 installation; the default value (**On** or **Off**) is always specified next to the **Use default** label for each mitigation -7. Repeat step 6 for all the system-level mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +7. Repeat step 6 for all the system-level mitigations you want to configure. Select **Apply** when you're done setting up your configuration. If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: |Enabled in **Program settings** | Enabled in **System settings** | Behavior | |:---|:---|:---| -|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark no](../images/svg/check-no.svg)] | As defined in **Program settings** | -|[!include[Check mark yes](../images/svg/check-yes.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **Program settings** | -|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | As defined in **System settings** | -|[!include[Check mark no](../images/svg/check-no.svg)] | [!include[Check mark yes](../images/svg/check-yes.svg)] | Default as defined in **Use default** option | +| |  | As defined in **Program settings** | +| |  | As defined in **Program settings** | +| |  | As defined in **System settings** | +| |  | Default as defined in **Use default** option | ### Example 1: Mikael configures Data Execution Prevention in system settings section to be off by default Mikael adds the app *test.exe* to the **Program settings** section. In the options for that app, under **Data Execution Prevention (DEP)**, Mikael enables the **Override system settings** option and sets the switch to **On**. There are no other apps listed in the **Program settings** section. -The result will be that DEP only will be enabled for *test.exe*. All other apps will not have DEP applied. +The result is that DEP is enabled only for *test.exe*. All other apps will not have DEP applied. ### Example 2: Josie configures Data Execution Prevention in system settings to be off by default @@ -89,66 +89,84 @@ Josie adds the app *test.exe* to the **Program settings** section. In the option Josie also adds the app *miles.exe* to the **Program settings** section and configures **Control flow guard (CFG)** to **On**. Josie doesn't enable the **Override system settings** option for DEP or any other mitigations for that app. -The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. +The result is that DEP is enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. CFG will be enabled for *miles.exe*. -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply mitigations to. - - If the app you want to configure is already listed, click it and then click **Edit**. - - If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. + - If the app you want to configure is already listed, select it, and then select **Edit**. + - If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app. - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat steps 3-4 for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. -2. Click **Device configuration** > **Profiles** > **Create profile**. +2. Go to **Device configuration** > **Profiles** > **Create profile**. + +3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**.  -4. Click **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. +4. Select **Configure** > **Windows Defender Exploit Guard** > **Exploit protection**. -5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings:  +5. Upload an [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: -6. Click **OK** to save each open blade and click **Create**. +  -7. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. +6. Select **OK** to save each open blade, and then choose **Create**. + +7. Select the profile **Assignments** tab, assign the policy to **All Users & All Devices**, and then select **Save**. ## MDM Use the [./Vendor/MSFT/Policy/Config/ExploitGuard/ExploitProtectionSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) configuration service provider (CSP) to enable or disable exploit protection mitigations or to use audit mode. +## Microsoft Endpoint Manager + +1. In Microsoft Endpoint Manager, go to **Endpoint Security** > **Attack surface reduction**. + +2. Select **Create Policy** > **Platform**, and for **Profile**, choose **Exploit Protection**. Then select **Create**. + +3. Specify a name and a description, and then choose **Next**. + +4. Select **Select XML File** and browse to the location of the exploit protection XML file. Select the file, and then choose **Next**. + +5. Configure **Scope tags** and **Assignments** if necessary. + +6. Under **Review + create**, review the configuration and then choose **Create**. + + ## Microsoft Endpoint Configuration Manager -1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. -2. Click **Home** > **Create Exploit Guard Policy**. +2. Select **Home** > **Create Exploit Guard Policy**. -3. Enter a name and a description, click **Exploit protection**, and click **Next**. +3. Specify a name and a description, select **Exploit protection**, and then choose **Next**. -4. Browse to the location of the exploit protection XML file and click **Next**. +4. Browse to the location of the exploit protection XML file and select **Next**. -5. Review the settings and click **Next** to create the policy. +5. Review the settings, and then choose **Next** to create the policy. -6. After the policy is created, click **Close**. +6. After the policy is created, select **Close**. ## Group Policy 1. On your Group Policy management device, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 3. Expand the tree to **Windows components** > **Windows Defender Exploit Guard** > **Exploit Protection** > **Use a common set of exploit protection settings**. -4. Click **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard) and click **OK**. +4. Select **Enabled** and type the location of the [XML file](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-exploitguard), and then choose **OK**. ## PowerShell @@ -160,11 +178,8 @@ Get-ProcessMitigation -Name processName.exe > [!IMPORTANT] > System-level mitigations that have not been configured will show a status of `NOTSET`. -> -> For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. -> -> For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. -> +> - For system-level settings, `NOTSET` indicates the default setting for that mitigation has been applied. +> - For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > The default setting for each system-level mitigation can be seen in the Windows Security. Use `Set` to configure each mitigation in the following format: @@ -207,44 +222,45 @@ If you need to restore the mitigation back to the system default, you need to in Set-Processmitigation -Name test.exe -Remove -Disable DEP ``` -This table lists the PowerShell cmdlets (and associated audit mode cmdlet) that can be used to configure each mitigation. +This table lists the individual **Mitigations** (and **Audits**, when available) to be used with the `-Enable` or `-Disable` cmdlet parameters. -|Mitigation | Applies to | PowerShell cmdlets | Audit mode cmdlet | -|:---|:---|:---|:---| -|Control flow guard (CFG) | System and app-level | CFG, StrictCFG, SuppressExports | Audit not available | -|Data Execution Prevention (DEP) | System and app-level | DEP, EmulateAtlThunks | Audit not available | -|Force randomization for images (Mandatory ASLR) | System and app-level | ForceRelocateImages | Audit not available | -|Randomize memory allocations (Bottom-Up ASLR) | System and app-level | BottomUp, HighEntropy | Audit not available -|Validate exception chains (SEHOP) | System and app-level | SEHOP, SEHOPTelemetry | Audit not available -|Validate heap integrity | System and app-level | TerminateOnHeapError | Audit not available -|Arbitrary code guard (ACG) | App-level only | DynamicCode | AuditDynamicCode -|Block low integrity images | App-level only | BlockLowLabel | AuditImageLoad -|Block remote images | App-level only | BlockRemoteImages | Audit not available -|Block untrusted fonts | App-level only | DisableNonSystemFonts | AuditFont, FontAuditOnly -|Code integrity guard | App-level only | BlockNonMicrosoftSigned, AllowStoreSigned | AuditMicrosoftSigned, AuditStoreSigned -|Disable extension points | App-level only | ExtensionPoint | Audit not available -|Disable Win32k system calls | App-level only | DisableWin32kSystemCalls | AuditSystemCall -|Do not allow child processes | App-level only | DisallowChildProcessCreation | AuditChildProcess -|Export address filtering (EAF) | App-level only | EnableExportAddressFilterPlus, EnableExportAddressFilter \[1\] | Audit not available\[2\] | -|Import address filtering (IAF) | App-level only | EnableImportAddressFilter | Audit not available\[2\] | -|Simulate execution (SimExec) | App-level only | EnableRopSimExec | Audit not available\[2\] | -|Validate API invocation (CallerCheck) | App-level only | EnableRopCallerCheck | Audit not available\[2\] | -|Validate handle usage | App-level only | StrictHandle | Audit not available | -|Validate image dependency integrity | App-level only | EnforceModuleDepencySigning | Audit not available | -|Validate stack integrity (StackPivot) | App-level only | EnableRopStackPivot | Audit not available\[2\] | +| Mitigation type | Applies to | Mitigation cmdlet parameter keyword | Audit mode cmdlet parameter | +| :-------------- | :--------- | :---------------------------------- | :-------------------------- | +| Control flow guard (CFG) | System and app-level | `CFG`, `StrictCFG`, `SuppressExports` | Audit not available | +| Data Execution Prevention (DEP) | System and app-level | `DEP`, `EmulateAtlThunks` | Audit not available | +| Force randomization for images (Mandatory ASLR) | System and app-level | `ForceRelocateImages` | Audit not available | +| Randomize memory allocations (Bottom-Up ASLR) | System and app-level | `BottomUp`, `HighEntropy` | Audit not available +| Validate exception chains (SEHOP) | System and app-level | `SEHOP`, `SEHOPTelemetry` | Audit not available | +| Validate heap integrity | System and app-level | `TerminateOnError` | Audit not available | +| Arbitrary code guard (ACG) | App-level only | `DynamicCode` | `AuditDynamicCode` | +| Block low integrity images | App-level only | `BlockLowLabel` | `AuditImageLoad` | +| Block remote images | App-level only | `BlockRemoteImages` | Audit not available | +| Block untrusted fonts | App-level only | `DisableNonSystemFonts` | `AuditFont`, `FontAuditOnly` | +| Code integrity guard | App-level only | `BlockNonMicrosoftSigned`, `AllowStoreSigned` | AuditMicrosoftSigned, AuditStoreSigned | +| Disable extension points | App-level only | `ExtensionPoint` | Audit not available | +| Disable Win32k system calls | App-level only | `DisableWin32kSystemCalls` | `AuditSystemCall` | +| Do not allow child processes | App-level only | `DisallowChildProcessCreation` | `AuditChildProcess` | +| Export address filtering (EAF) | App-level only | `EnableExportAddressFilterPlus`, `EnableExportAddressFilter` \[1\] | Audit not available\[2\] | +| Import address filtering (IAF) | App-level only | `EnableImportAddressFilter` | Audit not available\[2\] | +| Simulate execution (SimExec) | App-level only | `EnableRopSimExec` | Audit not available\[2\] | +| Validate API invocation (CallerCheck) | App-level only | `EnableRopCallerCheck` | Audit not available\[2\] | +| Validate handle usage | App-level only | `StrictHandle` | Audit not available | +| Validate image dependency integrity | App-level only | `EnforceModuleDepencySigning` | Audit not available | +| Validate stack integrity (StackPivot) | App-level only | `EnableRopStackPivot` | Audit not available\[2\] | \[1\]: Use the following format to enable EAF modules for DLLs for a process: ```PowerShell Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlus -EAFModules dllName1.dll,dllName2.dll ``` -\[2\]: Audit for this mitigation is not available via Powershell cmdlets. +\[2\]: Audit for this mitigation is not available via PowerShell cmdlets. + ## Customize the notification -See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) article for more information about customizing the notification when a rule is triggered and blocks an app or file. ## See also -* [Evaluate exploit protection](evaluate-exploit-protection.md) -* [Configure and audit exploit protection mitigations](customize-exploit-protection.md) -* [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 4f9ad6dff7..b489a186a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -3,7 +3,7 @@ title: Turn on network protection description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Turn on network protection diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md index c4e8e36cbe..63dc623e7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md @@ -4,7 +4,7 @@ description: Enable SIEM integration to receive detections in your security info keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Enable SIEM integration in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md index b80ba00b38..836dcb090d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-atp.md @@ -2,10 +2,10 @@ title: Evaluate Microsoft Defender for Endpoint ms.reviewer: description: Evaluate the different security capabilities in Microsoft Defender for Endpoint. -keywords: attack surface reduction, evaluate, next, generation, protection +keywords: attack surface reduction, evaluate, next, generation, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Evaluate Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md index 4fdbaae9b9..e5e1491d2b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-attack-surface-reduction.md @@ -3,7 +3,7 @@ title: Evaluate attack surface reduction rules description: See how attack surface reduction would block and prevent attacks with the custom demo tool. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate attack surface reduction rules diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md index fb1a325c8e..e85e2cd887 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-controlled-folder-access.md @@ -3,7 +3,7 @@ title: Evaluate controlled folder access description: See how controlled folder access can help protect files from being changed by malicious apps. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate controlled folder access @@ -44,7 +45,7 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode > [!TIP] > If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to devices in your network(s). -You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). +You can also use Group Policy, Intune, mobile device management (MDM), or Microsoft Endpoint Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders.md). ## Review controlled folder access events in Windows Event Viewer diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md index a6dcacc047..55fb86a8b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-exploit-protection.md @@ -3,7 +3,7 @@ title: See how exploit protection works in a demo description: See how exploit protection can prevent suspicious behaviors from occurring on specific apps. keywords: Exploit protection, exploits, kernel, events, evaluate, demo, try, mitigation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 08/28/2020 +ms.date: 01/06/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate exploit protection @@ -38,20 +39,20 @@ You can set mitigation in audit mode for specific programs either by using the W ### Windows Security app -1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. +2. Select the **App & browser control** tile (or the app icon on the left menu bar) and then select **Exploit protection**. 3. Go to **Program settings** and choose the app you want to apply protection to: - 1. If the app you want to configure is already listed, click it and then click **Edit** - 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app. - - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. + 1. If the app you want to configure is already listed, select it and then select **Edit** + 2. If the app is not listed, at the top of the list select **Add program to customize** and then choose how you want to add the app. + - Use **Add by program name** to have the mitigation applied to any running process with that name. Specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. 4. After selecting the app, you'll see a list of all the mitigations that can be applied. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. -5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. +5. Repeat this procedure for all the apps and mitigations you want to configure. Select **Apply** when you're done setting up your configuration. ### PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md index 1da3fe309f..067bb51204 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluate-network-protection.md @@ -3,7 +3,7 @@ title: Evaluate network protection description: See how network protection works by testing common scenarios that it protects against. keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Evaluate network protection diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 64a0179395..4d6f35d840 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -3,7 +3,7 @@ title: Microsoft Defender for Endpoint evaluation lab description: Learn about Microsoft Defender for Endpoint capabilities, run attack simulations, and see how it prevents, detects, and remediates threats. keywords: evaluate mdatp, evaluation, lab, simulation, windows 10, windows server 2019, evaluation lab search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-evalutatemtp + - M365-security-compliance + - m365solution-evalutatemtp ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint evaluation lab diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index a2b75300ee..cf4a725b95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -4,7 +4,7 @@ description: Get descriptions and further troubleshooting steps (if required) fo keywords: troubleshoot, event viewer, log summary, failure code, failed, Microsoft Defender for Endpoint service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 05/21/2018 +ms.technology: mde --- diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-views.md b/windows/security/threat-protection/microsoft-defender-atp/event-views.md index 9edcad6d34..73f0cf3ba2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-views.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-views.md @@ -3,7 +3,7 @@ title: View attack surface reduction events description: Import custom views to see attack surface reduction events. keywords: event view, exploit guard, audit, review, events search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -12,6 +12,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # View attack surface reduction events diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md index 99f4521685..28051f72bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference.md @@ -4,17 +4,18 @@ keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, expl description: Details on how the exploit protection feature works in Windows 10 search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 07/20/2020 +ms.date: 01/06/2021 ms.reviewer: cjacks manager: dansimp ms.custom: asr +ms.technology: mde --- # Exploit Protection Reference @@ -223,7 +224,7 @@ Block low integrity images will prevent the application from loading files that ### Description -Block remote images will prevent the application from loading files that are hosted on a remote device, such as a UNC share. This helps protect against loading binaries into memory that are on an external device controlled by the attacker. +Blocking remote images helps to prevent the application from loading files that are hosted on a remote device, such as a UNC share. Blocking remote images helps protect against loading binaries into memory that are on an external device controlled by the attacker. This mitigation will block image loads if the image is determined to be on a remote device. It is implemented by the memory manager, which blocks the file from being mapped into memory. If an application attempts to map a remote file, it will trigger a STATUS_ACCESS_DENIED error. @@ -257,7 +258,7 @@ The most common use of fonts outside of the system fonts directory is with [web ### Description -Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. This includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. +Code integrity guard ensures that all binaries loaded into a process are digitally signed by Microsoft. Code integrity guard includes [WHQL](https://docs.microsoft.com/windows-hardware/drivers/install/whql-release-signature) (Windows Hardware Quality Labs) signatures, which will allow WHQL-approved drivers to run within the process. This mitigation is implemented within the memory manager, which blocks the binary from being mapped into memory. If you attempt to load a binary that is not signed by Microsoft, the memory manger will return the error STATUS_INVALID_IMAGE_HASH. By blocking at the memory manager level, this prevents both binaries loaded by the process and binaries injected into the process. @@ -275,9 +276,9 @@ This mitigation specifically blocks any binary that is not signed by Microsoft. ### Description -Control flow guard (CFG) mitigates the risk of attackers leveraging memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). +Control flow guard (CFG) mitigates the risk of attackers using memory corruption vulnerabilities by protecting indirect function calls. For example, an attacker may user a buffer overflow vulnerability to overwrite memory containing a function pointer, and replace that function pointer with a pointer to executable code of their choice (which may also have been injected into the program). -This mitigation is provided by injecting an additional check at compile time. Before each indirect function call, additional instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. +This mitigation is provided by injecting another check at compile time. Before each indirect function call, another instructions are added which verify that the target is a valid call target before it is called. If the target is not a valid call target, then the application is terminated. As such, only applications that are compiled with CFG support can benefit from this mitigation. The check for a valid target is provided by the Windows kernel. When executable files are loaded, the metadata for indirect call targets is extracted at load time and marked as valid call targets. Additionally, when memory is allocated and marked as executable (such as for generated code), these memory locations are also marked as valid call targets, to support mechanisms such as JIT compilation. @@ -296,7 +297,7 @@ Since applications must be compiled to support CFG, they implicitly declare thei ### Description -Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. This helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. +Data execution prevention (DEP) prevents memory that was not explicitly allocated as executable from being executed. DEP helps protect against an attacker injecting malicious code into the process, such as through a buffer overflow, and then executing that code. If you attempt to set the instruction pointer to a memory address not marked as executable, the processor will throw an exception (general-protection violation), causing the application to crash. @@ -304,7 +305,7 @@ If you attempt to set the instruction pointer to a memory address not marked as All x64, ARM, and ARM-64 executables have DEP enabled by default, and it cannot be disabled. Since an application will have never been executed without DEP, compatibility is assumed. -All x86 (32-bit) binaries will have DEP enabled by default, but it can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, may not be compatible with DEP. These are typically applications that dynamically generate code (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. +All x86 (32-bit) binaries have DEP enabled by default, but DEP can be disabled per process. Some old legacy applications, typically applications developed prior to Windows XP SP2, might not be compatible with DEP. Such applications typically generate code dynamically (for example, JIT compiling) or link to older libraries (such as older versions of ATL) which dynamically generate code. ### Configuration options @@ -324,7 +325,7 @@ This includes: ### Compatibility considerations -Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third party Legacy IMEs that will not work with the protected application. +Most of these extension points are relatively infrequently used, so compatibility impact is typically small, particularly at an individual application level. The one consideration is if users are using third-party Legacy IMEs that will not work with the protected application. ### Configuration options @@ -341,7 +342,7 @@ Win32k.sys provides a broad attack surface for an attacker. As a kernel-mode com ### Compatibility considerations -This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will leverage process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. +This mitigation is designed for processes that are dedicated non-UI processes. For example, many modern browsers will use process isolation and incorporate non-UI processes. Any application that displays a GUI using a single process will be impacted by this mitigation. ### Configuration options @@ -379,18 +380,18 @@ This mitigation is primarily an issue for applications such as debuggers, sandbo ### Configuration options -**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for additional commonly attacked modules: +**Validate access for modules that are commonly abused by exploits** - This option, also known as EAF+, adds protections for other commonly attacked modules: -- mshtml.dll -- flash*.ocx -- jscript*.ocx -- vbscript.dll -- vgx.dll -- mozjs.dll -- xul.dll -- acrord32.dll -- acrofx32.dll -- acroform.api +- `mshtml.dll` +- `flash*.ocx` +- `jscript*.ocx` +- `vbscript.dll` +- `vgx.dll` +- `mozjs.dll` +- `xul.dll` +- `acrord32.dll` +- `acrofx32.dll` +- `acroform.api` Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection to the page containing the "MZ" header, the first two bytes of the [DOS header in a PE file](https://docs.microsoft.com/windows/win32/debug/pe-format#ms-dos-stub-image-only), which is another aspect of known memory content which shellcode can look for to identify modules potentially of interest in memory. @@ -400,7 +401,7 @@ Additionally, by enabling EAF+, this mitigation adds the PAGE_GUARD protection t ### Description -Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker leveraging techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. +Address Space Layout Randomization (ASLR) mitigates the risk of an attacker using their knowledge of the memory layout of the system in order to execute code that is already present in process memory and already marked as executable. This can mitigate the risk of an attacker using techniques such as return-to-libc attacks, where the adversary sets the context and then modifies the return address to execute existing code with context that suits the adversary's purpose. Mandatory ASLR forces a rebase of all DLLs within the process. A developer can enable ASLR using the [/DYNAMICBASE](https://docs.microsoft.com/cpp/build/reference/dynamicbase-use-address-space-layout-randomization?view=vs-2019&preserve-view=true) linker option, and this mitigation has the same effect. @@ -427,31 +428,31 @@ The memory pages for all protected APIs will have the [PAGE_GUARD](https://docs. This mitigation protects the following Windows APIs: -- GetProcAddress -- GetProcAddressForCaller -- LoadLibraryA -- LoadLibraryExA -- LoadLibraryW -- LoadLibraryExW -- LdrGetProcedureAddress -- LdrGetProcedureAddressEx -- LdrGetProcedureAddressForCaller -- LdrLoadDll -- VirtualProtect -- VirtualProtectEx -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- NtProtectVirtualMemory -- CreateProcessA -- CreateProcessW -- WinExec -- CreateProcessAsUserA -- CreateProcessAsUserW -- GetModuleHandleA -- GetModuleHandleW -- RtlDecodePointer -- DecodePointer +- `GetProcAddress` +- `GetProcAddressForCaller` +- `LoadLibraryA` +- `LoadLibraryExA` +- `LoadLibraryW` +- `LoadLibraryExW` +- `LdrGetProcedureAddress` +- `LdrGetProcedureAddressEx` +- `LdrGetProcedureAddressForCaller` +- `LdrLoadDll` +- `VirtualProtect` +- `VirtualProtectEx` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `NtProtectVirtualMemory` +- `CreateProcessA` +- `CreateProcessW` +- `WinExec` +- `CreateProcessAsUserA` +- `CreateProcessAsUserW` +- `GetModuleHandleA` +- `GetModuleHandleW` +- `RtlDecodePointer` +- `DecodePointer` ### Compatibility considerations @@ -471,7 +472,7 @@ The size of the 32-bit address space places practical constraints on the entropy ### Compatibility considerations -Most applications that are compatible with Mandatory ASLR (rebasing) will also be compatible with the additional entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). +Most applications that are compatible with Mandatory ASLR (rebasing) are also compatible with the other entropy of Bottom-up ASLR. Some applications may have pointer-truncation issues if they are saving local pointers in 32-bit variables (expecting a base address below 4 GB), and thus will be incompatible with the high entropy option (which can be disabled). ### Configuration options @@ -488,40 +489,40 @@ Simulate execution (SimExec) is a mitigation for 32-bit applications only. This The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` If a ROP gadget is detected, the process is terminated. @@ -543,40 +544,40 @@ Validate API invocation (CallerCheck) is a mitigation for return-oriented progra The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` If a ROP gadget is detected, the process is terminated. @@ -594,7 +595,7 @@ This mitigation is incompatible with the Arbitrary Code Guard mitigation. ### Description -Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can leverage a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. +Validate exception chains (SEHOP) is a mitigation against the *Structured Exception Handler (SEH) overwrite* exploitation technique. [Structured exception handling](https://docs.microsoft.com/windows/win32/debug/structured-exception-handling) is the process by which an application can ask to handle a particular exception. Exception handlers are chained together, so that if one exception handler chooses not to handle a particular exception, it can be passed on to the next exception handler in the chain until one decides to handle it. Because the list of handler is dynamic, it is stored on the stack. An attacker can use a stack overflow vulnerability to then overwrite the exception handler with a pointer to the code of the attacker's choice. This mitigation relies on the design of SEH, where each SEH entry contains both a pointer to the exception handler, as well as a pointer to the next handler in the exception chain. This mitigation is called by the exception dispatcher, which validates the SEH chain when an exception is invoked. It verifies that: @@ -619,7 +620,7 @@ Compatibility issues with SEHOP are relatively rare. It's uncommon for an applic ### Description -*Validate handle usage* is a mitigation that helps protect against an attacker leveraging an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). +*Validate handle usage* is a mitigation that helps protect against an attacker using an existing handle to access a protected object. A [handle](https://docs.microsoft.com/windows/win32/sysinfo/handles-and-objects) is a reference to a protected object. If application code is referencing an invalid handle, that could indicate that an adversary is attempting to use a handle it has previously recorded (but which application reference counting wouldn't be aware of). If the application attempts to use an invalid object, instead of simply returning null, the application will raise an exception (STATUS_INVALID_HANDLE). This mitigation is automatically applied to Windows Store applications. @@ -639,7 +640,7 @@ Applications that were not accurately tracking handle references, and which were The *validate heap integrity* mitigation increases the protection level of heap mitigations in Windows, by causing the application to terminate if a heap corruption is detected. The mitigations include: - Preventing a HEAP handle from being freed -- Performing additional validation on extended block headers for heap allocations +- Performing another validation on extended block headers for heap allocations - Verifying that heap allocations are not already flagged as in-use - Adding guard pages to large allocations, heap segments, and subsegments above a minimum size @@ -672,48 +673,48 @@ Compatibility issues are uncommon. Applications that depend on replacing Windows The *validate stack integrity (StackPivot)* mitigation helps protect against the Stack Pivot attack, a ROP attack where an attacker creates a fake stack in heap memory, and then tricks the application into returning into the fake stack that controls the flow of execution. -This mitigation intercepts a number of Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. +This mitigation intercepts many Windows APIs, and inspects the value of the stack pointer. If the address of the stack pointer does not fall between the bottom and the top of the stack, then an event is recorded and, if not in audit mode, the process will be terminated. The APIs intercepted by this mitigation are: -- LoadLibraryA -- LoadLibraryW -- LoadLibraryExA -- LoadLibraryExW -- LdrLoadDll -- VirtualAlloc -- VirtualAllocEx -- NtAllocateVirtualMemory -- VirtualProtect -- VirtualProtectEx -- NtProtectVirtualMemory -- HeapCreate -- RtlCreateHeap -- CreateProcessA -- CreateProcessW -- CreateProcessInternalA -- CreateProcessInternalW -- NtCreateUserProcess -- NtCreateProcess -- NtCreateProcessEx -- CreateRemoteThread -- CreateRemoteThreadEx -- NtCreateThreadEx -- WriteProcessMemory -- NtWriteVirtualMemory -- WinExec -- CreateFileMappingA -- CreateFileMappingW -- CreateFileMappingNumaW -- NtCreateSection -- MapViewOfFile -- MapViewOfFileEx -- MapViewOfFileFromApp -- LdrGetProcedureAddressForCaller +- `LoadLibraryA` +- `LoadLibraryW` +- `LoadLibraryExA` +- `LoadLibraryExW` +- `LdrLoadDll` +- `VirtualAlloc` +- `VirtualAllocEx` +- `NtAllocateVirtualMemory` +- `VirtualProtect` +- `VirtualProtectEx` +- `NtProtectVirtualMemory` +- `HeapCreate` +- `RtlCreateHeap` +- `CreateProcessA` +- `CreateProcessW` +- `CreateProcessInternalA` +- `CreateProcessInternalW` +- `NtCreateUserProcess` +- `NtCreateProcess` +- `NtCreateProcessEx` +- `CreateRemoteThread` +- `CreateRemoteThreadEx` +- `NtCreateThreadEx` +- `WriteProcessMemory` +- `NtWriteVirtualMemory` +- `WinExec` +- `CreateFileMappingA` +- `CreateFileMappingW` +- `CreateFileMappingNumaW` +- `NtCreateSection` +- `MapViewOfFile` +- `MapViewOfFileEx` +- `MapViewOfFileFromApp` +- `LdrGetProcedureAddressForCaller` ### Compatibility considerations -Applications that are leveraging fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. +Applications that are using fake stacks will be impacted, and there is also a small risk of revealing subtle timing bugs in multi-threaded applications. Applications that perform API interception, particularly security software, can cause compatibility problems with this mitigation. This mitigation is incompatible with the Arbitrary Code Guard mitigation. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md index b2ad6f832b..9b169e43bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exploit-protection.md @@ -3,7 +3,7 @@ title: Apply mitigations to help prevent attacks through vulnerabilities keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet description: Protect devices against exploits with Windows 10. Windows 10 has advanced exploit protection capabilities, building upon and improving the settings available in Enhanced Mitigation Experience Toolkit (EMET). search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.date: 10/21/2020 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Protect devices from exploits diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 9f93b7365e..9994672041 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md @@ -1,10 +1,10 @@ --- -title: Use Microsoft Defender for Endpoint APIs +title: Use Microsoft Defender for Endpoint APIs ms.reviewer: description: Learn how to design a native Windows app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use Microsoft Defender for Endpoint APIs diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md index cfb61033a4..2e5ce37a4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-partners.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Partner access through Microsoft Defender for Endpoint APIs diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md index f4dc27179e..dbec1029c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-webapp.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn how to design a web app to get programmatic access to Microsoft Defender for Endpoint without a user. keywords: apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create an app to access Microsoft Defender for Endpoint without a user diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 8100c26890..0f872dce10 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use these code samples, querying several Microsoft Defender for Endpoint APIs. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article +ms.collection: M365-security-compliance +ms.topic: article ms.date: 09/24/2018 +ms.technology: mde --- # Microsoft Defender for Endpoint APIs using PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md index e5f0ac91e0..631006a9c3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list.md @@ -1,10 +1,10 @@ --- -title: Supported Microsoft Defender for Endpoint APIs +title: Supported Microsoft Defender for Endpoint APIs ms.reviewer: -description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. +description: Learn about the specific supported Microsoft Defender for Endpoint entities where you can create API calls to. keywords: apis, supported apis, actor, alerts, device, user, domain, ip, file, advanced queries, advanced hunting search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Supported Microsoft Defender for Endpoint APIs diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index 8cea855481..0d88d39023 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -4,7 +4,7 @@ ms.reviewer: description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender for Endpoint. keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # OData queries with Microsoft Defender for Endpoint @@ -43,7 +44,7 @@ Not all properties are filterable. ### Example 1 -Get 10 latest Alerts with related Evidence +Get 10 latest Alerts with related Evidence: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence @@ -56,75 +57,51 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -134,13 +111,74 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, @@ -151,7 +189,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=ev ### Example 2 -Get all the alerts last updated after 2019-11-22 00:00:00 +Get all the alerts last updated after 2019-11-22 00:00:00: ```http HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdateTime+ge+2019-11-22T00:00:00Z @@ -187,6 +225,12 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" @@ -207,7 +251,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/alerts?$filter=lastUpdate ### Example 3 -Get all the devices with 'High' 'RiskScore' +Get all the devices with 'High' 'RiskScore': ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScore+eq+'High' @@ -220,25 +264,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "High", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -246,7 +304,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=riskScor ### Example 4 -Get top 100 devices with 'HealthStatus' not equals to 'Active' +Get top 100 devices with 'HealthStatus' not equals to 'Active': ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 @@ -259,25 +317,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -285,7 +357,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=healthSt ### Example 5 -Get all the devices that last seen after 2018-10-20 +Get all the devices that last seen after 2018-10-20: ```http HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen gt 2018-08-01Z @@ -298,25 +370,39 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "ImpairedCommunication", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "ExampleTag" ] - }, + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } @@ -324,7 +410,7 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=lastSeen ### Example 6 -Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender for Endpoint: ```http HTTP GET https://api.securitycenter.microsoft.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' @@ -368,5 +454,58 @@ HTTP GET https://api.securitycenter.microsoft.com/api/machines/123321d0c675eaa4 4 ``` +### Example 8 + +Get all the devices with 'computerDnsName' starting with 'mymachine': + +```http +HTTP GET https://api.securitycenter.microsoft.com/api/machines?$filter=startswith(computerDnsName,'mymachine') +``` + +**Response:** + +```json +json{ + "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", + "osProcessor": "x64", + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, + ... + ] +} +``` + ## See also - [Microsoft Defender for Endpoint APIs](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md index b5ac0c1ea5..709f74bc35 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md +++ b/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking.md @@ -8,14 +8,15 @@ author: denisebmsft ms.author: deniseb manager: dansimp ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 +audience: ITPro +ms.topic: article +ms.prod: m365-security ms.localizationpriority: medium ms.custom: -- next-gen -- edr + - next-gen + - edr ms.collection: +ms.technology: mde --- # Feedback-loop blocking diff --git a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md index a4f175566c..bc70d8c0e4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fetch-alerts-mssp.md @@ -4,7 +4,7 @@ description: Learn how to fetch alerts from a customer tenant keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Fetch alerts from MSSP customer tenant diff --git a/windows/security/threat-protection/microsoft-defender-atp/files.md b/windows/security/threat-protection/microsoft-defender-atp/files.md index 677387cad1..0fbe833f68 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/files.md @@ -3,7 +3,7 @@ title: File resource type description: Retrieve recent Microsoft Defender for Endpoint alerts related to files. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # File resource type diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md deleted file mode 100644 index b94742b61d..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machine-info-by-ip.md +++ /dev/null @@ -1,95 +0,0 @@ ---- -title: Find device information by internal IP API -description: Use this API to create calls related to finding a device entry around a specific timestamp by internal IP. -keywords: ip, apis, graph api, supported apis, find device, device information -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article ---- - -# Find device information by internal IP API - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - -Find a device by internal IP. - ->[!NOTE] ->The timestamp must be within the last 30 days. - -## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) - -Permission type | Permission | Permission display name -:---|:---|:--- -Application | Machine.Read.All | 'Read all machine profiles' -Application | Machine.ReadWrite.All | 'Read and write all machine information' - -## HTTP request -``` -GET /api/machines/find(timestamp={time},key={IP}) -``` - -## Request headers - -Name | Type | Description -:---|:---|:--- -Authorization | String | Bearer {token}. **Required**. - - -## Request body -Empty - -## Response -If successful and machine exists - 200 OK. -If no machine found - 404 Not Found. - - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') -Content-type: application/json -``` - -**Response** - -Here is an example of the response. - -The response will return a list of all devices that reported this IP address within sixteen minutes prior and after the timestamp. - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", - "value": [ - { - "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", - "computerDnsName": "", - "firstSeen": "2017-07-06T01:25:04.9480498Z", - "osPlatform": "Windows10", -… -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md index 616dfffb2e..d9ebb6559c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md @@ -1,9 +1,9 @@ --- title: Find devices by internal IP API -description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp +description: Find devices seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp keywords: apis, graph api, supported apis, get, device, IP, find, find device, by ip, ip search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Find devices by internal IP API @@ -79,6 +80,6 @@ If the timestamp is not in the past 30 days - 400 Bad Request. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2019-09-22T08:44:05Z) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md new file mode 100644 index 0000000000..5bb4e7756f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/find-machines-by-tag.md @@ -0,0 +1,89 @@ +--- +title: Find devices by tag API +description: Find all devices that contain specifc tag +keywords: apis, supported apis, get, device, find, find device, by tag, tag +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Find devices by tag API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Find [Machines](machine.md) by [Tag](machine-tags.md). + ```startswith``` query is supported. + +## Limitations +1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) +> - Response will include only devices that the user have access to based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) + +## HTTP request +``` +GET /api/machines/findbytag?tag={tag}&useStartsWithFilter={true/false} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +tag | String | The tag name. **Required**. +useStartsWithFilter | Boolean | When set to true, the search will find all devices with tag name that starts with the given tag in the query. Defaults to false. **Optional**. + +## Request body +Empty + +## Response +If successful - 200 OK with list of the machines in the response body. + +## Example + +**Request** + +Here is an example of the request. + +```http +GET https://api.securitycenter.microsoft.com/api/machines/findbytag?tag=testTag&useStartsWithFilter=true +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index ce92f63d99..2ab8c7db1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -4,7 +4,7 @@ description: Fix device sensors that are reporting as misconfigured or inactive keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ms.date: 11/06/2020 +ms.technology: mde --- # Fix unhealthy sensors in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md index 210a00624f..5177928062 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-info-by-id.md @@ -3,7 +3,7 @@ title: Get alert information by ID API description: Learn how to use the Get alert information by ID API to retrieve a specific alert by its ID in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert information by ID API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index 607206740c..c84308bef0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related domains information +title: Get alert related domains information description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related domain search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related domain information API @@ -76,7 +77,7 @@ If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/domains ``` @@ -84,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Domains", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index f95776b987..015b98dba0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related files information +title: Get alert related files information description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related files search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related files information API @@ -76,7 +77,7 @@ If successful and alert and files exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/files ``` @@ -85,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index dd5859b46d..602a1fd1c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related IPs information +title: Get alert related IPs information description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related ip search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related IPs information API @@ -77,7 +78,7 @@ If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not F Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_2136280442/ips ``` @@ -86,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/alerts/636688558380765161_213628044 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/$metadata#Ips", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index ab1cfd8107..4a56186c19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related machine information +title: Get alert related machine information description: Retrieve all devices related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender for Endpoint). keywords: apis, graph api, supported apis, get alert information, alert information, related device search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related machine information API @@ -55,7 +56,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >- The user needs to have access to the device associated with the alert, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) ## HTTP request -``` + +```http GET /api/alerts/{id}/machine ``` @@ -78,7 +80,7 @@ If successful and alert and device exist - 200 OK. If alert not found or device Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/machine ``` @@ -87,28 +89,39 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines/$entity", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", - "computerDnsName": "mymachine1.contoso.com", - "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", - "osPlatform": "Windows10", - "version": "1709", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", + "osPlatform": "Windows10", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, - "healthStatus": "Active", - "rbacGroupId": 140, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, + "healthStatus": "Active", + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", - "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "riskScore": "Low", + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md index c5461ce794..2afbe73739 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-user-info.md @@ -1,9 +1,9 @@ --- -title: Get alert related user information +title: Get alert related user information description: Learn how to use the Get alert related user information API to retrieve the user related to a specific alert in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, alert, information, related, user search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get alert related user information API @@ -77,7 +78,7 @@ If successful and alert and a user exists - 200 OK with user in the body. If ale Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_2136280442/user ``` @@ -86,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/alerts/636688558380765161_21362 Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "contoso\\user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md index 687c2dffa2..47af279049 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alerts.md @@ -3,7 +3,7 @@ title: List alerts API description: Learn how to use the List alerts API to retrieve a collection of alerts in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List alerts API @@ -87,7 +88,7 @@ If successful, this method returns 200 OK, and a list of [alert](alerts.md) obje Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts ``` @@ -127,6 +128,12 @@ Here is an example of the response. "computerDnsName": "temp123.middleeast.corp.microsoft.com", "rbacGroupName": "MiddleEast", "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { "userName": "temp123", "domainName": "MIDDLEEAST" @@ -151,7 +158,7 @@ Here is an example of the response. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/alerts?$top=10&$expand=evidence ``` @@ -169,75 +176,51 @@ Here is an example of the response. "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Alerts", "value": [ { - "id": "da637306396589640224_1753239473", - "incidentId": 875832, - "investigationId": 478434, + "id": "da637472900382838869_1364969609", + "incidentId": 1126093, + "investigationId": null, "assignedTo": null, "severity": "Low", "status": "New", "classification": null, "determination": null, - "investigationState": "PendingApproval", - "detectionSource": "WindowsDefenderAv", - "category": "UnwantedSoftware", - "threatFamilyName": "InstallCore", - "title": "An active 'InstallCore' unwanted software was detected", - "description": "Potentially unwanted applications (PUA) often impact productivity and performance and are often unwanted in enterprise environments. This category of applications include torrent downloaders, cryptocurrency miners, browser advertising software, and evasion software.\n\nAn application is considered active if it is found running on the machine or it already has persistence mechanisms in place.\n\nBecause this PUA was active, take precautionary measures and check for residual signs of infection.", - "alertCreationTime": "2020-07-18T03:27:38.9483995Z", - "firstEventTime": "2020-07-18T03:25:39.6124549Z", - "lastEventTime": "2020-07-18T03:26:18.4362304Z", - "lastUpdateTime": "2020-07-18T03:28:19.76Z", + "investigationState": "Queued", + "detectionSource": "WindowsDefenderAtp", + "detectorId": "17e10bbc-3a68-474a-8aad-faef14d43952", + "category": "Execution", + "threatFamilyName": null, + "title": "Low-reputation arbitrary code executed by signed executable", + "description": "Binaries signed by Microsoft can be used to run low-reputation arbitrary code. This technique hides the execution of malicious code within a trusted process. As a result, the trusted process might exhibit suspicious behaviors, such as opening a listening port or connecting to a command-and-control (C&C) server.", + "alertCreationTime": "2021-01-26T20:33:57.7220239Z", + "firstEventTime": "2021-01-26T20:31:32.9562661Z", + "lastEventTime": "2021-01-26T20:31:33.0577322Z", + "lastUpdateTime": "2021-01-26T20:33:59.2Z", "resolvedTime": null, - "machineId": "97868b864dc8fa09cc8726c37a1fcd8ab582f3aa", - "computerDnsName": "temp2.redmond.corp.microsoft.com", - "rbacGroupName": "Ring0", - "aadTenantId": "12f988bf-1234-1234-91ab-2d7cd011db47", + "machineId": "111e6dd8c833c8a052ea231ec1b19adaf497b625", + "computerDnsName": "temp123.middleeast.corp.microsoft.com", + "rbacGroupName": "A", + "aadTenantId": "a839b112-1253-6432-9bf6-94542403f21c", + "threatName": null, + "mitreTechniques": [ + "T1064", + "T1085", + "T1220" + ], "relatedUser": { - "userName": "temp2", - "domainName": "REDMOND" - }, - "comments": [], + "userName": "temp123", + "domainName": "MIDDLEEAST" + }, + "comments": [ + { + "comment": "test comment for docs", + "createdBy": "secop123@contoso.com", + "createdTime": "2021-01-26T01:00:37.8404534Z" + } + ], "evidence": [ - { - "entityType": "File", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": null, - "processCommandLine": null, - "processCreationTime": null, - "parentProcessId": null, - "parentProcessCreationTime": null, - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, - { - "entityType": "Process", - "sha1": "ff02786682af8a6ae2842b64c8da543c4d76823c", - "sha256": "16dafd771171b619a472bb23cd55bc069625be8de5ee01b37b41de1216b2bbb2", - "fileName": "Your File Is Ready To Download_1911150169.exe", - "filePath": "C:\\Users\\temp2\\Downloads", - "processId": 24348, - "processCommandLine": "\"Your File Is Ready To Download_1911150169.exe\" ", - "processCreationTime": "2020-07-18T03:25:38.5269993Z", - "parentProcessId": 16840, - "parentProcessCreationTime": "2020-07-18T02:12:32.8616797Z", - "ipAddress": null, - "url": null, - "accountName": null, - "domainName": null, - "userSid": null, - "aadUserId": null, - "userPrincipalName": null - }, { "entityType": "User", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", "sha1": null, "sha256": null, "fileName": null, @@ -247,13 +230,74 @@ Here is an example of the response. "processCreationTime": null, "parentProcessId": null, "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, "ipAddress": null, "url": null, - "accountName": "temp2", - "domainName": "REDMOND", - "userSid": "S-1-5-21-1127532184-1642412920-1887927527-75363", - "aadUserId": "319dc320-4ce3-4cd7-a0de-c476d146342d", - "userPrincipalName": "temp2@microsoft.com" + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": "eranb", + "domainName": "MIDDLEEAST", + "userSid": "S-1-5-21-11111607-1111760036-109187956-75141", + "aadUserId": "11118379-2a59-1111-ac3c-a51eb4a3c627", + "userPrincipalName": "temp123@microsoft.com", + "detectionStatus": null + }, + { + "entityType": "Process", + "evidenceCreationTime": "2021-01-26T20:33:58.6133333Z", + "sha1": "ff836cfb1af40252bd2a2ea843032e99a5b262ed", + "sha256": "a4752c71d81afd3d5865d24ddb11a6b0c615062fcc448d24050c2172d2cbccd6", + "fileName": "rundll32.exe", + "filePath": "C:\\Windows\\SysWOW64", + "processId": 3276, + "processCommandLine": "rundll32.exe c:\\temp\\suspicious.dll,RepeatAfterMe", + "processCreationTime": "2021-01-26T20:31:32.9581596Z", + "parentProcessId": 8420, + "parentProcessCreationTime": "2021-01-26T20:31:32.9004163Z", + "parentProcessFileName": "rundll32.exe", + "parentProcessFilePath": "C:\\Windows\\System32", + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" + }, + { + "entityType": "File", + "evidenceCreationTime": "2021-01-26T20:33:58.42Z", + "sha1": "8563f95b2f8a284fc99da44500cd51a77c1ff36c", + "sha256": "dc0ade0c95d6db98882bc8fa6707e64353cd6f7767ff48d6a81a6c2aef21c608", + "fileName": "suspicious.dll", + "filePath": "c:\\temp", + "processId": null, + "processCommandLine": null, + "processCreationTime": null, + "parentProcessId": null, + "parentProcessCreationTime": null, + "parentProcessFileName": null, + "parentProcessFilePath": null, + "ipAddress": null, + "url": null, + "registryKey": null, + "registryHive": null, + "registryValueType": null, + "registryValue": null, + "accountName": null, + "domainName": null, + "userSid": null, + "aadUserId": null, + "userPrincipalName": null, + "detectionStatus": "Detected" } ] }, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md index a076a373b1..6548493ea9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-recommendations.md @@ -1,9 +1,9 @@ --- title: List all recommendations description: Retrieves a list of all security recommendations affecting the organization. -keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, security recommendations, mdatp tvm api, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List all recommendations @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the list of security recommendati Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md index 8839180405..0126da149d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities-by-machines.md @@ -3,7 +3,7 @@ title: Get all vulnerabilities by machine and software description: Retrieves a list of all the vulnerabilities affecting the organization by Machine and Software keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities by machine and software @@ -71,7 +72,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/machinesVulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md index d899f7c360..00ade14700 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-all-vulnerabilities.md @@ -3,7 +3,7 @@ title: Get all vulnerabilities description: Retrieves a list of all the vulnerabilities affecting the organization keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the list of vulnerabilities in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md index fb60d09e95..3264cc7d76 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-cvekbmap-collection.md @@ -4,7 +4,7 @@ description: Learn how to use the Get CVE-KB map API to retrieve a map of CVE's keywords: apis, graph api, supported apis, get, cve, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ROBOTS: NOINDEX +ms.technology: mde --- # Get CVE-KB map API @@ -60,18 +61,15 @@ If successful and map exists - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/CveKbMap -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", "@odata.count": 4168, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md index 920e2fab04..2edded89ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-device-secure-score.md @@ -3,7 +3,7 @@ title: Get device secure score description: Retrieves the organizational device secure score. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get device secure score @@ -67,7 +68,7 @@ If successful, this method returns 200 OK, with the device secure score data in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/configurationScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md index 14425d3b01..760ce4ddb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-discovered-vulnerabilities.md @@ -3,7 +3,7 @@ title: Get discovered vulnerabilities description: Retrieves a collection of discovered vulnerabilities related to a given device ID. keywords: apis, graph api, supported apis, get, list, file, information, discovered vulnerabilities, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get discovered vulnerabilities @@ -29,8 +30,12 @@ ms.topic: article [!include[Improve request performance](../../includes/improve-request-performance.md)] +## API description Retrieves a collection of discovered vulnerabilities related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -66,7 +71,7 @@ If successful, this method returns 200 OK with the discovered vulnerability info Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/vulnerabilities ``` @@ -74,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md index 2ef6ab2307..12f8042a7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-alerts.md @@ -3,7 +3,7 @@ title: Get domain related alerts API description: Learn how to use the Get domain related alerts API to retrieve alerts related to a given domain address in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get domain related alerts API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md index 8c70e05df5..87af94f174 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-related-machines.md @@ -3,7 +3,7 @@ title: Get domain related machines API description: Learn how to use the Get domain related machines API to get machines that communicated to or from a domain in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, related, devices search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get domain related machines API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md index a1174ffd17..13a3f3f28f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-domain-statistics.md @@ -3,7 +3,7 @@ title: Get domain statistics API description: Learn how to use the Get domain statistics API to retrieve the statistics on the given domain in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, domain, domain related devices search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get domain statistics API @@ -61,6 +62,11 @@ Header | Value :---|:--- Authorization | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -75,8 +81,8 @@ If successful and domain exists - 200 OK, with statistics object in the response Here is an example of the request. -``` -GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats +```http +GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats?lookBackHours=48 ``` **Response** @@ -84,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/domains/example.com/stats Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", "host": "example.com", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md index 2dc25a2049..0288816bb4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-exposure-score.md @@ -3,7 +3,7 @@ title: Get exposure score description: Retrieves the organizational exposure score. keywords: apis, graph api, supported apis, get, exposure score, organizational exposure score search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get exposure score @@ -69,7 +70,7 @@ If successful, this method returns 200 OK, with the exposure data in the respons Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md index c69bbf38e5..37b4c39da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-information.md @@ -3,7 +3,7 @@ title: Get file information API description: Learn how to use the Get file information API to get a file by Sha1, Sha256, or MD5 identifier in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get file information API @@ -75,7 +76,7 @@ If successful and file exists - 200 OK with the [file](files.md) entity in the b Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c017ad50bdcdafb3 ``` @@ -84,9 +85,7 @@ GET https://api.securitycenter.microsoft.com/api/files/4388963aaa83afe2042a46a3c Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Files/$entity", "sha1": "4388963aaa83afe2042a46a3c017ad50bdcdafb3", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md index e9088291e8..1ef694df96 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-alerts.md @@ -3,7 +3,7 @@ title: Get file related alerts API description: Learn how to use the Get file related alerts API to get a collection of alerts related to a given file hash in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, hash search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get file related alerts API @@ -78,6 +79,6 @@ If successful and file exists - 200 OK with list of [alert](alerts.md) entities Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md index 99313ac5c8..c0de4442c2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-related-machines.md @@ -3,7 +3,7 @@ title: Get file related machines API description: Learn how to use the Get file related machines API to get a collection of machines related to a file hash in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, devices, hash search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get file related machines API @@ -78,6 +79,6 @@ If successful and file exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md index d81d9b8af3..ab8b12267d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-file-statistics.md @@ -3,7 +3,7 @@ title: Get file statistics API description: Learn how to use the Get file statistics API to retrieve the statistics for the given file in Microsoft Defender for Endpoint. keywords: apis, graph api, supported apis, get, file, statistics search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get file statistics API @@ -61,6 +62,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -75,8 +81,8 @@ If successful and file exists - 200 OK with statistical data in the body. If fil Here is an example of the request. -``` -GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats +```http +GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed11e6be064081d9f/stats?lookBackHours=48 ``` **Response** @@ -84,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/files/0991a395da64e1c5fbe8732ed Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", "sha1": "0991a395da64e1c5fbe8732ed11e6be064081d9f", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md index 09233fa7ab..9effa5d7a6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-installed-software.md @@ -3,7 +3,7 @@ title: Get installed software description: Retrieves a collection of installed software related to a given device ID. keywords: apis, graph api, supported apis, get, list, file, information, software inventory, installed software per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get installed software @@ -65,7 +66,7 @@ If successful, this method returns 200 OK with the installed software informatio Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md index b58d1ddd9e..cca2597b98 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-collection.md @@ -3,7 +3,7 @@ title: List Investigations API description: Use this API to create calls related to get Investigations collection keywords: apis, graph api, supported apis, Investigations collection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List Investigations API @@ -89,9 +90,7 @@ GET https://api.securitycenter.microsoft.com/api/investigations Here is an example of the response: -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Investigations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md index 866f046908..74f3ac1b33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-investigation-object.md @@ -3,7 +3,7 @@ title: Get Investigation object API description: Use this API to create calls related to get Investigation object keywords: apis, graph api, supported apis, Investigation object search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get Investigation API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index b18a482d19..d4f66c71d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -3,7 +3,7 @@ title: Get IP related alerts API description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get IP related alerts API @@ -78,6 +79,6 @@ If successful and IP exists - 200 OK with list of [alert](alerts.md) entities in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 7492cfa46e..bc04301ab1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -3,7 +3,7 @@ title: Get IP statistics API description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, statistics, prevalence search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get IP statistics API @@ -46,12 +47,13 @@ Permission type | Permission | Permission display name Application | Ip.Read.All | 'Read IP address profiles' Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' ->[!Note] +>[!NOTE] > When obtaining a token using user credentials: >- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ## HTTP request -``` + +```http GET /api/ips/{ip}/stats ``` @@ -61,6 +63,11 @@ Name | Type | Description :---|:---|:--- Authorization | String | Bearer {token}. **Required**. +## Request URI parameters + +Name | Type | Description +:---|:---|:--- +lookBackHours | Int32 | Defines the hours we search back to get the statistics. Defaults to 30 days. **Optional**. ## Request body Empty @@ -75,8 +82,8 @@ If successful and ip exists - 200 OK with statistical data in the body. IP do no Here is an example of the request. -``` -GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats +```http +GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats?lookBackHours=48 ``` **Response** @@ -84,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/ips/10.209.67.177/stats Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", "ipAddress": "10.209.67.177", @@ -95,3 +100,13 @@ Content-type: application/json "orgLastSeen": "2017-08-29T13:32:59Z" } ``` + + +| Name | Description | +| :--- | :---------- | +| Org prevalence | the distinct count of devices that opened network connection to this IP. | +| Org first seen | the first connection for this IP in the organization. | +| Org last seen | the last connection for this IP in the organization. | + +> [!NOTE] +> This statistic information is based on data from the past 30 days. diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index b3e1d5574a..0eeced010e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -4,7 +4,7 @@ description: Retrieve a collection of knowledge bases (KB's) and KB details with keywords: apis, graph api, supported apis, get, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article ROBOTS: NOINDEX +ms.technology: mde --- # Get KB collection API @@ -60,18 +61,15 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/KbInfo -Content-type: application/json ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", "@odata.count": 271, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md index f46e912d8c..76dc993182 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-by-id.md @@ -3,7 +3,7 @@ title: Get machine by ID API description: Learn how to use the Get machine by ID API to retrieve a machine by its device ID or computer name in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, entity, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machine by ID API @@ -40,7 +41,7 @@ Retrieves specific [Machine](machine.md) by its device ID or computer name. ## Permissions -One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md). Permission type | Permission | Permission display name :---|:---|:--- @@ -90,29 +91,39 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { - "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machine", - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] } - ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md index e13a900af5..6f54986e33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-group-exposure-score.md @@ -3,7 +3,7 @@ title: List exposure score by device group description: Retrieves a list of exposure scores by device group. keywords: apis, graph api, supported apis, get, exposure score, device group, device group exposure score search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ ms.author: ellevin ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List exposure score by device group @@ -69,7 +70,7 @@ If successful, this method returns 200 OK, with a list of exposure score per dev Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/exposureScore/ByMachineGroups ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 42ceb10f0e..3e9b901fac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -3,7 +3,7 @@ title: Get machine logon users API description: Learn how to use the Get machine logon users API to retrieve a collection of logged on users on a device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, device, log on, users search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machine logon users API @@ -86,9 +87,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c29 Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md index 86de75298d..cf6f953a00 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-related-alerts.md @@ -3,7 +3,7 @@ title: Get machine related alerts API description: Learn how to use the Get machine related alerts API to retrieve all alerts related to a specific device in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, devices, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machine related alerts API diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md index da012c1b41..9520bd1379 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineaction-object.md @@ -3,7 +3,7 @@ title: Get MachineAction object API description: Learn how to use the Get MachineAction API to retrieve a specific Machine Action by its ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, machineaction object search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get machineAction API @@ -76,7 +77,7 @@ If successful, this method returns 200, Ok response code with a [Machine Action] Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba ``` @@ -85,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions/2e9da30d-27f6-42 Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions/$entity", "id": "5382f7ea-7557-4ab7-9782-d50480024a4e", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index ec9d161528..d910d3beda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -3,7 +3,7 @@ title: List machineActions API description: Learn how to use the List MachineActions API to retrieve a collection of Machine Actions in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List MachineActions API @@ -81,7 +82,7 @@ If successful, this method returns 200, Ok response code with a collection of [m Here is an example of the request on an organization that has three MachineActions. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions ``` @@ -90,9 +91,7 @@ GET https://api.securitycenter.microsoft.com/api/machineactions Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineActions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md deleted file mode 100644 index 925103b0d1..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinegroups-collection.md +++ /dev/null @@ -1,89 +0,0 @@ ---- -title: Get RBAC machine groups collection API -description: Learn how to use the Get KB collection API to retrieve a collection of RBAC device groups in Microsoft Defender Advanced Threat Protection. -keywords: apis, graph api, supported apis, get, RBAC, group -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: leonidzh -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article -ms.date: 10/07/2018 ---- - -# Get KB collection API - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) - -[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] - -[!include[Improve request performance](../../includes/improve-request-performance.md)] - - -Retrieves a collection of RBAC device groups. - -## Permissions -User needs read permissions. - -## HTTP request -``` -GET /testwdatppreview/machinegroups -``` - -## Request headers - -Header | Value -:---|:--- -Authorization | Bearer {token}. **Required**. -Content type | application/json - -## Request body -Empty - -## Response -If successful - 200 OK. - -## Example - -**Request** - -Here is an example of the request. - -``` -GET https://graph.microsoft.com/testwdatppreview/machinegroups -Content-type: application/json -``` - -**Response** - -Here is an example of the response. -Field id contains device group **id** and equal to field **rbacGroupId** in devices info. -Field **ungrouped** is true only for one group for all devices that have not been assigned to any group. This group as usual has name "UnassignedGroup". - -``` -HTTP/1.1 200 OK -Content-type: application/json -{ - "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups", - "@odata.count":7, - "value":[ - { - "id":86, - "name":"UnassignedGroup", - "description":"", - "ungrouped":true}, - … -} -``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md index 8cb9e3c2d3..b2f9da0734 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-software.md @@ -3,7 +3,7 @@ title: List devices by software description: Retrieve a list of devices that has this software installed. keywords: apis, graph api, supported apis, get, list devices, devices list, list devices by software, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List devices by software @@ -66,7 +67,7 @@ If successful, this method returns 200 OK and a list of devices with the softwar Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machineReferences ``` @@ -75,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/machi Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#MachineReferences", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md index bc0c969c79..bf4208cd36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines-by-vulnerability.md @@ -3,7 +3,7 @@ title: List devices by vulnerability description: Retrieves a list of devices affected by a vulnerability. keywords: apis, graph api, supported apis, get, devices list, vulnerable devices, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List devices by vulnerability @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/vulnerabilities/CVE-2019-0608/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md index 6c89d74e65..44e815ff37 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machines.md @@ -3,7 +3,7 @@ title: List machines API description: Learn how to use the List machines API to retrieve a collection of machines that have communicated with Microsoft Defender ATP cloud. keywords: apis, graph api, supported apis, get, devices search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List machines API @@ -32,9 +33,12 @@ ms.topic: article ## API description Retrieves a collection of [Machines](machine.md) that have communicated with Microsoft Defender for Endpoint cloud. - Supports [OData V4 queries](https://www.odata.org/documentation/). - The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. - See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md) + +Supports [OData V4 queries](https://www.odata.org/documentation/). + +The OData's `$filter` query is supported on: `computerDnsName`, `lastSeen`, `healthStatus`, `osPlatform`, `riskScore` and `rbacGroupId`. + +See examples at [OData queries with Defender for Endpoint](exposed-apis-odata-samples.md). ## Limitations @@ -54,8 +58,8 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine >[!Note] > When obtaining a token using user credentials: ->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information) ->- Response will include only devices, that the user have access to, based on device group settings (See [Create and manage device groups](machine-groups.md) for more information) +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information). +>- Response will include only devices, that the user have access to, based on device group settings. For more info, see [Create and manage device groups](machine-groups.md). ## HTTP request @@ -91,32 +95,44 @@ GET https://api.securitycenter.microsoft.com/api/machines Here is an example of the response. -```http -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Machines", "value": [ { - "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", "computerDnsName": "mymachine1.contoso.com", "firstSeen": "2018-08-02T14:55:03.7791856Z", - "lastSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2021-01-25T07:27:36.052313Z", "osPlatform": "Windows10", - "version": "1709", "osProcessor": "x64", - "lastIpAddress": "172.17.230.209", - "lastExternalIpAddress": "167.220.196.71", - "osBuild": 18209, + "version": "1901", + "lastIpAddress": "10.166.113.46", + "lastExternalIpAddress": "167.220.203.175", + "osBuild": 19042, "healthStatus": "Active", - "rbacGroupId": 140, + "deviceValue": "Normal", "rbacGroupName": "The-A-Team", "riskScore": "Low", - "exposureLevel": "Medium", - "isAadJoined": true, - "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", - "machineTags": [ "test tag 1", "test tag 2" ] - } + "exposureLevel": "Low", + "aadDeviceId": "fd2e4d29-7072-4195-aaa5-1af139b78028", + "machineTags": [ + "Tag1", + "Tag2" + ], + "ipAddresses": [ + { + "ipAddress": "10.166.113.47", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + }, + { + "ipAddress": "2a01:110:68:4:59e4:3916:3b3e:4f96", + "macAddress": "8CEC4B897E73", + "operationalStatus": "Up" + } + ] + }, ... ] } diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index 4f1d4fedec..9d1e0ef235 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -4,7 +4,7 @@ description: Retrieve a collection of device security states using Microsoft Def keywords: apis, graph api, supported apis, get, device, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: article +ms.collection: M365-security-compliance +ms.topic: article +ms.technology: mde --- # Get Machines security states collection API @@ -59,9 +60,8 @@ If successful - 200 OK. Here is an example of the request. -``` +```http GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates -Content-type: application/json ``` **Response** @@ -69,9 +69,7 @@ Content-type: application/json Here is an example of the response. Field *id* contains device id and equal to the field *id** in devices info. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", "@odata.count":444, diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md index 089381bade..d3c13ddae1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-machine.md @@ -3,7 +3,7 @@ title: Get missing KBs by device ID description: Retrieves missing security updates by device ID keywords: apis, graph api, supported apis, get, list, file, information, device id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get missing KBs by device ID @@ -29,7 +30,11 @@ ms.topic: article [!include[Improve request performance](../../includes/improve-request-performance.md)] -Retrieves missing KBs (security updates) by device ID +## API description +Retrieves missing KBs (security updates) by device ID. + +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. ## HTTP request @@ -57,7 +62,7 @@ If successful, this method returns 200 OK, with the specified device missing kb Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/2339ad14a01bd0299afb93dfa2550136057bff96/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md index a74bad1490..3b53dabe02 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-missing-kbs-software.md @@ -3,7 +3,7 @@ title: Get missing KBs by software ID description: Retrieves missing security updates by software ID keywords: apis, graph api, supported apis, get, list, file, information, software id, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get missing KBs by software ID @@ -67,7 +68,7 @@ If successful, this method returns 200 OK, with the specified software missing k Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/getmissingkbs ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md index 332e875e6e..2683556f81 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-package-sas-uri.md @@ -3,7 +3,7 @@ title: Get package SAS URI API description: Use this API to get a URI that allows downloading an investigation package. keywords: apis, graph api, supported apis, get package, sas, uri search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get package SAS URI API @@ -72,19 +73,15 @@ If successful, this method returns 200, Ok response code with object that holds Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri - ``` **Response** Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json - +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String", "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md index 3666ef7955..5548416186 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-by-id.md @@ -1,9 +1,9 @@ --- title: Get recommendation by Id description: Retrieves a security recommendation by its ID. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation by ID, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get recommendation by ID @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md index dfec0fb89f..fa448849b7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-machines.md @@ -1,9 +1,9 @@ --- title: List devices by recommendation -description: Retrieves a list of devices associated with the security recommendation. -keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api +description: Retrieves a list of devices associated with the security recommendation. +keywords: apis, graph api, supported apis, get, security recommendation for vulnerable devices, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List devices by recommendation @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the list of devices associated wi Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/machineReferences ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md index c0adaddae0..0fcdc3e55a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-software.md @@ -1,9 +1,9 @@ --- title: Get recommendation by software description: Retrieves a security recommendation related to a specific software. -keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, security recommendation, security recommendation for software, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get recommendation by software @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the software associated with the Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md index 9c06a2df8f..e4a52ff2a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-recommendation-vulnerabilities.md @@ -1,9 +1,9 @@ --- title: List vulnerabilities by recommendation description: Retrieves a list of vulnerabilities associated with the security recommendation. -keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api +keywords: apis, graph api, supported apis, get, list of vulnerabilities, security recommendation, security recommendation for vulnerabilities, threat and vulnerability management, threat and vulnerability management api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities by recommendation @@ -66,7 +67,7 @@ If successful, this method returns 200 OK, with the list of vulnerabilities asso Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/recommendations/va-_-google-_-chrome/vulnerabilities ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md index 1cf2a7793b..2581a14cb0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-security-recommendations.md @@ -3,7 +3,7 @@ title: Get security recommendations description: Retrieves a collection of security recommendations related to a given device ID. keywords: apis, graph api, supported apis, get, list, file, information, security recommendation per device, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get security recommendations @@ -30,8 +31,12 @@ ms.topic: article [!include[Prerelease information](../../includes/prerelease.md)] +## API description Retrieves a collection of security recommendations related to a given device ID. +## Limitations +1. Rate limitations for this API are 50 calls per minute and 1500 calls per hour. + ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -65,7 +70,7 @@ If successful, this method returns 200 OK with the security recommendations in t Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf44207c4006ed7cc4501/recommendations ``` @@ -74,7 +79,7 @@ GET https://api.securitycenter.microsoft.com/api/machines/ac233fa6208e1579620bf4 Here is an example of the response. -``` +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Recommendations", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md index 8c13f1d5da..43ed0055bf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-by-id.md @@ -1,9 +1,9 @@ --- title: Get software by Id -description: Retrieves a list of exposure scores by device group. +description: Retrieves a list of sofware by ID. keywords: apis, graph api, supported apis, get, software, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get software by Id @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the specified software data in th Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge ``` @@ -75,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Software/$entity", "id": "microsoft-_-edge", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md index 2bb098203c..897e0c91a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software-ver-distribution.md @@ -1,9 +1,9 @@ --- -title: List software version distribution -description: Retrieves a list of your organization's software version distribution +title: List software version distribution +description: Retrieves a list of your organization's software version distribution keywords: apis, graph api, supported apis, get, software version distribution, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List software version distribution @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with a list of software distributions Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distributions ``` @@ -75,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/distr Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Distributions", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-software.md index 7629b66bff..b070207ed0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-software.md @@ -3,7 +3,7 @@ title: List software description: Retrieves a list of software inventory keywords: apis, graph api, supported apis, get, list, file, information, software inventory, threat & vulnerability management api, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List software inventory API @@ -65,7 +66,7 @@ If successful, this method returns 200 OK with the software inventory in the bod Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md index f0151a49db..d126296521 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md @@ -5,7 +5,7 @@ description: Learn the steps and requirements to integrate your solution with Mi keywords: partner, integration, solution validation, certification, requirements, member, misa, application portal search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Become a Microsoft Defender for Endpoint partner diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md index 5cd725bebe..5a5ea5a354 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ti-indicators-collection.md @@ -3,7 +3,7 @@ title: List Indicators API description: Learn how to use the List Indicators API to retrieve a collection of all active Indicators in Microsoft Defender Advanced Threat Protection. keywords: apis, public api, supported apis, Indicators collection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List Indicators API @@ -77,7 +78,7 @@ If successful, this method returns 200, Ok response code with a collection of [I Here is an example of a request that gets all Indicators -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators ``` @@ -85,9 +86,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ @@ -140,7 +139,7 @@ Content-type: application/json Here is an example of a request that gets all Indicators with 'AlertAndBlock' action -``` +```http GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'AlertAndBlock' ``` @@ -148,9 +147,7 @@ GET https://api.securitycenter.microsoft.com/api/indicators?$filter=action+eq+'A Here is an example of the response. -``` -HTTP/1.1 200 Ok -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Indicators", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md index d9af8b76ce..d4d47fa618 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-information.md @@ -3,7 +3,7 @@ title: Get user information API description: Learn how to use the Get user information API to retrieve a User entity by key, or user name, in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user information search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get user information API @@ -63,9 +64,8 @@ If successful and user exists - 200 OK with [user](user.md) entity in the body. Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1 -Content-type: application/json ``` **Response** @@ -73,9 +73,7 @@ Content-type: application/json Here is an example of the response. -``` -HTTP/1.1 200 OK -Content-type: application/json +```json { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Users/$entity", "id": "user1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index d16cd4cfee..341e56d35d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -3,7 +3,7 @@ title: Get user-related alerts API description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get user-related alerts API @@ -80,6 +81,6 @@ If successful and user exists - 200 OK. If the user does not exist - 404 Not Fou Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/alerts ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 88a70fd056..b91c080c8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -3,7 +3,7 @@ title: Get user-related machines API description: Learn how to use the Get user-related machines API to retrieve a collection of devices related to a user ID in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get user-related machines API @@ -81,6 +82,6 @@ If successful and user exists - 200 OK with list of [machine](machine.md) entiti Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/users/user1/machines ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md index abb77af560..762572746a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vuln-by-software.md @@ -1,9 +1,9 @@ --- title: List vulnerabilities by software -description: Retrieve a list of vulnerabilities in the installed software. +description: Retrieve a list of vulnerabilities in the installed software. keywords: apis, graph api, supported apis, get, vulnerabilities list, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # List vulnerabilities by software @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with a a list of vulnerabilities expos Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulnerabilities ``` @@ -75,7 +76,6 @@ GET https://api.securitycenter.microsoft.com/api/Software/microsoft-_-edge/vulne Here is an example of the response. ```json - { "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Collection(Analytics.Contracts.PublicAPI.PublicVulnerabilityDto)", "value": [ diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md index df3bc5a56f..441ac6bf08 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-vulnerability-by-id.md @@ -3,7 +3,7 @@ title: Get vulnerability by Id description: Retrieves vulnerability information by its ID. keywords: apis, graph api, supported apis, get, vulnerability information, mdatp tvm api search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Get vulnerability by ID @@ -66,7 +67,7 @@ If successful, this method returns 200 OK with the vulnerability information in Here is an example of the request. -``` +```http GET https://api.securitycenter.microsoft.com/api/Vulnerabilities/CVE-2019-0608 ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index 1c89d002cb..972dc7f639 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -1,10 +1,10 @@ --- -title: Microsoft Defender ATP for US Government GCC High customers -description: Learn about the requirements and the available Microsoft Defender ATP capabilities for US Government CCC High customers -keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp +title: Microsoft Defender for Endpoint for US Government customers +description: Learn about the requirements and the available Microsoft Defender for Endpoint capabilities for US Government customers +keywords: government, gcc, high, requirements, capabilities, defender, defender atp, mdatp, endpoint, dod search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,104 +13,128 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- -# Microsoft Defender for Endpoint for US Government GCC High customers +# Microsoft Defender for Endpoint for US Government customers [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -Microsoft Defender for Endpoint for US Government Community Cloud High (GCC High) customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial. +Microsoft Defender for Endpoint for US Government customers, built in the US Azure Government environment, uses the same underlying technologies as Defender for Endpoint in Azure Commercial. -This offering is currently available to US Office 365 GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some key differences in the availability of capabilities for this offering. +This offering is currently available to Microsoft 365 GCC and GCC High customers and is based on the same prevention, detection, investigation, and remediation as the commercial version. However, there are some differences in the availability of capabilities for this offering. +> [!NOTE] +> If you are a "GCC on Commercial" customer, please refer to the public documentation pages. + +## Portal URLs +The following are the Microsoft Defender for Endpoint portal URLs for US Government customers: + +Customer type | Portal URL +:---|:--- +GCC | https://gcc.securitycenter.microsoft.us +GCC High | https://securitycenter.microsoft.us + + ## Endpoint versions + +### Standalone OS versions The following OS versions are supported: -- Windows 10, version 1903 -- Windows 10, version 1809 (OS Build 17763.404 with [KB4490481](https://support.microsoft.com/help/4490481)) -- Windows 10, version 1803 (OS Build 17134.799 with [KB4499183](https://support.microsoft.com/help/4499183)) -- Windows 10, version 1709 (OS Build 16299.1182 with [KB4499147](https://support.microsoft.com/help/4499147)) -- Windows Server, 2019 (with [KB4490481](https://support.microsoft.com/help/4490481)) +OS version | GCC | GCC High +:---|:---|:--- +Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  |  +Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) |  |  +Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  |  +Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) |  |  +Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  |  +Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) |  |  +Windows 10, version 1709 |  Note: Won't be supported |  With [KB4499147](https://support.microsoft.com/help/4499147) Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade +Windows 10, version 1703 and earlier |  Note: Won't be supported |  Note: Won't be supported +Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) |  |  +Windows Server 2016 |  |  In development +Windows Server 2012 R2 |  |  In development +Windows Server 2008 R2 SP1 |  |  In development +Windows 8.1 Enterprise |  |  In development +Windows 8 Pro |  |  In development +Windows 7 SP1 Enterprise |  |  In development +Windows 7 SP1 Pro |  |  In development +Linux |  In development |  In development +macOS |  In development |  In development +Android |  On engineering backlog |  On engineering backlog +iOS |  On engineering backlog |  On engineering backlog ->[!NOTE] ->A patch must be deployed before device onboarding in order to configure Defender for Endpoint to the correct environment. +> [!NOTE] +> Where a patch is specified, it must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment. -The following OS versions are supported via Azure Security Center: -- Windows Server 2008 R2 SP1 -- Windows Server 2012 R2 -- Windows Server 2016 +> [!NOTE] +> Trying to onboard Windows devices older than Windows 10 or Windows Server 2019 using [Microsoft Monitoring Agent](configure-server-endpoints.md#option-1-onboard-by-installing-and-configuring-microsoft-monitoring-agent-mma)? You'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. -The following OS versions are not supported: -- Windows Server 2008 R2 SP1 (standalone, not via ASC) -- Windows Server 2012 R2 (standalone, not via ASC) -- Windows Server 2016 (standalone, not via ASC) -- Windows Server, version 1803 -- Windows 7 SP1 Enterprise -- Windows 7 SP1 Pro -- Windows 8 Pro -- Windows 8.1 Enterprise -- macOS -- Linux +### OS versions when using Azure Defender for Servers +The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): -The initial release of Defender for Endpoint will not have immediate parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government (GCC High) customers, there are some capabilities not yet available that we'd like to highlight. These are the known gaps as of August 2020: +OS version | GCC | GCC High +:---|:---|:--- +Windows Server 2016 |  Rolling out |  +Windows Server 2012 R2 |  Rolling out |  +Windows Server 2008 R2 SP1 |  Rolling out |  -## Threat Analytics -Not currently available. - -## Threat & Vulnerability Management -Not currently available. - - -## Automated investigation and remediation -The following capabilities are not currently available: -- Response to Office 365 alerts -- Live response - - - -## Management and APIs -The following capabilities are not currently available: - -- Threat protection report -- Device health and compliance report -- Integration with third-party products - - -## Email notifications -Not currently available. - - -## Integrations -Integrations with the following Microsoft products are not currently available: -- Azure Advanced Threat Protection -- Azure Information Protection -- Defender for Office 365 -- Microsoft Cloud App Security -- Skype for Business -- Microsoft Intune (sharing of device information and enhanced policy enforcement) - -## Microsoft Threat Experts -Not currently available. + ## Required connectivity settings You'll need to ensure that traffic from the following are allowed: Service location | DNS record :---|:--- -Common URLs for all locations (Global location) | ```crl.microsoft.com``` ```ctldl.windowsupdate.com``` ```notify.windows.com``` ```settings-win.data.microsoft.com``` NOTE: ```settings-win.data.microsoft.com``` is only needed on Windows 10 devices running version 1803 or earlier. -Defender for Endpoint GCC High specific | ```us4-v20.events.data.microsoft.com``` ```winatp-gw-usgt.microsoft.com``` ```winatp-gw-usgv.microsoft.com``` ```*.blob.core.usgovcloudapi.net``` +Common URLs for all locations (Global location) | `crl.microsoft.com` `ctldl.windowsupdate.com` `notify.windows.com` `settings-win.data.microsoft.com` Note: `settings-win.data.microsoft.com` is only needed on Windows 10 devices running version 1803 or earlier. +Common URLs for all US Gov customers | `us4-v20.events.data.microsoft.com` `*.blob.core.usgovcloudapi.net` +Defender for Endpoint GCC specific | `winatp-gw-usmt.microsoft.com` `winatp-gw-usmv.microsoft.com` +Defender for Endpoint GCC High specific | `winatp-gw-usgt.microsoft.com` `winatp-gw-usgv.microsoft.com` + ## API -- Login endpoint: ```https://login.microsoftonline.us``` +Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: -- Microsoft Defender for Endpoint API endpoint: ```https://api-gov.securitycenter.microsoft.us``` +Endpoint type | GCC | GCC High +:---|:---|:--- +Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us` +Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us` +SIEM | `https://wdatp-alertexporter-us.gcc.securitycenter.windows.us` | `https://wdatp-alertexporter-us.securitycenter.windows.us` + +## Feature parity with commercial +Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight. + +These are the known gaps as of January 2021: + +Feature name | GCC | GCC High +:---|:---|:--- +Automated investigation and remediation: Live response |  |  In development +Automated investigation and remediation: Response to Office 365 alerts |  On engineering backlog |  On engineering backlog +Email notifications |  Rolling out |  In development +Evaluation lab |  |  In development +Management and APIs: Device health and compliance report |  |  In development +Management and APIs: Integration with third-party products |  |  In development +Management and APIs: Streaming API |  |  In development +Management and APIs: Threat protection report |  |  In development +Threat & vulnerability management |  |  In development +Threat analytics |  |  In development +Web content filtering |  In development |  In development +Integrations: Azure Sentinel |  |  In development +Integrations: Microsoft Cloud App Security |  On engineering backlog |  On engineering backlog +Integrations: Microsoft Compliance Center |  On engineering backlog |  On engineering backlog +Integrations: Microsoft Defender for Identity |  On engineering backlog |  On engineering backlog +Integrations: Microsoft Defender for Office 365 |  On engineering backlog |  On engineering backlog +Integrations: Microsoft Endpoint DLP |  On engineering backlog |  On engineering backlog +Integrations: Microsoft Intune |  |  In development +Integrations: Microsoft Power Automate & Azure Logic Apps |  |  In development +Integrations: Skype for Business / Teams |  |  In development +Microsoft Threat Experts |  On engineering backlog |  On engineering backlog diff --git a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md index f62c3b418f..f5397c26f3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md +++ b/windows/security/threat-protection/microsoft-defender-atp/grant-mssp-access.md @@ -1,10 +1,10 @@ --- title: Grant access to managed security service provider (MSSP) -description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP +description: Take the necessary steps to configure the MSSP integration with Microsoft Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Grant managed security service provider (MSSP) access (preview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md index adc3dd0a3b..88e26c2252 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/helpful-resources.md @@ -4,7 +4,7 @@ description: Access helpful resources such as links to blogs and other resources keywords: Microsoft Defender Security Center, product brief, brief, capabilities, licensing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Helpful Microsoft Defender for Endpoint resources @@ -28,31 +29,33 @@ ms.topic: conceptual Access helpful resources such as links to blogs and other resources related to Microsoft Defender for Endpoint. ## Endpoint protection platform -- [Top scoring in industry +- [Top scoring in industry tests](https://docs.microsoft.com/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests) -- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) +- [Inside out: Get to know the advanced technologies at the core of Defender for Endpoint next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/) -- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) +- [Protecting disconnected devices with Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Protecting-disconnected-devices-with-Microsoft-Defender-ATP/ba-p/500341) -- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) +- [Tamper protection in Defender for Endpoint](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Tamper-protection-in-Microsoft-Defender-ATP/ba-p/389571) ## Endpoint Detection Response -- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) +- [Incident response at your fingertips with Defender for Endpoint live response](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Incident-response-at-your-fingertips-with-Microsoft-Defender-ATP/ba-p/614894) ## Threat Vulnerability Management -- [Defender for Endpoint Threat & Vulnerability Management now publicly +- [Defender for Endpoint Threat & Vulnerability Management now publicly available!](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/MDATP-Threat-amp-Vulnerability-Management-now-publicly-available/ba-p/460977) ## Operational -- [The Golden Hour remake - Defining metrics for a successful security +- [The Golden Hour remake - Defining metrics for a successful security operations](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/The-Golden-Hour-remake-Defining-metrics-for-a-successful/ba-p/782014) -- [Defender for Endpoint Evaluation lab is now available in public preview +- [Defender for Endpoint Evaluation lab is now available in public preview ](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271) -- [How automation brings value to your security +- [How automation brings value to your security teams](https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/How-automation-brings-value-to-your-security-teams/ba-p/729297) + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cloud-native-architecture.png b/windows/security/threat-protection/microsoft-defender-atp/images/cloud-native-architecture.png new file mode 100644 index 0000000000..c19f2aef54 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cloud-native-architecture.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/co-management-architecture.png b/windows/security/threat-protection/microsoft-defender-atp/images/co-management-architecture.png new file mode 100644 index 0000000000..4ce41c73a7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/co-management-architecture.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png new file mode 100644 index 0000000000..e30347f04c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-indicators.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png new file mode 100644 index 0000000000..c2092639af Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-overview.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png new file mode 100644 index 0000000000..85a91de789 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/false-positives-step-diagram.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/intune-onboarding.png b/windows/security/threat-protection/microsoft-defender-atp/images/intune-onboarding.png new file mode 100644 index 0000000000..216b928467 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/intune-onboarding.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png index d2f1c35a83..db725b26fa 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mac-system-extension-filter.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md index f496d2d153..73079133a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/microsoft-defender-atp/import-export-exploit-protection-emet-xml.md @@ -4,7 +4,7 @@ description: Use Group Policy to deploy mitigations configuration. keywords: Exploit protection, mitigations, import, export, configure, convert, conversion, deploy, install search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -13,6 +13,7 @@ author: levinec ms.author: ellevin ms.reviewer: manager: dansimp +ms.technology: mde --- # Import, export, and deploy exploit protection configurations diff --git a/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md new file mode 100644 index 0000000000..ae63ad7d4b --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/import-ti-indicators.md @@ -0,0 +1,142 @@ +--- +title: Import Indicators API +description: Learn how to use the Import batch of Indicator API in Microsoft Defender Advanced Threat Protection. +keywords: apis, supported apis, submit, ti, indicator, update +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article +--- + +# Import Indicators API + +[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] + + +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) + +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + +[!include[Improve request performance](../../includes/improve-request-performance.md)] + + +## API description +Submits or Updates batch of [Indicator](ti-indicator.md) entities. + CIDR notation for IPs is not supported. + +## Limitations +1. Rate limitations for this API are 30 calls per minute. +2. There is a limit of 15,000 active [Indicators](ti-indicator.md) per tenant. +3. Maximum batch size for one API call is 500. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Get started](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write Indicators' +Application | Ti.ReadWrite.All | 'Read and write All Indicators' +Delegated (work or school account) | Ti.ReadWrite | 'Read and write Indicators' + + +## HTTP request +``` +POST https://api.securitycenter.microsoft.com/api/indicators/import +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Indicators | List<[Indicator](ti-indicator.md)> | List of [Indicators](ti-indicator.md). **Required** + + +## Response +- If successful, this method returns 200 - OK response code with a list of import results per indicator, see example below. +- If not successful: this method return 400 - Bad Request. Bad request usually indicates incorrect body. + +## Example + +**Request** + +Here is an example of the request. + +```http +POST https://api.securitycenter.microsoft.com/api/indicators/import +``` + +```json +{ + "Indicators": + [ + { + "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "demo", + "application": "demo-test", + "expirationTime": "2021-12-12T00:00:00Z", + "action": "Alert", + "severity": "Informational", + "description": "demo2", + "recommendedActions": "nothing", + "rbacGroupNames": ["group1", "group2"] + }, + { + "indicatorValue": "2233223322332233223322332233223322332233223322332233223322332222", + "indicatorType": "FileSha256", + "title": "demo2", + "application": "demo-test2", + "expirationTime": "2021-12-12T00:00:00Z", + "action": "Alert", + "severity": "Medium", + "description": "demo2", + "recommendedActions": "nothing", + "rbacGroupNames": [] + } + ] +} +``` + +**Response** + +Here is an example of the response. + +```json +{ + "value": [ + { + "id": "2841", + "indicator": "220e7d15b011d7fac48f2bd61114db1022197f7f", + "isFailed": false, + "failureReason": null + }, + { + "id": "2842", + "indicator": "2233223322332233223322332233223322332233223322332233223322332222", + "isFailed": false, + "failureReason": null + } + ] +} +``` + +## Related topic +- [Manage indicators](manage-indicators.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md index 4c34fbe26c..40baef0411 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates.md @@ -1,11 +1,11 @@ --- -title: Create indicators based on certificates +title: Create indicators based on certificates ms.reviewer: description: Create indicators based on certificates that define the detection, prevention, and exclusion of entities. keywords: ioc, certificate, certificates, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators based on certificates diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md index 3e7b8c855d..78a28933b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-file.md @@ -1,11 +1,11 @@ --- -title: Create indicators for files +title: Create indicators for files ms.reviewer: description: Create indicators for a file hash that define the detection, prevention, and exclusion of entities. -keywords: file, hash, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: file, hash, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators for files @@ -38,7 +39,7 @@ There are two ways you can create indicators for files: ### Before you begin It's important to understand the following prerequisites prior to creating indicators for files: -- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). +- This feature is available if your organization uses Windows Defender Antivirus and Cloud-based protection is enabled. For more information, see [Manage cloud-based protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). - The Antimalware client version must be 4.18.1901.x or later. - Supported on machines on Windows 10, version 1703 or later, Windows server 2016 and 2019. - To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md index 800f2e0f16..2fd5f9cce1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md @@ -1,11 +1,11 @@ --- -title: Create indicators for IPs and URLs/domains +title: Create indicators for IPs and URLs/domains ms.reviewer: description: Create indicators for IPs and URLs/domains that define the detection, prevention, and exclusion of entities. -keywords: ip, url, domain, manage, allowed, blocked, whitelist, blacklist, block, clean, malicious, file hash, ip address, urls, domain +keywords: ip, url, domain, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators for IPs and URLs/domains @@ -51,14 +52,14 @@ It's important to understand the following prerequisites prior to creating indic > Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. > For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: > NOTE: ->- IP is supported for all three protocols ->- Only single IP addresses are supported (no CIDR blocks or IP ranges) ->- Encrypted URLs (full path) can only be blocked on first party browsers ->- Encrypted URLS (FQDN only) can be blocked outside of first party browsers ->- Full URL path blocks can be applied on the domain level and all unencrypted URLs +> - IP is supported for all three protocols +> - Only single IP addresses are supported (no CIDR blocks or IP ranges) +> - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge) +> - Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) +> - Full URL path blocks can be applied on the domain level and all unencrypted URLs ->[!NOTE] ->There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. +> [!NOTE] +> There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. ### Create an indicator for IPs, URLs, or domains from the settings page diff --git a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md index 569a727336..347e36b6a5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/indicator-manage.md @@ -5,7 +5,7 @@ description: Manage indicators for a file hash, IP address, URLs, or domains tha keywords: import, indicator, list, ioc, csv, manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage indicators diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index 74f53cc04c..1c11db4157 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -1,10 +1,10 @@ --- title: Information protection in Windows overview -ms.reviewer: +ms.reviewer: description: Learn about how information protection works in Windows to identify and protect sensitive information keywords: information, protection, dlp, data, loss, prevention, protect search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Information protection in Windows overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md index 30a7574c30..6299559448 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-investigation.md @@ -3,7 +3,7 @@ title: Use sensitivity labels to prioritize incident response description: Learn how to use sensitivity labels to prioritize and investigate incidents keywords: information, protection, data, loss, prevention,labels, dlp, incident, investigate, investigation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Use sensitivity labels to prioritize incident response diff --git a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md index 90bd7b9256..5617ebcae7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/initiate-autoir-investigation.md @@ -3,7 +3,7 @@ title: Start Investigation API description: Use this API to start investigation on a device. keywords: apis, graph api, supported apis, investigation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Start Investigation API @@ -83,9 +84,12 @@ If successful, this method returns 201 - Created response code and [Investigatio Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/startInvestigation -Content-type: application/json +``` + +```json { - "Comment": "Test investigation", + "Comment": "Test investigation" } +``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md index 541f45d7c4..b58e9f2197 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-alerts.md @@ -4,7 +4,7 @@ description: Use the investigation options to get details on alerts are affectin keywords: investigate, investigation, devices, device, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate alerts in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md index 42e6837413..179a53a1fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-behind-proxy.md @@ -4,7 +4,7 @@ description: Learn how to use advanced HTTP level monitoring through network pro keywords: proxy, network protection, forward proxy, network events, audit, block, domain names, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigate connection events that occur behind forward proxies diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md index bee61aaabc..5297a8957a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-domain.md @@ -4,7 +4,7 @@ description: Use the investigation options to see if devices and servers have be keywords: investigate domain, domain, malicious domain, microsoft defender atp, alert, URL search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate a domain associated with a Microsoft Defender for Endpoint alert diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md index a9e415015a..0f4a60d9b5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-files.md @@ -1,10 +1,10 @@ --- title: Investigate Microsoft Defender Advanced Threat Protection files -description: Use the investigation options to get details on files associated with alerts, behaviours, or events. +description: Use the investigation options to get details on files associated with alerts, behaviors, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,13 +14,14 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- -# Investigate a file associated with a Microsoft Defender ATP alert +# Investigate a file associated with a Microsoft Defender for Endpoint alert [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md index 003cb02227..7b03162e01 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-incidents.md @@ -1,10 +1,10 @@ --- title: Investigate incidents in Microsoft Defender ATP -description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident +description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident keywords: investigate, incident, alerts, metadata, risk, detection source, affected devices, patterns, correlation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigate incidents in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md index 3647ff20ed..a9f13f2327 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-ip.md @@ -4,7 +4,7 @@ description: Use the investigation options to examine possible communication bet keywords: investigate, investigation, IP address, alert, microsoft defender atp, external IP search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate an IP address associated with a Microsoft Defender for Endpoint alert diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md index 1a47eaf935..5fe4f76ffc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-machines.md @@ -4,7 +4,7 @@ description: Investigate affected devices by reviewing alerts, network connectio keywords: devices, tags, groups, endpoint, alerts queue, alerts, device name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service health search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigate devices in the Microsoft Defender for Endpoint Devices list diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md index 292ee98eec..694b64620b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigate-user.md @@ -4,7 +4,7 @@ description: Investigate a user account for potential compromised credentials or keywords: investigate, account, user, user entity, alert, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article ms.date: 04/24/2018 +ms.technology: mde --- # Investigate a user account in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/investigation.md b/windows/security/threat-protection/microsoft-defender-atp/investigation.md index d5a2cf97cf..64b309d544 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/investigation.md @@ -3,7 +3,7 @@ title: Investigation resource type description: Microsoft Defender ATP Investigation entity. keywords: apis, graph api, supported apis, get, alerts, investigations search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Investigation resource type @@ -39,7 +40,7 @@ Represent an Automated Investigation entity in Defender for Endpoint. Method|Return Type |Description :---|:---|:--- [List Investigations](get-investigation-collection.md) | Investigation collection | Get collection of Investigation -[Get single Investigation](get-investigation-collection.md) | Investigation entity | Gets single Investigation entity. +[Get single Investigation](get-investigation-object.md) | Investigation entity | Gets single Investigation entity. [Start Investigation](initiate-autoir-investigation.md) | Investigation entity | Starts Investigation on a device. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md index 6c50645b1f..00fc73300c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-configure-features.md @@ -1,11 +1,11 @@ --- title: Configure Microsoft Defender ATP for iOS features -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for iOS features keywords: microsoft, defender, atp, ios, configure, features, ios search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure Microsoft Defender for Endpoint for iOS features @@ -27,40 +28,11 @@ ms.topic: conceptual > [!NOTE] > Defender for Endpoint for iOS would use a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. -## Configure compliance policy against jailbroken devices +## Conditional Access with Defender for Endpoint for iOS +Microsoft Defender for Endpoint for iOS along with Microsoft Intune and Azure Active Directory enables enforcing Device compliance and Conditional Access policies +based on device risk levels. Defender for Endpoint is a Mobile Threat Defense (MTD) solution that you can deploy to leverage this capability via Intune. -To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. - -> [!NOTE] -> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally - -Follow the steps below to create a compliance policy against jailbroken devices. - -1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> click on **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. - - > [!div class="mx-imgBorder"] - >  - -1. Specify a name of the policy, example "Compliance Policy for Jailbreak". -1. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. - - > [!div class="mx-imgBorder"] - >  - -1. In the *Action for noncompliance* section, select the actions as per your requirements and click **Next**. - - > [!div class="mx-imgBorder"] - >  - -1. In the *Assignments* section, select the user groups that you want to include for this policy and then click **Next**. -1. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. - -## Configure custom indicators - -Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. Refer to [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) on how to configure custom indicators. - -> [!NOTE] -> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. +For more information about how to set up Conditional Access with Defender for Endpoint for iOS, see [Defender for Endpoint and Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection). ## Web Protection and VPN @@ -78,10 +50,46 @@ While enabled by default, there might be some cases that require you to disable > [!NOTE] > Web Protection will not be available when VPN is disabled. To re-enable Web Protection, open the Microsoft Defender for Endpoint app on the device and click or tap **Start VPN**. -### Co-existence of multiple VPN profiles +## Co-existence of multiple VPN profiles Apple iOS does not support multiple device-wide VPNs to be active simultaneously. While multiple VPN profiles can exist on the device, only one VPN can be active at a time. + +## Configure compliance policy against jailbroken devices + +To protect corporate data from being accessed on jailbroken iOS devices, we recommend that you set up the following compliance policy on Intune. + +> [!NOTE] +> At this time Microsoft Defender for Endpoint for iOS does not provide protection against jailbreak scenarios. If used on a jailbroken device, then in specific scenarios data that is used by the application like your corporate email id and corporate profile picture (if available) can be exposed locally + +Follow the steps below to create a compliance policy against jailbroken devices. + +1. In [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Devices** -> **Compliance policies** -> **Create Policy**. Select "iOS/iPadOS" as platform and click **Create**. + + > [!div class="mx-imgBorder"] + >  + +2. Specify a name of the policy, for example "Compliance Policy for Jailbreak". +3. In the compliance settings page, click to expand **Device Health** section and click **Block** for **Jailbroken devices** field. + + > [!div class="mx-imgBorder"] + >  + +4. In the *Action for noncompliance* section, select the actions as per your requirements and select **Next**. + + > [!div class="mx-imgBorder"] + >  + +5. In the *Assignments* section, select the user groups that you want to include for this policy and then select **Next**. +6. In the **Review+Create** section, verify that all the information entered is correct and then select **Create**. + +## Configure custom indicators + +Defender for Endpoint for iOS enables admins to configure custom indicators on iOS devices as well. For more information on how to configure custom indicators, see [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators). + +> [!NOTE] +> Defender for Endpoint for iOS supports creating custom indicators only for IP addresses and URLs/domains. + ## Report unsafe site Phishing websites impersonate trustworthy websites for the purpose of obtaining your personal or financial information. Visit the [Provide feedback about network protection](https://www.microsoft.com/wdsi/filesubmission/exploitguard/networkprotection) page if you want to report a website that could be a phishing site. diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md index 6f0005e8b9..c58faa8d2e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-install.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-install.md @@ -1,11 +1,11 @@ --- title: App-based deployment for Microsoft Defender ATP for iOS -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for iOS using an app keywords: microsoft, defender, atp, ios, app, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for iOS diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md index 361ee24da1..8bea026e5d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -1,11 +1,11 @@ --- title: Privacy information - Microsoft Defender for Endpoint for iOS -ms.reviewer: +ms.reviewer: description: Describes privacy information for Microsoft Defender for Endpoint for iOS keywords: microsoft, defender, atp, ios, policy, overview search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Privacy information - Microsoft Defender for Endpoint for iOS @@ -41,9 +42,7 @@ Here is a list of the types of data being collected: ### Web page or Network information -- Connection information only when a malicious connection or web page is detected. - -- Protocol type (such as HTTP, HTTPS, etc.) only when a malicious connection or web page is detected. +- Domain name of the website only when a malicious connection or web page is detected. ### Device and account information diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md index 997e5ed226..aa2cb53ec8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for iOS Application license terms -ms.reviewer: +ms.reviewer: description: Describes the Microsoft Defender ATP for iOS license terms -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,10 +15,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual hideEdit: true +ms.technology: mde --- # Microsoft Defender for Endpoint for iOS application license terms diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 7d5d12f3e4..15f0c9b691 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md @@ -3,7 +3,7 @@ title: Isolate machine API description: Learn how to use the Isolate machine API to isolate a device from accessing external network in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, isolate device search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Isolate machine API @@ -89,13 +90,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -```console +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate -Content-type: application/json +``` + +```json { "Comment": "Isolate machine due to alert 1234", - “IsolationType”: “Full” + "IsolationType": "Full" } ``` -- To unisolate a device, see [Release device from isolation](unisolate-machine.md). +- To release a device from isolation, see [Release device from isolation](unisolate-machine.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md index e1e14ad345..34da9afb03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-exclusions.md @@ -4,7 +4,7 @@ description: Provide and validate exclusions for Microsoft Defender ATP for Linu keywords: microsoft, defender, atp, linux, exclusions, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender for Endpoint for Linux diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index cb813cf147..c45701fbed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Linux manually -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Linux manually diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md index 35fe0795ab..b0ac68a9e6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-ansible.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Linux with Ansible -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Ansible. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Linux with Ansible diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md index 46100ac983..157fa13b36 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-with-puppet.md @@ -1,11 +1,11 @@ --- title: Deploy Microsoft Defender ATP for Linux with Puppet -ms.reviewer: +ms.reviewer: description: Describes how to deploy Microsoft Defender ATP for Linux using Puppet. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploy Microsoft Defender for Endpoint for Linux with Puppet @@ -157,7 +158,7 @@ $version = undef } file { '/etc/opt/microsoft/mdatp/mdatp_onboard.json': - source => 'puppet:///modules/mdatp/mdatp_onboard.json', + source => 'puppet:///modules/install_mdatp/mdatp_onboard.json', owner => root, group => root, mode => '0600', diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md index 2ec4ae0d08..c745a4803c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-preferences.md @@ -5,7 +5,7 @@ description: Describes how to configure Microsoft Defender ATP for Linux in ente keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Set preferences for Microsoft Defender for Endpoint for Linux @@ -200,7 +201,7 @@ Type of threat for which the behavior is configured. Action to take when coming across a threat of the type specified in the preceding section. Can be: - **Audit**: The device is not protected against this type of threat, but an entry about the threat is logged. -- **Block**: The device is protected against this type of threat and you are notified in the user interface and the security console. +- **Block**: The device is protected against this type of threat and you are notified in the security console. - **Off**: The device is not protected against this type of threat and nothing is logged. ||| diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md index 28afe2d32b..f389dd572e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-privacy.md @@ -4,7 +4,7 @@ description: Privacy controls, how to configure policy settings that impact priv keywords: microsoft, defender, atp, linux, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Privacy for Microsoft Defender for Endpoint for Linux diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md index ff2da099a2..7062258108 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-pua.md @@ -4,7 +4,7 @@ description: Detect and block Potentially Unwanted Applications (PUA) using Micr keywords: microsoft, defender, atp, linux, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Linux diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md index 3b12f36855..ec804b1358 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-resources.md @@ -5,7 +5,7 @@ description: Describes resources for Microsoft Defender ATP for Linux, including keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Resources @@ -36,20 +37,23 @@ If you can reproduce a problem, first increase the logging level, run the system 1. Increase logging level: ```bash - mdatp log level set --level verbose + mdatp log level set --level debug ``` + ```Output Log level configured successfully ``` 2. Reproduce the problem. -3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. +3. Run the following command to back up Defender for Endpoint's logs. The files will be stored inside of a .zip archive. ```bash sudo mdatp diagnostic create ``` + This command will also print out the file path to the backup after the operation succeeds: + ```Output Diagnostic file created: -Devices must be running one of the following versions of Windows 10: - - [1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later - - [1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) - - [1809](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) - - [1803](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) - - [1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) +- **Verify that you're running a supported version of Windows**. +Devices must be running one of the following versions of Windows -- **Make sure to install appropriate security updates**. - - 1903: [KB4515384](https://support.microsoft.com/help/4515384/windows-10-update-kb4515384) - - 1809 (RS5): [KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) - - 1803 (RS4): [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) - - 1709 (RS3): [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816) + - **Windows 10** + - [Version 1909](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1909) or later + - [Version 1903](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1903) with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384) + - [Version 1809 (RS 5)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809) with [with KB4537818](https://support.microsoft.com/help/4537818/windows-10-update-kb4537818) + - [Version 1803 (RS 4)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1803) with [KB4537795](https://support.microsoft.com/help/4537795/windows-10-update-kb4537795) + - [Version 1709 (RS 3)](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) with [KB4537816](https://support.microsoft.com/help/4537816/windows-10-update-kb4537816) + + - **Windows Server 2019 - Only applicable for Public preview** + - Version 1903 or (with [KB4515384](https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384)) later + - Version 1809 (with [KB4537818](https://support.microsoft.com/en-us/help/4537818/windows-10-update-kb4537818)) -- **Enable live response from the settings page**. +- **Enable live response from the advanced settings page**. You'll need to enable the live response capability in the [Advanced features settings](advanced-features.md) page. >[!NOTE] >Only users with manage security or global admin roles can edit these settings. + +- **Enable live response for servers from the advanced settings page** (recommended). + + >[!NOTE] + >Only users with manage security or global admin roles can edit these settings. - **Ensure that the device has an Automation Remediation level assigned to it**. You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response session to a member of that group. @@ -186,7 +192,7 @@ Here are some examples: |Command |What it does | |---------|---------| -|`"C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. | +|`Download "C:\windows\some_file.exe" &` |Starts downloading a file named *some_file.exe* in the background. | |`fg 1234` |Returns a download with command ID *1234* to the foreground. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md index 2e17fbc6fd..818558bc99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-exclusions.md @@ -4,7 +4,7 @@ description: Provide and validate exclusions for Microsoft Defender ATP for Mac. keywords: microsoft, defender, atp, mac, exclusions, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Configure and validate exclusions for Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md index d1f6337306..bc0711a28e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-jamfpro-login.md @@ -4,7 +4,7 @@ description: Log in to Jamf Pro keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Log in to Jamf Pro diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index 7f15b5ad73..375f715a8e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -4,7 +4,7 @@ description: Install Microsoft Defender ATP for macOS manually, from the command keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Manual deployment for Microsoft Defender for Endpoint for macOS @@ -115,7 +116,7 @@ To complete this process, you must have admin privileges on the device. The client device is not associated with orgId. Note that the *orgId* attribute is blank. ```bash - mdatp --health orgId + mdatp health --field org_id ``` 2. Run the Python script to install the configuration file: @@ -127,7 +128,7 @@ To complete this process, you must have admin privileges on the device. 3. Verify that the device is now associated with your organization and reports a valid *orgId*: ```bash - mdatp --health orgId + mdatp health --field org_id ``` After installation, you'll see the Microsoft Defender icon in the macOS status bar in the top-right corner. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 319d2756e1..e0cb7de973 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -4,7 +4,7 @@ description: Install Microsoft Defender for Endpoint for Mac, using Microsoft In keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Intune-based deployment for Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md index fccf7ab83a..45e4130495 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-jamf.md @@ -4,7 +4,7 @@ description: Deploying Microsoft Defender ATP for macOS with Jamf Pro keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deploying Microsoft Defender for Endpoint for macOS with Jamf Pro diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md index 509a722b64..e1befe8407 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-other-mdm.md @@ -4,7 +4,7 @@ description: Install Microsoft Defender ATP for Mac on other management solution keywords: microsoft, defender, atp, mac, installation, deploy, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md index d0bde6a3d1..73dc882a2c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-device-groups.md @@ -4,7 +4,7 @@ description: Learn how to set up device groups in Jamf Pro for Microsoft Defende keywords: device, group, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,12 +14,13 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- -# Set up Microsoft c for macOS device groups in Jamf Pro +# Set up Microsoft Defender for Endpoint for macOS device groups in Jamf Pro [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md index d6954e0d90..ab77dc10cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-enroll-devices.md @@ -1,10 +1,10 @@ --- -title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro -description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro +title: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro +description: Enroll Microsoft Defender ATP for macOS devices into Jamf Pro keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Enroll Microsoft Defender for Endpoint for macOS devices into Jamf Pro diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md index 5faeec9c8d..780f0d40dd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies.md @@ -4,7 +4,7 @@ description: Learn how to set up the Microsoft Defender ATP for macOS policies i keywords: policies, microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Set up the Microsoft Defender for Endpoint for macOS policies in Jamf Pro @@ -750,18 +751,14 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint  -4. Navigate to **Advanced Computer Searches**. - -  - -5. Select **Computer Management**. +4. Select your computer and click the gear icon at the top, then select **Computer Management**.  -6. In **Packages**, select **+ New**. +5. In **Packages**, select **+ New**.  -7. In **New Package** Enter the following details: +6. In **New Package** Enter the following details: **General tab** - Display Name: Leave it blank for now. Because it will be reset when you choose your pkg. @@ -774,15 +771,17 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint  -8. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +7. Select **Open**. Set the **Display Name** to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. + **Manifest File** is not required. Microsoft Defender Advanced Threat Protection works without Manifest File. + **Options tab** Keep default values. **Limitations tab** Keep default values.  -9. Select **Save**. The package is uploaded to Jamf Pro. +8. Select **Save**. The package is uploaded to Jamf Pro.  @@ -790,45 +789,45 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint  -10. Navigate to the **Policies** page. +9. Navigate to the **Policies** page.  -11. Select **+ New** to create a new policy. +10. Select **+ New** to create a new policy.  -12. In **General** Enter the following details: +11. In **General** Enter the following details: - Display name: MDATP Onboarding Contoso 200329 v100.86.92 or later  -13. Select **Recurring Check-in**. +12. Select **Recurring Check-in**.  -14. Select **Save**. +13. Select **Save**. -15. Select **Packages > Configure**. +14. Select **Packages > Configure**.  -16. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**. +15. Select the **Add** button next to **Microsoft Defender Advanced Threat Protection and Microsoft Defender Antivirus**.  -17. Select **Save**. +16. Select **Save**.  -18. Select the **Scope** tab. +17. Select the **Scope** tab.  -19. Select the target computers. +18. Select the target computers.  @@ -844,7 +843,7 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint  -20. Select **Done**. +19. Select **Done**.  @@ -853,4 +852,3 @@ Follow the instructions on [Schedule scans with Microsoft Defender for Endpoint - diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md index 615f212fd6..0c8ecdb75c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-preferences.md @@ -4,7 +4,7 @@ description: Configure Microsoft Defender ATP for Mac in enterprise organization keywords: microsoft, defender, atp, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Set preferences for Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md index 2bf5eaf608..c77522dac0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-privacy.md @@ -4,7 +4,7 @@ description: Privacy controls, how to configure policy settings that impact priv keywords: microsoft, defender, atp, mac, privacy, diagnostic search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Privacy for Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md index 7668c4bfd0..37371fa8f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-pua.md @@ -4,7 +4,7 @@ description: Detect and block Potentially Unwanted Applications (PUA) using Micr keywords: microsoft, defender, atp, mac, pua, pus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Detect and block potentially unwanted applications with Microsoft Defender for Endpoint for Mac @@ -58,7 +59,7 @@ You can configure how PUA files are handled from the command line or from the ma In Terminal, execute the following command to configure PUA protection: ```bash -mdatp --threat --type-handling potentially_unwanted_application [off|audit|block] +mdatp threat policy set --type potentially_unwanted_application --action [off|audit|block] ``` ### Use the management console to configure PUA protection: diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index b62abb198b..227df25707 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -4,7 +4,7 @@ description: Resources for Microsoft Defender ATP for Mac, including how to unin keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,10 +13,11 @@ author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint +ms.collection: + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Resources for Microsoft Defender for Endpoint for Mac @@ -148,7 +149,7 @@ To enable autocompletion in zsh: ## Client Microsoft Defender for Endpoint quarantine directory -`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`. +`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp threat list`. ## Microsoft Defender for Endpoint portal information diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md index 98d0151efc..331b7057ff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-schedule-scan-atp.md @@ -4,7 +4,7 @@ description: Learn how to schedule an automatic scanning time for Microsoft Defe keywords: microsoft, defender, atp, mac, scans, antivirus search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Schedule scans with Microsoft Defender for Endpoint for Mac @@ -46,7 +47,7 @@ You can create a scanning schedule using the *launchd* daemon on a macOS device. See [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) and [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). | |**[Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune)** (recommended) |Microsoft Intune (Intune), a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview), focuses on mobile device management (MDM) and mobile application management (MAM). With Intune, you control how your organization’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to control applications. See [Manage Microsoft Defender for Endpoint using Intune](manage-atp-post-migration-intune.md). | -|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Configuration Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software. See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). | +|**[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/understand/introduction)** |Microsoft Endpoint Manager (Configuration Manager), formerly known as System Center Configuration Manager, is a component of [Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview). Configuration Manager is a powerful tool to manage your users, devices, and software. See [Manage Microsoft Defender for Endpoint with Configuration Manager](manage-atp-post-migration-configuration-manager.md). | |**[Group Policy Objects in Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/manage-group-policy)** |[Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) includes built-in Group Policy Objects for users and devices. You can customize the built-in Group Policy Objects as needed for your environment, as well as create custom Group Policy Objects and organizational units (OUs). See [Manage Microsoft Defender for Endpoint with Group Policy Objects](manage-atp-post-migration-group-policy-objects.md). | |**[PowerShell, WMI, and MPCmdRun.exe](manage-atp-post-migration-other-tools.md)** |*We recommend using Microsoft Endpoint Manager (which includes Intune and Configuration Manager) to manage threat protection features on your organization's devices. However, you can configure some settings, such as Microsoft Defender Antivirus settings on individual devices (endpoints) with PowerShell, WMI, or the MPCmdRun.exe tool.* You can use PowerShell to manage Microsoft Defender Antivirus, exploit protection, and your attack surface reduction rules. See [Configure Microsoft Defender for Endpoint with PowerShell](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-powershell). You can use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus and exclusions. See [Configure Microsoft Defender for Endpoint with WMI](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-windows-management-instrumentation-wmi). You can use the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) to manage Microsoft Defender Antivirus and exclusions, as well as validate connections between your network and the cloud. See [Configure Microsoft Defender for Endpoint with MPCmdRun.exe](manage-atp-post-migration-other-tools.md#configure-microsoft-defender-for-endpoint-with-microsoft-malware-protection-command-line-utility-mpcmdrunexe). | +## See also + +- [Address false positives/negatives in Microsoft Defender for Endpoint](defender-endpoint-false-positives-negatives.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md index b0ca7217c9..eba504af82 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation.md @@ -4,7 +4,7 @@ description: Review and approve (or reject) remediation actions following an aut keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, devices, duration, filter export search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ms.date: 12/15/2020 +ms.technology: mde --- # Review and approve remediation actions following an automated investigation diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md index a82c4c98cc..a01e6d0c82 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-file-uploads.md @@ -4,7 +4,7 @@ description: Enable content analysis and configure the file extension and email keywords: automation, file, uploads, content, analysis, file, extension, email, attachment search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage automation file uploads diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index c60093cd86..ad0b7534bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -1,10 +1,10 @@ --- title: Manage automation folder exclusions -description: Add automation folder exclusions to control the files that are excluded from an automated investigation. +description: Add automation folder exclusions to control the files that are excluded from an automated investigation. keywords: manage, automation, exclusion, block, clean, malicious search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage automation folder exclusions diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md index 458c0798ce..e3078652a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-edr.md @@ -5,7 +5,7 @@ description: keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Manage endpoint detection and response capabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md index 4fa8c2f463..8da70d0d7e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-incidents.md @@ -1,10 +1,10 @@ --- title: Manage Microsoft Defender ATP incidents -description: Manage incidents by assigning it, updating its status, or setting its classification. +description: Manage incidents by assigning it, updating its status, or setting its classification. keywords: incidents, manage, assign, status, classification, true alert, false alert search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Manage Microsoft Defender for Endpoint incidents diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index e13c8bff5c..b6cfdd2f4a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -1,11 +1,11 @@ --- title: Create indicators -ms.reviewer: +ms.reviewer: description: Create indicators for a file hash, IP address, URLs, or domains that define the detection, prevention, and exclusion of entities. keywords: manage, allowed, blocked, block, clean, malicious, file hash, ip address, urls, domain search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create indicators diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md index bf6e43d5b2..4c884b71f6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-suppression-rules.md @@ -4,7 +4,7 @@ description: You might need to prevent alerts from appearing in the portal by us keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage suppression rules diff --git a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md index 4be39cf3be..7fa475efba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/management-apis.md +++ b/windows/security/threat-protection/microsoft-defender-atp/management-apis.md @@ -5,7 +5,7 @@ description: Learn about the management tools and API categories in Microsoft De keywords: onboarding, api, siem, rbac, access, portal, integration, investigation, response, entities, entity, user context, application context, streaming search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Overview of management and APIs @@ -23,10 +24,9 @@ ms.topic: conceptual [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mgt-apis-abovefoldlink) +- Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) Defender for Endpoint supports a wide variety of options to ensure that customers can easily adopt the platform. @@ -34,7 +34,7 @@ Acknowledging that customer environments and structures can vary, Defender for E ## Endpoint onboarding and portal access -Device onboarding is fully integrated into Microsoft Endpoint Configuration Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management. +Device onboarding is fully integrated into Microsoft Endpoint Manager and Microsoft Intune for client devices and Azure Security Center for server devices, providing complete end-to-end experience of configuration, deployment, and monitoring. In addition, Microsoft Defender for Endpoint supports Group Policy and other third-party tools used for devices management. Defender for Endpoint provides fine-grained control over what users with access to the portal can see and do through the flexibility of role-based access control (RBAC). The RBAC model supports all flavors of security teams structure: - Globally distributed organizations and security teams @@ -60,7 +60,7 @@ Defender for Endpoint offers a layered API model exposing data and capabilities Watch this video for a quick overview of Defender for Endpoint's APIs. >[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4d73M] -The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see, [Supported APIs](exposed-apis-list.md). +The **Investigation API** exposes the richness of Defender for Endpoint - exposing calculated or 'profiled' entities (for example, device, user, and file) and discrete events (for example, process creation and file creation) which typically describes a behavior related to an entity, enabling access to data via investigation interfaces allowing a query-based access to data. For more information, see [Supported APIs](exposed-apis-list.md). The **Response API** exposes the ability to take actions in the service and on devices, enabling customers to ingest indicators, manage settings, alert status, as well as take response actions on devices programmatically such as isolate devices from the network, quarantine files, and others. @@ -69,11 +69,11 @@ Defender for Endpoint raw data streaming API provides the ability for customers The Defender for Endpoint event information is pushed directly to Azure storage for long-term data retention, or to Azure Event Hubs for consumption by visualization services or additional data processing engines. -For more information, see, [Raw data streaming API](raw-data-export.md). +For more information, see [Raw data streaming API](raw-data-export.md). ## SIEM API -When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see, [SIEM integration](enable-siem-integration.md) +When you enable security information and event management (SIEM) integration, it allows you to pull detections from Microsoft Defender Security Center using your SIEM solution or by connecting directly to the detections REST API. This activates the SIEM connector access details section with pre-populated values and an application is created under your Azure Active Directory (Azure AD) tenant. For more information, see [SIEM integration](enable-siem-integration.md). ## Related topics - [Access the Microsoft Defender for Endpoint APIs ](apis-intro.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md index 6977f6f2c9..9f65ae6e85 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md @@ -4,8 +4,8 @@ description: Make the switch from McAfee to Microsoft Defender for Endpoint. Rea keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-mcafeemigrate -- m365solution-overview + - M365-security-compliance + - m365solution-mcafeemigrate + - m365solution-overview ms.topic: conceptual ms.custom: migrationguides ms.date: 09/22/2020 diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md index dd52552ec9..f703c93219 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md @@ -4,8 +4,8 @@ description: This is phase 3, Onboard, for migrating from McAfee to Microsoft De keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-McAfeemigrate -- m365solution-scenario + - M365-security-compliance + - m365solution-McAfeemigrate + - m365solution-scenario ms.custom: migrationguides ms.topic: article ms.date: 09/24/2020 diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md index 886846f36f..8108d9e245 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md @@ -4,8 +4,8 @@ description: This is phase 1, Prepare, for migrating from McAfee to Microsoft De keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-mcafeemigrate -- m365solution-scenario + - M365-security-compliance + - m365solution-mcafeemigrate + - m365solution-scenario ms.topic: article ms.custom: migrationguides ms.date: 09/22/2020 diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md index 432aed7160..d98440f9bd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -4,8 +4,8 @@ description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defe keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-mcafeemigrate -- m365solution-scenario + - M365-security-compliance + - m365solution-mcafeemigrate + - m365solution-scenario ms.topic: article ms.custom: migrationguides ms.date: 09/22/2020 @@ -142,7 +142,7 @@ Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defen |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator. 2. Type `sc query windefend`, and then press Enter. 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. 2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. 3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. 2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index a05d99d1d6..0f3f29d7c0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -1,11 +1,11 @@ --- -title: Configure Microsoft Cloud App Security integration +title: Configure Microsoft Cloud App Security integration ms.reviewer: description: Learn how to turn on the settings to enable the Microsoft Defender ATP integration with Microsoft Cloud App Security. keywords: cloud, app, security, settings, integration, discovery, report search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Microsoft Cloud App Security in Microsoft Defender for Endpoint @@ -44,7 +45,7 @@ Once activated, Microsoft Defender for Endpoint will immediately start forwardin ## View the data collected -To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). +To view and access Microsoft Defender for Endpoint data in Microsoft Cloud Apps Security, see [Investigate devices in Cloud App Security](https://docs.microsoft.com/cloud-app-security/mde-integration#investigate-devices-in-cloud-app-security). For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md index 87814b1b25..e3851124d6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-integration.md @@ -5,7 +5,7 @@ description: Microsoft Defender Advanced Threat Protection (Microsoft Defender A keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/18/2018 +ms.technology: mde --- # Microsoft Cloud App Security in Defender for Endpoint overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index fc37668b46..d3217034e2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -4,7 +4,7 @@ description: Microsoft Defender for Endpoint is an enterprise endpoint security keywords: introduction to Microsoft Defender for Endpoint, introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next-generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md index 8fe16c9e8d..f6108d29ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-android.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Android -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Android keywords: microsoft, defender, atp, android, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint for Android diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md index 7aa02ac093..dcb323a464 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for iOS overview -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for iOS keywords: microsoft, defender, atp, ios, overview, installation, deploy, uninstallation, intune search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint for iOS diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index 87dd24a90d..aa76048828 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Linux -ms.reviewer: +ms.reviewer: description: Describes how to install and use Microsoft Defender ATP for Linux. keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,16 +15,16 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint for Linux [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - This topic describes how to install, configure, update, and use Microsoft Defender for Endpoint for Linux. > [!CAUTION] @@ -35,6 +35,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend ### Prerequisites - Access to the Microsoft Defender Security Center portal +- Linux distribution using the [systemd](https://systemd.io/) system manager - Beginner-level experience in Linux and BASH scripting - Administrative privileges on the device (in case of manual deployment) @@ -100,12 +101,9 @@ After you've enabled the service, you may need to configure your network or fire The following downloadable spreadsheet lists the services and their associated URLs that your network must be able to connect to. You should ensure that there are no firewall or network filtering rules that would deny access to these URLs. If there are, you may need to create an *allow* rule specifically for them. - |**Spreadsheet of domains list**|**Description**| |:-----|:-----| -| | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) - - +| | Spreadsheet of specific DNS records for service locations, geographic locations, and OS. [Download the spreadsheet here.](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx) > [!NOTE] > For a more specific URL list, see [Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md index 0ec7a8050c..9766c422da 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac.md @@ -1,11 +1,11 @@ --- title: Microsoft Defender ATP for Mac -ms.reviewer: +ms.reviewer: description: Learn how to install, configure, update, and use Microsoft Defender Advanced Threat Protection for Mac. keywords: microsoft, defender, atp, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint for Mac @@ -131,7 +132,7 @@ The output from this command should be similar to the following: Once Microsoft Defender for Endpoint is installed, connectivity can be validated by running the following command in Terminal: ```bash -mdatp --connectivity-test +mdatp connectivity test ``` ## How to update Microsoft Defender for Endpoint for Mac diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md index b9fff07022..87fcc676b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-security-center.md @@ -4,7 +4,7 @@ description: Microsoft Defender Security Center is the portal where you can acce keywords: windows, defender, security, center, defender, advanced, threat, protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender Security Center diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md index d73aa55b7b..12ad2b50bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts.md @@ -1,11 +1,11 @@ --- -title: Microsoft Threat Experts +title: Microsoft Threat Experts ms.reviewer: description: Microsoft Threat Experts provides an additional layer of expertise to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: managed threat hunting service, managed threat hunting, managed detection and response (MDR) service, MTE, Microsoft Threat Experts search.product: Windows 10 search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Threat Experts diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md index 24527c0a89..5b18b5bad9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md +++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md @@ -1,21 +1,22 @@ --- title: Migration guides to make the switch to Microsoft Defender for Endpoint description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender for Endpoint -search.appverid: MET150 +search.appverid: MET150 author: denisebmsft ms.author: deniseb manager: dansimp audience: ITPro ms.topic: conceptual -ms.prod: w10 +ms.prod: m365-security ms.localizationpriority: medium ms.collection: -- M365-security-compliance -- m365solution-scenario + - M365-security-compliance + - m365solution-scenario ms.custom: migrationguides ms.reviewer: chriggs, depicker, yongrhee -f1.keywords: NOCSH +f1.keywords: NOCSH ms.date: 09/24/2020 +ms.technology: mde --- # Make the switch to Microsoft Defender for Endpoint and Microsoft Defender Antivirus diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 8605eac87e..f7623205a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -1,10 +1,10 @@ --- -title: Minimum requirements for Microsoft Defender ATP +title: Minimum requirements for Microsoft Defender for Endpoint description: Understand the licensing requirements and requirements for onboarding devices to the service keywords: minimum requirements, licensing, comparison table search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Minimum requirements for Microsoft Defender for Endpoint @@ -39,17 +40,19 @@ Microsoft Defender for Endpoint requires one of the following Microsoft volume l - Windows 10 Enterprise E5 - Windows 10 Education A5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -- Microsoft 365 E5 Security - Microsoft 365 A5 (M365 A5) +- Microsoft 365 E5 Security +- Microsoft 365 A5 Security +- Microsoft Defender for Endpoint > [!NOTE] > Eligible licensed users may use Microsoft Defender for Endpoint on up to five concurrent devices. > Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP). -Microsoft Defender for Endpoint, on Windows Server, requires one of the following licensing options: +Microsoft Defender for Endpoint for servers requires one of the following licensing options: - [Azure Security Center with Azure Defender enabled](https://docs.microsoft.com/azure/security-center/security-center-pricing) -- Defender for Endpoint for Servers (one per covered server) +- Microsoft Defender for Endpoint for Server (one per covered server) > [!NOTE] > Customers may acquire server licenses (one per covered server Operating System Environment (OSE)) for Microsoft Defender for Endpoint for Servers if they have a combined minimum of 50 licenses for one or more of the following user licenses: @@ -57,7 +60,7 @@ Microsoft Defender for Endpoint, on Windows Server, requires one of the followin > * Microsoft Defender for Endpoint > * Windows E5/A5 > * Microsoft 365 E5/A5 -> * Microsoft 365 E5 Security +> * Microsoft 365 E5/A5 Security For detailed licensing information, see the [Product Terms site](https://www.microsoft.com/licensing/terms/) and work with your account team to learn more about the terms and conditions. @@ -94,6 +97,7 @@ Access to Defender for Endpoint is done through a browser, supporting the follow - Windows Server 2016 - Windows Server, version 1803 or later - Windows Server 2019 +- Windows Virtual Desktop Devices on your network must be running one of these editions. @@ -195,18 +199,16 @@ When Microsoft Defender Antivirus is not the active antimalware in your organiza If your organization has turned off Microsoft Defender Antivirus through group policy or other methods, devices that are onboarded must be excluded from this group policy. -If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, you shouldn't uninstall Microsoft Defender Antivirus. You'll need to configure it to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints.md). +If you are onboarding servers and Microsoft Defender Antivirus is not the active antimalware on your servers, Microsoft Defender Antivirus will either need to be configured to go on passive mode or uninstalled. The configuration is dependent on the server version. For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). > [!NOTE] > Your regular group policy doesn't apply to Tamper Protection, and changes to Microsoft Defender Antivirus settings will be ignored when Tamper Protection is on. -For more information, see [Microsoft Defender Antivirus compatibility](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). - ## Microsoft Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled If you're running Microsoft Defender Antivirus as the primary antimalware product on your devices, the Defender for Endpoint agent will successfully onboard. -If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Configuration Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). +If you're running a third-party antimalware client and use Mobile Device Management solutions or Microsoft Endpoint Manager (current branch), you'll need to ensure that the Microsoft Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Microsoft Defender Antivirus is not disabled by policy](troubleshoot-onboarding.md#ensure-that-microsoft-defender-antivirus-is-not-disabled-by-a-policy). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md index 0bf437cb62..31f6d2de46 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-list.md @@ -1,10 +1,10 @@ --- -title: Supported managed security service providers +title: Supported managed security service providers description: See the list of MSSPs that Microsoft Defender ATP integrates with keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Supported managed security service providers diff --git a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md index e6d53ec221..a1e10a6e12 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mssp-support.md @@ -4,7 +4,7 @@ description: Understand how Microsoft Defender ATP integrates with managed secur keywords: mssp, integration, managed, security, service, provider search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Managed security service provider partnership opportunities diff --git a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md index 0b6737027d..29ed5acfbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/network-protection.md @@ -3,7 +3,7 @@ title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,11 +11,10 @@ ms.localizationpriority: medium audience: ITPro author: denisebmsft ms.author: deniseb -ms.date: 04/30/2019 ms.reviewer: manager: dansimp ms.custom: asr - +ms.technology: mde --- # Protect your network @@ -33,7 +32,7 @@ Network protection expands the scope of [Microsoft Defender SmartScreen](../micr Network protection is supported beginning with Windows 10, version 1709. -For more details about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. +For more information about how to enable network protection, see [Enable network protection](enable-network-protection.md). Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. > [!TIP] > You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. @@ -46,13 +45,13 @@ You can also use [audit mode](audit-windows-defender.md) to evaluate how Network ## Requirements -Network protection requires Windows 10 Pro, Enterprise E3, E5 and Microsoft Defender AV real-time protection. +Network protection requires Windows 10 Pro or Enterprise, and Microsoft Defender Antivirus real-time protection. -Windows 10 version | Microsoft Defender Antivirus --|- -Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled +| Windows 10 version | Microsoft Defender Antivirus | +|:---|:---| +| Windows 10 version 1709 or later | [Microsoft Defender AV real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) and [cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) must be enabled | -After you have enabled the services, you may need to configure your network or firewall to allow the connections between the services and your endpoints. +After you have enabled the services, you might need to configure your network or firewall to allow the connections between the services and your endpoints. - .smartscreen.microsoft.com - .smartscreen-prod.microsoft.com @@ -76,18 +75,18 @@ You can review the Windows event log to see events that are created when network 1. [Copy the XML directly](event-views.md). -2. Click **OK**. +2. Select **OK**. 3. This will create a custom view that filters to only show the following events related to network protection: - Event ID | Description - -|- - 5007 | Event when settings are changed - 1125 | Event when network protection fires in audit mode - 1126 | Event when network protection fires in block mode + | Event ID | Description | + |:---|:---| + | 5007 | Event when settings are changed | + | 1125 | Event when network protection fires in audit mode | + | 1126 | Event when network protection fires in block mode | ## Related articles -- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. +- [Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrates how the feature works, and what events would typically be created. - [Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md index d0317cd1ba..5cf235d1a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md +++ b/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md @@ -4,7 +4,7 @@ description: This new capability uses a game-changing risk-based approach to the keywords: threat & vulnerability management, threat and vulnerability management, MDATP TVM, MDATP-TVM, vulnerability management, vulnerability assessment, threat and vulnerability scanning, secure configuration assessment, microsoft defender atp, microsoft defender atp, endpoint vulnerabilities, next generation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: overview +ms.technology: mde --- # Threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md index 0cce3c728b..0b951d8070 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/non-windows.md +++ b/windows/security/threat-protection/microsoft-defender-atp/non-windows.md @@ -3,7 +3,7 @@ title: Microsoft Defender ATP for non-Windows platforms description: Learn about Microsoft Defender ATP capabilities for non-Windows platforms keywords: non windows, mac, macos, linux, android search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,9 +13,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-evalutatemtp + - M365-security-compliance + - m365solution-evalutatemtp ms.topic: article +ms.technology: mde --- # Microsoft Defender for Endpoint for non-Windows platforms diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md index b87d77da37..df8552d5a9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machine-api.md @@ -3,7 +3,7 @@ title: Offboard machine API description: Learn how to use an API to offboard a device from Windows Defender Advanced Threat Protection (WDATP). keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Offboard machine API @@ -86,9 +87,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard -Content-type: application/json +``` + +```json { "Comment": "Offboard machine by automation" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 3eb9642bf4..b34544a337 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices, servers, non-Windows devices from the M keywords: offboarding, microsoft defender advanced threat protection offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Offboard devices from the Microsoft Defender for Endpoint service diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md index 1a625303aa..5e9181a051 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-configure.md @@ -4,7 +4,7 @@ description: Onboard Windows 10 devices, servers, non-Windows devices and learn keywords: onboarding, microsoft defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Onboard devices to the Microsoft Defender for Endpoint service diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md index f99a9fbab3..bb6315accb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel.md @@ -4,7 +4,7 @@ description: Onboard supported previous versions of Windows devices so that they keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard previous versions of Windows @@ -82,9 +83,13 @@ Review the following details to verify minimum system requirements: - Copy the workspace ID and workspace key 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent: - - Manually install the agent using setup + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard). On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)** - - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script) + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line). + - [Configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation). + + > [!NOTE] + > If you are a [US Government customer](gov.md), under "Azure Cloud" you'll need to choose "Azure US Government" if using the setup wizard, or if using a command line or a script - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. 4. If you're using a proxy to connect to the Internet see the Configure proxy settings section. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md index e3aea210fc..eefffe4525 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard-offline-machines.md @@ -1,11 +1,11 @@ --- -title: Onboard devices without Internet access to Microsoft Defender ATP +title: Onboard devices without Internet access to Microsoft Defender for Endpoint ms.reviewer: description: Onboard devices without Internet access so that they can send sensor data to the Microsoft Defender ATP sensor keywords: onboard, servers, vm, on-premise, oms gateway, log analytics, azure log analytics, mma search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Onboard devices without Internet access to Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index d35f1668f8..8c0015c6fc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md @@ -5,7 +5,7 @@ description: Configure and manage Microsoft Defender ATP capabilities such as at keywords: configure, manage, capabilities, attack surface reduction, next-generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Configure and manage Microsoft Defender for Endpoint capabilities diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md index 87b9afcb05..aad57b1401 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md @@ -1,9 +1,9 @@ --- -title: Onboarding using Microsoft Endpoint Configuration Manager -description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager -keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction +title: Onboarding using Microsoft Endpoint Configuration Manager +description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Configuration Manager +keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint configuration manager search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,20 +13,35 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario ms.topic: article +ms.technology: mde --- -# Onboarding using Microsoft Endpoint Configuration Manager +# Onboarding using Microsoft Endpoint Configuration Manager [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) -This article is part of the Deployment guide and acts as an example onboarding method that guides users in: + + +This article is part of the Deployment guide and acts as an example onboarding method. + +In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the co-management architecture. + + +*Diagram of environment architectures* + + +While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). + + + +This topic guides users in: - Step 1: Onboarding Windows devices to the service - Step 2: Configuring Defender for Endpoint capabilities @@ -37,9 +52,7 @@ This onboarding guidance will walk you through the following basic steps that yo >[!NOTE] >Only Windows devices are covered in this example deployment. -While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. -For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). ## Step 1: Onboard Windows devices using Microsoft Endpoint Configuration Manager diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md index 1c87de1aa1..ee5f9c54a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md @@ -1,9 +1,9 @@ --- -title: Onboarding using Microsoft Endpoint Manager -description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Manager -keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction +title: Onboarding using Microsoft Endpoint Manager +description: Learn how to onboard to Microsoft Defender for Endpoint using Microsoft Endpoint Manager +keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction, microsoft endpoint manager search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,13 +13,14 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario ms.topic: article +ms.technology: mde --- -# Onboarding using Microsoft Endpoint Manager +# Onboarding using Microsoft Endpoint Manager [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] @@ -29,7 +30,20 @@ ms.topic: article -This article is part of the Deployment guide and acts as an example onboarding method that guides users in: +This article is part of the Deployment guide and acts as an example onboarding method. + +In the [Planning](deployment-strategy.md) topic, there were several methods provided to onboard devices to the service. This topic covers the cloud-native architecture. + + +*Diagram of environment architectures* + +While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). + + +[Microsoft Endpoint Manager](https://docs.microsoft.com/mem/endpoint-manager-overview) is a solution platform that unifies several services. It includes [Microsoft Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) for cloud-based device management. + + +This topic guides users in: - Step 1: Onboarding devices to the service by creating a group in Microsoft Endpoint Manager (MEM) to assign configurations on - Step 2: Configuring Defender for Endpoint capabilities using Microsoft Endpoint Manager @@ -43,9 +57,9 @@ This onboarding guidance will walk you through the following basic steps that yo - In Microsoft Endpoint Manager, we'll guide you in creating a separate policy for each capability. -While Defender for Endpoint supports onboarding of various endpoints and tools, this article does not cover them. -For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). + + ## Resources diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md index 452f25222e..7c5d617346 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-notification.md @@ -1,10 +1,10 @@ --- -title: Create an onboarding or offboarding notification rule +title: Create an onboarding or offboarding notification rule description: Get a notification when a local onboarding or offboarding script is used. keywords: onboarding, offboarding, local, script, notification, rule search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create a notification rule when a local onboarding or offboarding script is used diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 5cbe6e5c30..e990c35bcf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -3,7 +3,7 @@ title: Onboard to the Microsoft Defender ATP service description: Learn how to onboard endpoints to Microsoft Defender ATP service keywords: search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,10 +13,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario ms.topic: article +ms.technology: mde --- # Onboard to the Microsoft Defender for Endpoint service @@ -27,6 +28,8 @@ ms.topic: article - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +Learn about the various phases of deploying Microsoft Defender for Endpoint and how to configure the capabilities within the solution. + Deploying Defender for Endpoint is a three-phase process: | [](prepare-deployment.md) [Phase 1: Prepare](prepare-deployment.md) | [](production-deployment.md) [Phase 2: Setup](production-deployment.md) |  Phase 3: Onboard | @@ -43,6 +46,15 @@ These are the steps you need to take to deploy Defender for Endpoint: ## Step 1: Onboard endpoints using any of the supported management tools The [Plan deployment](deployment-strategy.md) topic outlines the general steps you need to take to deploy Defender for Endpoint. + +Watch this video for a quick overview of the onboarding process and learn about the available tools and methods. + + + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4bGqr] + + + After identifying your architecture, you'll need to decide which deployment method to use. The deployment tool you choose influences how you onboard endpoints to the service. ### Onboarding tool options diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 6f7a10acf3..60083b17cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -5,7 +5,7 @@ description: Learn about the attack surface reduction capabilities of Microsoft keywords: asr, attack surface reduction, microsoft defender atp, microsoft defender advanced threat protection, microsoft defender, antivirus, av, windows defender search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ author: denisebmsft ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.custom: asr ms.topic: conceptual +ms.technology: mde --- # Overview of attack surface reduction diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md index 9135f4ebe0..2a4e3f129e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-custom-detections.md @@ -5,7 +5,7 @@ description: Understand how you can use advanced hunting to create custom detect keywords: custom detections, alerts, detection rules, advanced hunting, hunt, query, response actions, interval, mdatp, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Custom detections overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md index f79f0792f3..0441772cda 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response.md @@ -5,7 +5,7 @@ description: Learn about the endpoint detection and response capabilities in Mic keywords: search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Overview of endpoint detection and response diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md index c1705995b8..0e43599b7f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-hardware-based-isolation.md @@ -3,7 +3,7 @@ title: Hardware-based isolation (Windows 10) ms.reviewer: description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,10 +11,11 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual ms.author: macapara ms.date: 09/07/2018 +ms.technology: mde --- # Hardware-based isolation in Windows 10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md index af671e6890..d4b17c7972 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-applications.md @@ -1,11 +1,11 @@ --- -title: Partner applications in Microsoft Defender ATP +title: Partner applications in Microsoft Defender ATP ms.reviewer: description: View supported partner applications to enhance the detection, investigation, and threat intelligence capabilities of the platform keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Partner applications in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md index 349dc8d30d..5aae40dce1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/partner-integration.md @@ -5,7 +5,7 @@ description: Learn how you can extend existing security offerings on top of the keywords: API, partner, extend, open framework, apis, extensions, integrations, detection, management, response, vulnerabilities, intelligence search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint partner opportunities and scenarios diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index e4679370bb..302c9405a3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -4,7 +4,7 @@ description: Microsoft Defender Security Center can monitor your enterprise netw keywords: Microsoft Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, devices list, settings, device management, advanced attacks search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual +ms.collection: M365-security-compliance +ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender Security Center portal overview diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md index ac9c3929ea..f019e3a9d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md @@ -3,7 +3,7 @@ title: Submit or Update Indicator API description: Learn how to use the Submit or Update Indicator API to submit or update a new Indicator entity in Microsoft Defender Advanced Threat Protection. keywords: apis, graph api, supported apis, submit, ti, indicator, update search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Submit or Update Indicator API @@ -32,7 +33,7 @@ ms.topic: article ## API description Submits or Updates new [Indicator](ti-indicator.md) entity. - CIDR notation for IPs is supported. + CIDR notation for IPs is not supported. ## Limitations 1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour. @@ -88,9 +89,11 @@ rbacGroupNames | String | Comma-separated list of RBAC group names the indicator Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/indicators -Content-type: application/json +``` + +```json { "indicatorValue": "220e7d15b011d7fac48f2bd61114db1022197f7f", "indicatorType": "FileSha1", diff --git a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md index 335e716372..aba7dce04f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preferences-setup.md @@ -4,7 +4,7 @@ description: Use the settings page to configure general settings, permissions, a keywords: settings, general settings, permissions, apis, rules search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Microsoft Defender Security Center settings diff --git a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md index f93867d6d6..c39bab20ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment.md @@ -4,7 +4,7 @@ description: Prepare stakeholder approval, timelines, environment considerations keywords: deploy, prepare, stakeholder, timeline, environment, endpoint, server, management, adoption search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario -ms.topic: article + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario +ms.topic: article +ms.technology: mde --- # Prepare Microsoft Defender for Endpoint deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md index 8c1f70f474..f821f26626 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md @@ -4,7 +4,7 @@ description: Turn on the preview experience in Microsoft Defender Advanced Threa keywords: advanced features, settings, block file search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Turn on the preview experience in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index ef3c2f75b8..508d8c7ff6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -4,7 +4,7 @@ description: Learn how to access Microsoft Defender Advanced Threat Protection p keywords: preview, preview experience, Microsoft Defender Advanced Threat Protection, features, updates search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint preview features diff --git a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md index 3f5f8aabcc..b773ed3d47 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md +++ b/windows/security/threat-protection/microsoft-defender-atp/production-deployment.md @@ -4,7 +4,7 @@ description: Learn how to setup the deployment for Microsoft Defender ATP keywords: deploy, setup, licensing validation, tenant configuration, network configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,10 +14,11 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-endpointprotect -- m365solution-scenario -ms.topic: article + - M365-security-compliance + - m365solution-endpointprotect + - m365solution-scenario +ms.topic: article +ms.technology: mde --- # Set up Microsoft Defender for Endpoint deployment diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 9587df251a..49d143d897 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -1,10 +1,10 @@ --- -title: Pull Microsoft Defender ATP detections using REST API -description: Learn how call an Microsoft Defender ATP endpoint to pull detections in JSON format using the SIEM REST API. +title: Pull Microsoft Defender for Endpoint detections using REST API +description: Learn how to call a Microsoft Defender for Endpoint API endpoint to pull detections in JSON format using the SIEM REST API. keywords: detections, pull detections, rest api, request, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Pull Microsoft Defender for Endpoint detections using SIEM REST API @@ -26,6 +27,8 @@ ms.topic: article - Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) +[!include[Microsoft Defender for Endpoint API URIs for US Government](../../includes/microsoft-defender-api-usgov.md)] + >[!Note] >- [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections. >- [Microsoft Defender for Endpoint Detection](api-portal-mapping.md) is composed from the suspicious event occurred on the Device and its related Alert details. @@ -64,7 +67,7 @@ Use the following method in the Microsoft Defender for Endpoint API to pull dete ## Get an access token Before creating calls to the endpoint, you'll need to get an access token. -You'll use the access token to access the protected resource, which are detections in Microsoft Defender for Endpoint. +You'll use the access token to access the protected resource, which is detections in Microsoft Defender for Endpoint. To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: @@ -81,10 +84,10 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599", - "ext_expires_in": "0", - "expires_on": "1488720683", - "not_before": "1488720683", + "expires_in": 3599, + "ext_expires_in": 0, + "expires_on": 1488720683, + "not_before": 1488720683, "resource": "https://graph.windows.net", "access_token":"eyJ0eXaioJJOIneiowiouqSuzNiZ345FYOVkaJL0625TueyaJasjhIjEnbMlWqP..." } @@ -112,7 +115,7 @@ Name | Value| Description :---|:---|:--- sinceTimeUtc | DateTime | Defines the lower time bound alerts are retrieved from, based on field: `LastProcessedTimeUtc` The time range will be: from sinceTimeUtc time to current time. **NOTE**: When not specified, all alerts generated in the last two hours are retrieved. untilTimeUtc | DateTime | Defines the upper time bound alerts are retrieved. The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time. **NOTE**: When not specified, the default value will be the current time. -ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. Value should be set according to **ISO 8601** duration format E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. +ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time. Value should be set according to **ISO 8601** duration format Example: `ago=PT10M` will pull alerts received in the last 10 minutes. limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined. **NOTE**: When not specified, all alerts available in the time range will be retrieved. machinegroups | string | Specifies device groups to pull alerts from. **NOTE**: When not specified, alerts from all device groups will be retrieved. Example: ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` DeviceCreatedMachineTags | string | Single device tag from the registry. diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index d04e995194..6fe781ca15 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -1,10 +1,10 @@ --- -title: Stream Microsoft Defender Advanced Threat Protection events to Azure Event Hubs +title: Stream Microsoft Defender Advanced Threat Protection events to Azure Event Hubs description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to your Event Hub. keywords: raw data export, streaming API, API, Azure Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Azure Event Hubs diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 8dae2a2358..84b4d64c9c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md @@ -4,7 +4,7 @@ description: Learn how to configure Microsoft Defender ATP to stream Advanced Hu keywords: raw data export, streaming API, API, Event Hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your Storage account diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index d619e6803f..5498729b00 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md @@ -1,10 +1,10 @@ --- -title: Stream Microsoft Defender Advanced Threat Protection event +title: Stream Microsoft Defender Advanced Threat Protection event description: Learn how to configure Microsoft Defender ATP to stream Advanced Hunting events to Event Hubs or Azure storage account keywords: raw data export, streaming API, API, Event hubs, Azure storage, storage account, Advanced Hunting, raw data sharing search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Raw Data Streaming API diff --git a/windows/security/threat-protection/microsoft-defender-atp/rbac.md b/windows/security/threat-protection/microsoft-defender-atp/rbac.md index 754b84fd55..2cbeaf06af 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/rbac.md +++ b/windows/security/threat-protection/microsoft-defender-atp/rbac.md @@ -4,7 +4,7 @@ description: Create roles and groups within your security operations to grant ac keywords: rbac, role, based, access, control, groups, control, tier, aad search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Manage portal access using role-based access control diff --git a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md index 6a3c3ce05d..bd7d795620 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/recommendation.md @@ -3,7 +3,7 @@ title: Recommendation methods and properties description: Retrieves top recent alerts. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Recommendation resource type diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 354a099a61..4040df0a11 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -4,7 +4,7 @@ description: Take response actions on file-related alerts by stopping and quaran keywords: respond, stop and quarantine, block file, deep analysis search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Take response actions on a file @@ -25,10 +26,10 @@ ms.topic: article **Applies to:** - [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - + [!include[Prerelease information](../../includes/prerelease.md)] ->Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink) +> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-responddile-abovefoldlink) Quickly respond to detected attacks by stopping and quarantining files or blocking a file. After taking action on files, you can check activity details in the Action center. @@ -46,12 +47,12 @@ You can also submit files for deep analysis, to run the file in a secure cloud s Some actions require certain permissions. The following table describes what action certain permissions can take on portable executable (PE) and non-PE files: -Permission | PE files | Non-PE files -:---|:---|:--- -View data | X | X -Alerts investigation | ☑ | X -Live response basic | X | X -Live response advanced | ☑ |☑ +| Permission | PE files | Non-PE files | +| :--------------------- | :------: | :----------: | +| View data | X | X | +| Alerts investigation | ☑ | X | +| Live response basic | X | X | +| Live response advanced | ☑ | ☑ | For more information on roles, see [Create and manage roles for role-based access control](user-roles.md). @@ -60,8 +61,8 @@ For more information on roles, see [Create and manage roles for role-based acces You can contain an attack in your organization by stopping the malicious process and quarantining the file where it was observed. ->[!IMPORTANT] ->You can only take this action if: +> [!IMPORTANT] +> You can only take this action if: > > - The device you're taking the action on is running Windows 10, version 1703 or later > - The file does not belong to trusted third-party publishers or not signed by Microsoft @@ -71,35 +72,36 @@ The **Stop and Quarantine File** action includes stopping running processes, qua This action takes effect on devices with Windows 10, version 1703 or later, where the file was observed in the last 30 days. ->[!NOTE] ->You’ll be able to restore the file from quarantine at any time. +> [!NOTE] +> You’ll be able to restore the file from quarantine at any time. ### Stop and quarantine files 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - - **Search box** - select **File** from the drop–down menu and enter the file name + - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline + - **Search box** - select **File** from the drop–down menu and enter the file name - >[!NOTE] - >The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). + > [!NOTE] + > The stop and quarantine file action is limited to a maximum of 1000 devices. To stop a file on a larger number of devices, see [Add indicator to block or allow file](#add-indicator-to-block-or-allow-a-file). 2. Go to the top bar and select **Stop and Quarantine File**. -  +  3. Specify a reason, then click **Confirm**. -  +  - The Action center shows the submission information: -  + The Action center shows the submission information: + +  - - **Submission time** - Shows when the action was submitted. - - **Success** - Shows the number of devices where the file has been stopped and quarantined. - - **Failed** - Shows the number of devices where the action failed and details about the failure. - - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. + - **Submission time** - Shows when the action was submitted. + - **Success** - Shows the number of devices where the file has been stopped and quarantined. + - **Failed** - Shows the number of devices where the action failed and details about the failure. + - **Pending** - Shows the number of devices where the file is yet to be stopped and quarantined from. This can take time for cases when the device is offline or not connected to the network. 4. Select any of the status indicators to view more information about the action. For example, select **Failed** to see where the action failed. @@ -118,38 +120,38 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the device: - a. Go to **Start** and type _cmd_. + 1. Go to **Start** and type _cmd_. - b. Right–click **Command prompt** and select **Run as administrator**. + 1. Right–click **Command prompt** and select **Run as administrator**. 2. Enter the following command, and press **Enter**: - ```Powershell + ```powershell “%ProgramFiles%\Windows Defender\MpCmdRun.exe” –Restore –Name EUS:Win32/CustomEnterpriseBlock –All ``` > [!NOTE] > In some scenarios, the **ThreatName** may appear as: EUS:Win32/CustomEnterpriseBlock!cl. -> +> > Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days. -> [!Important] -> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. +> [!IMPORTANT] +> A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired. ## Add indicator to block or allow a file You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization. ->[!IMPORTANT] +> [!IMPORTANT] > ->- This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). +> - This feature is available if your organization uses Microsoft Defender Antivirus and Cloud–delivered protection is enabled. For more information, see [Manage cloud–delivered protection](../microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md). > ->- The Antimalware client version must be 4.18.1901.x or later. ->- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. ->- This response action is available for devices on Windows 10, version 1703 or later. ->- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. +> - The Antimalware client version must be 4.18.1901.x or later. +> - This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. +> - This response action is available for devices on Windows 10, version 1703 or later. +> - The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action. ->[!NOTE] +> [!NOTE] > The PE file needs to be in the device timeline for you to be able to take this action. > > There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. @@ -157,14 +159,14 @@ You can prevent further propagation of an attack in your organization by banning ### Enable the block file feature To start blocking files, you first need to [turn the **Block or allow** feature on](advanced-features.md) in Settings. - + ### Allow or block file When you add an indicator hash for a file, you can choose to raise an alert and block the file whenever a device in your organization attempts to run it. Files automatically blocked by an indicator won't show up in the files's Action center, but the alerts will still be visible in the Alerts queue. - See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. +See [manage indicators](manage-indicators.md) for more details on blocking and raising alerts on files. To stop blocking a file, remove the indicator. You can do so via the **Edit Indicator** action on the file's profile page. This action will be visible in the same position that the **Add Indicator** action was, before you added the indicator. @@ -215,10 +217,10 @@ The Deep analysis summary includes a list of observed *behaviors*, some of which Results of deep analysis are matched against threat intelligence and any matches will generate appropriate alerts. -Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. +Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available within the **Deep analysis** tab, on the file's profile page. ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4aAYy?rel=0] **Submit for deep analysis** is enabled when the file is available in the Defender for Endpoint backend sample collection, or if it was observed on a Windows 10 device that supports submitting to deep analysis. @@ -232,7 +234,7 @@ You can also manually submit a sample through the [Microsoft Security Center Por When the sample is collected, Defender for Endpoint runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on devices, communication to IPs, and registry modifications. -**Submit files for deep analysis:** +#### Submit files for deep analysis 1. Select the file that you want to submit for deep analysis. You can select or search a file from any of the following views: @@ -242,17 +244,17 @@ When the sample is collected, Defender for Endpoint runs the file in is a secure 2. In the **Deep analysis** tab of the file view, click **Submit**. -  +  - > [!NOTE] - > Only PE files are supported, including _.exe_ and _.dll_ files. + > [!NOTE] + > Only PE files are supported, including _.exe_ and _.dll_ files. A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done. > [!NOTE] > Depending on device availability, sample collection time can vary. There is a 3–hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 device reporting at that time. You can re–submit files for deep analysis to get fresh data on the file. -**View deep analysis reports** +#### View deep analysis reports View the deep analysis report that Defender for Endpoint provides to see the details of the deep analysis that was conducted on the file you submitted. This feature is available in the file view context. @@ -268,16 +270,19 @@ The details provided can help you investigate if there are indications of a pote  -**Troubleshoot deep analysis** +#### Troubleshoot deep analysis If you encounter a problem when trying to submit a file, try each of the following troubleshooting steps. 1. Ensure that the file in question is a PE file. PE files typically have _.exe_ or _.dll_ extensions (executable programs or applications). + 1. Ensure the service has access to the file, that it still exists, and has not been corrupted or modified. + 1. You can wait a short while and try to submit the file again, in case the queue is full or there was a temporary connection or communication error. + 1. If the sample collection policy is not configured, then the default behavior is to allow sample collection. If it is configured, then verify the policy setting allows sample collection before submitting the file again. When sample collection is configured, then check the following registry value: - ```Powershell + ```powershell Path: HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection Name: AllowSampleCollection Type: DWORD @@ -287,6 +292,7 @@ If you encounter a problem when trying to submit a file, try each of the followi ``` 1. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp.md). + 1. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com). ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 4bb5a90936..43c6ea2779 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -4,7 +4,7 @@ description: Take response actions on a device such as isolating devices, collec keywords: respond, isolate, isolate device, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Take response actions on a device diff --git a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md index 3c91b9c04c..a78424ca79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/restrict-code-execution.md @@ -3,7 +3,7 @@ title: Restrict app execution API description: Use this API to create calls related to restricting an application from executing. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Restrict app execution API @@ -82,14 +83,15 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Restrict code execution due to alert 1234" } ``` -- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). - +- To remove code execution restriction from a device, see [Remove app restriction](unrestrict-code-execution.md). \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md index ebe2923713..3a560a21fe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/review-alerts.md @@ -2,20 +2,21 @@ title: Review alerts in Microsoft Defender Advanced Threat Protection description: Review alert information, including a visualized alert story and details for each step of the chain. keywords: incident, incidents, machines, devices, users, alerts, alert, investigation, graph, evidence -ms.prod: microsoft-365-enterprise +ms.prod: m365-security ms.pagetype: security -f1.keywords: -- NOCSH +f1.keywords: + - NOCSH ms.author: daniha -author: danihalfin +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual ms.date: 5/1/2020 +ms.technology: mde --- # Review alerts in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index 50b5f9255d..1f52029bfe 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn to use the advanced hunting API to run advanced queries on Microsoft Defender Advanced Threat Protection. Find out about limitations and see an example. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced hunting API @@ -34,10 +35,10 @@ ms.topic: article 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. 3. The number of executions is limited per tenant: - - API calls: Up to 15 calls per minute - - Execution time: 10 minutes of running time every hour and 4 hours of running time a day + - API calls: Up to 45 calls per minute. + - Execution time: 10 minutes of running time every hour and 3 hours of running time a day. 4. The maximal execution time of a single request is 10 minutes. -5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. +5. 429 response will represent reaching quota limit either by number of requests or by CPU. Read response body to understand what limit has been reached. ## Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Microsoft Defender for Endpoint APIs](apis-intro.md) @@ -81,9 +82,11 @@ Request Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/advancedqueries/run -Content-type: application/json +``` + +```json { "Query":"DeviceProcessEvents | where InitiatingProcessFileName =~ 'powershell.exe' diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md index 247f300dac..3435095384 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-powershell.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn the basics of querying the Microsoft Defender Advanced Threat Protection API, using PowerShell. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced Hunting using PowerShell diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md index 7cda7c8cd9..db8dce54e7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-python.md @@ -4,7 +4,7 @@ ms.reviewer: description: Learn how to query using the Microsoft Defender Advanced Threat Protection API, by using Python, with examples. keywords: apis, supported apis, advanced hunting, query search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Advanced Hunting using Python diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md index f2d979889c..68a10a5e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-av-scan.md @@ -3,7 +3,7 @@ title: Run antivirus scan API description: Use this API to create calls related to running an antivirus scan on a device. keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Run antivirus scan API @@ -90,12 +91,14 @@ If successful, this method returns 201, Created response code and _MachineAction Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan -Content-type: application/json +``` + +```json { "Comment": "Check machine for viruses due to alert 3212", - “ScanType”: “Full” + "ScanType": "Full" } ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index 0ade180410..278c62f37e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -4,7 +4,7 @@ description: Run the detection script on a newly onboarded device to verify that keywords: detection test, detection, powershell, script, verify, onboarding, microsoft defender advanced threat protection onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Run a detection test on a newly onboarded Microsoft Defender for Endpoint device diff --git a/windows/security/threat-protection/microsoft-defender-atp/score.md b/windows/security/threat-protection/microsoft-defender-atp/score.md index aab54c586f..16a1f602bb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/score.md @@ -3,7 +3,7 @@ title: Score methods and properties description: Retrieves your organization's exposure score, device secure score, and exposure score by device group keywords: apis, graph api, supported apis, score, exposure score, device secure score, exposure score by device group search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Score resource type diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index e0b381b7f9..4215777b33 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -4,7 +4,7 @@ description: Use the dashboard to identify devices at risk, keep track of the st keywords: dashboard, alerts, new, in progress, resolved, risk, devices at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender Security Center Security operations dashboard diff --git a/windows/security/threat-protection/microsoft-defender-atp/service-status.md b/windows/security/threat-protection/microsoft-defender-atp/service-status.md index fb69f1e1c3..e4c2b710e3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/service-status.md +++ b/windows/security/threat-protection/microsoft-defender-atp/service-status.md @@ -4,7 +4,7 @@ description: Check Microsoft Defender ATP service health, see if the service is keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Check the Microsoft Defender for Endpoint service health diff --git a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md index 98266678c3..66e0dfcd99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/set-device-value.md @@ -3,7 +3,7 @@ title: Set device value API description: Learn how to specify the value of a device using a Microsoft Defender Advanced Threat Protection API. keywords: apis, graph api, supported apis, tags, machine tags search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Set device value API @@ -72,12 +73,28 @@ Content-Type | string | application/json. **Required**. ## Request body -```json -{ - "DeviceValue": "{device value}" -} -``` +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +DeviceValue | Enum | Device value. Allowed values are: 'Normal', 'Low' and 'High'. **Required**. ## Response If successful, this method returns 200 - Ok response code and the updated Machine in the response body. + +## Example + +**Request** + +Here is an example of a request that adds machine tag. + +```http +POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/setDeviceValue +``` + +```json +{ + "DeviceValue" : "High" +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/software.md b/windows/security/threat-protection/microsoft-defender-atp/software.md index a471bd94f2..cbe9c7e0d5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/software.md @@ -3,7 +3,7 @@ title: Software methods and properties description: Retrieves top recent alerts. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Software resource type diff --git a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md index 83727872ac..6ab096b9f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md +++ b/windows/security/threat-protection/microsoft-defender-atp/stop-and-quarantine-file.md @@ -3,7 +3,7 @@ title: Stop and quarantine file API description: Learn how to stop running a file on a device and delete the file in Microsoft Defender Advanced Threat Protection. See an example. keywords: apis, graph api, supported apis, stop and quarantine file search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Stop and quarantine file API @@ -83,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile -Content-type: application/json +``` + +```json { "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" diff --git a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md b/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md deleted file mode 100644 index 96ca537f4d..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/supported-response-apis.md +++ /dev/null @@ -1,51 +0,0 @@ ---- -title: Supported Microsoft Defender Advanced Threat Protection response APIs -description: Learn about the specific response-related Microsoft Defender Advanced Threat Protection API calls. -keywords: response apis, graph api, supported apis, actor, alerts, device, user, domain, ip, file -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: macapara -author: mjcaparas -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: M365-security-compliance -ms.topic: conceptual ---- - -# Supported Microsoft Defender for Endpoint query APIs - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -**Applies to:** -- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -> [!TIP] -> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) - -Learn about the supported response-related API calls you can run and details such as the required request headers, and expected response from the calls. - -## In this section -Topic | Description -:---|:--- -Collect investigation package | Run this API to collect an investigation package from a device. -Isolate device | Run this API to isolate a device from the network. -Unisolate device | Remove a device from isolation. -Restrict code execution | Run this API to contain an attack by stopping malicious processes. You can also lock down a device and prevent subsequent attempts of potentially malicious programs from running. -Unrestrict code execution | Run this to reverse the restriction of applications policy after you have verified that the compromised device has been remediated. -Run antivirus scan | Remotely initiate an antivirus scan to help identify and remediate malware that might be present on a compromised device. -Stop and quarantine file | Run this call to stop running processes, quarantine files, and delete persistency such as registry keys. -Request sample | Run this call to request a sample of a file from a specific device. The file will be collected from the device and uploaded to a secure storage. -Block file | Run this API to prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. -Unblock file | Allow a file run in the organization using Microsoft Defender Antivirus. -Get package SAS URI | Run this API to get a URI that allows downloading an investigation package. -Get MachineAction object | Run this API to get MachineAction object. -Get MachineActions collection | Run this to get MachineAction collection. -Get FileActions collection | Run this API to get FileActions collection. -Get FileMachineAction object | Run this API to get FileMachineAction object. -Get FileMachineActions collection | Run this API to get FileMachineAction collection. diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md index 0a7421bb95..1780f55497 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-migration.md @@ -4,7 +4,7 @@ description: Make the switch to Microsoft Defender for Endpoint. Read this artic keywords: migration, windows defender advanced endpoint protection, for Endpoint, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,13 +14,14 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp -- m365solution-overview + - M365-security-compliance + - m365solution-migratetomdatp + - m365solution-overview ms.topic: conceptual ms.custom: migrationguides ms.date: 09/24/2020 ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +ms.technology: mde --- # Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md index 18422aba57..2a3c2f472f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-onboard.md @@ -4,8 +4,8 @@ description: This is phase 3, Onboard, for migrating from a non-Microsoft soluti keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp + - M365-security-compliance + - m365solution-migratetomdatp ms.custom: migrationguides ms.topic: article ms.date: 09/24/2020 diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md index c55bd95f20..a49d62bf03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-prepare.md @@ -4,8 +4,8 @@ description: This is phase 1, Prepare, for migrating to Microsoft Defender for E keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp + - M365-security-compliance + - m365solution-migratetomdatp ms.topic: article ms.custom: migrationguides ms.date: 09/22/2020 diff --git a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md index c1ad46027c..6b6dd2a9cd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/switch-to-microsoft-defender-setup.md @@ -4,8 +4,8 @@ description: This is phase 2, Setup, for switching to Microsoft Defender for End keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-migratetomdatp + - M365-security-compliance + - m365solution-migratetomdatp ms.topic: article ms.custom: migrationguides ms.date: 09/22/2020 @@ -138,7 +138,7 @@ Microsoft Defender Antivirus can run alongside your existing endpoint protection |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator. 2. Type `sc query windefend`, and then press Enter. 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. 2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. 3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. 2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md index 0fe3fbf828..7f20e3e024 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -4,8 +4,8 @@ description: Get an overview of how to make the switch from Symantec to Microsof keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate -- m365solution-overview + - M365-security-compliance + - m365solution-symantecmigrate + - m365solution-overview ms.topic: conceptual ms.date: 09/22/2020 ms.custom: migrationguides diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index a80c0ae736..9ba924e18a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -4,8 +4,8 @@ description: This is Phase 3, Onboarding, of migrating from Symantec to Microsof keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate + - M365-security-compliance + - m365solution-symantecmigrate ms.topic: article ms.date: 09/24/2020 ms.custom: migrationguides diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index 10e8d99bb4..4d58af47fd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -4,8 +4,8 @@ description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft D keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate + - M365-security-compliance + - m365solution-symantecmigrate ms.topic: article ms.date: 09/22/2020 ms.custom: migrationguides diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index 72385ecf92..da69f9acd3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -4,8 +4,8 @@ description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Def keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 -ms.technology: windows +ms.prod: m365-security +ms.technology: mde ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,8 +15,8 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- M365-security-compliance -- m365solution-symantecmigrate + - M365-security-compliance + - m365solution-symantecmigrate ms.topic: article ms.date: 11/30/2020 ms.custom: migrationguides @@ -117,7 +117,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator. 2. Type `sc query windefend`, and then press Enter. 3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. 2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. 3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator. 2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet. 3. In the list of results, look for either **AMRunningMode: Passive Mode** or **AMRunningMode: SxS Passive Mode**.| > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md index 30c8152b76..d65629d1ca 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics-analyst-reports.md @@ -2,10 +2,10 @@ title: Understand the analyst report section in threat analytics ms.reviewer: description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more. -keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations, +keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: lomayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Understand the analyst report in threat analytics diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md index 5618f4c5a4..a7163a294f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-analytics.md @@ -2,10 +2,10 @@ title: Track and respond to emerging threats with Microsoft Defender ATP threat analytics ms.reviewer: description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience. -keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status +keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,9 +15,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Track and respond to emerging threats with threat analytics diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md index 32cb4825cb..75b6243eea 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-event-timeline.md @@ -1,10 +1,10 @@ --- title: Event timeline in threat and vulnerability management -description: Event timeline is a "risk news feed" that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it. +description: Event timeline is a risk news feed that helps you interpret how risk is introduced into the organization, and which mitigations happened to reduce it. keywords: event timeline, mdatp event timeline, mdatp tvm event timeline, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Event timeline - threat and vulnerability management @@ -32,6 +33,9 @@ Event timeline is a risk news feed that helps you interpret how risk is introduc Event timeline also tells the story of your [exposure score](tvm-exposure-score.md) and [Microsoft Secure Score for Devices](tvm-microsoft-secure-score-devices.md) so you can determine the cause of large changes. Events can impact your devices or your score for devices. Reduce you exposure by addressing what needs to be remediated based on the prioritized [security recommendations](tvm-security-recommendation.md). +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) + ## Navigate to the Event timeline page There are also three entry points from the [threat and vulnerability management dashboard](tvm-dashboard-insights.md): diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index b59077b758..6d076ba18e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -4,7 +4,7 @@ description: Create custom threat alerts for your organization and learn the con keywords: threat intelligence, alert definitions, indicators of compromise, ioc search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Understand threat intelligence concepts diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md index 133bcab341..f825bed722 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration.md @@ -3,7 +3,7 @@ title: Integrate Microsoft Defender for Endpoint with other Microsoft solutions description: Learn how Microsoft Defender for Endpoint integrates with other Microsoft solutions, including Microsoft Defender for Identity and Azure Security Center. author: mjcaparas ms.author: macapara -ms.prod: w10 +ms.prod: m365-security keywords: microsoft 365 defender, conditional access, office, advanced threat protection, microsoft defender for identity, microsoft defender for office, azure security center, microsoft cloud app security, azure sentinel search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -13,8 +13,9 @@ ms.pagetype: security ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Microsoft Defender for Endpoint and other Microsoft solutions diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md index 221de57589..de27be571b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-protection-reports.md @@ -4,7 +4,7 @@ description: Track alert detections, categories, and severity using the threat p keywords: alert detection, source, alert by category, alert severity, alert classification, determination search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Threat protection report in Microsoft Defender for Endpoint diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 39a5774d5c..1eb4f26891 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -3,7 +3,7 @@ title: Indicator resource type description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, supported apis, get, TiIndicator, Indicator, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Indicator resource type @@ -35,7 +36,8 @@ ms.topic: article Method|Return Type |Description :---|:---|:--- [List Indicators](get-ti-indicators-collection.md) | [Indicator](ti-indicator.md) Collection | List [Indicator](ti-indicator.md) entities. -[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submits [Indicator](ti-indicator.md) entity. +[Submit Indicator](post-ti-indicator.md) | [Indicator](ti-indicator.md) | Submit or update [Indicator](ti-indicator.md) entity. +[Import Indicators](import-ti-indicators.md) | [Indicator](ti-indicator.md) Collection | Submit or update [Indicators](ti-indicator.md) entities. [Delete Indicator](delete-ti-indicator-by-id.md) | No Content | Deletes [Indicator](ti-indicator.md) entity. diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index f8fe1639aa..efce09619a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -4,7 +4,7 @@ description: Use the info contained here to configure the Microsoft Defender Sec keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Microsoft Defender Security Center time zone settings diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md index f860930a0a..c25e934d20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr.md @@ -4,7 +4,7 @@ description: Resources and sample code to troubleshoot issues with attack surfac keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ ms.date: 03/27/2019 ms.reviewer: manager: dansimp ms.custom: asr +ms.technology: mde --- # Troubleshoot attack surface reduction rules @@ -28,9 +29,9 @@ ms.custom: asr When you use [attack surface reduction rules](attack-surface-reduction.md) you may run into issues, such as: -- A rule blocks a file, process, or performs some other action that it should not (false positive) +- A rule blocks a file, process, or performs some other action that it shouldn't (false positive) -- A rule does not work as described, or does not block a file or process that it should (false negative) +- A rule doesn't work as described, or doesn't block a file or process that it should (false negative) There are four steps to troubleshooting these problems: @@ -52,7 +53,7 @@ Attack surface reduction rules will only work on devices with the following cond - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -- Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). +- Audit mode isn't enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). If these prerequisites have all been met, proceed to the next step to test the rule in audit mode. @@ -60,7 +61,7 @@ If these prerequisites have all been met, proceed to the next step to test the r You can visit the Windows Defender Test ground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only. -Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. +Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you're encountering problems with. 1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run. @@ -68,19 +69,19 @@ Follow these instructions in [Use the demo tool to see how attack surface reduct 3. [Review the attack surface reduction rule event logs](attack-surface-reduction.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. -If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. +If a rule isn't blocking a file or process that you're expecting it should block, first check if audit mode is enabled. Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule isn't working as expected, proceed to either of the following sections based on your situation: -1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +1. If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). -2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). +2. If the attack surface reduction rule isn't blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data-for-file-submissions). ## Add exclusions for a false positive -If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. +If the attack surface reduction rule is blocking something that it shouldn't block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md). @@ -94,12 +95,12 @@ Use the [Windows Defender Security Intelligence web-based submission form](https ## Collect diagnostic data for file submissions -When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. +When you report a problem with attack surface reduction rules, you're asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: ```console - cd c:\program files\windows defender + cd "c:\program files\windows defender" ``` 2. Run this command to generate the diagnostic logs: @@ -108,7 +109,7 @@ When you report a problem with attack surface reduction rules, you are asked to mpcmdrun -getfiles ``` -3. By default, they are saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. +3. By default, they're saved to `C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab`. Attach the file to the submission form. ## Related articles diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md index 6ef738803e..a0705e4829 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-collect-support-log.md @@ -1,10 +1,10 @@ --- -title: Collect support logs in Microsoft Defender ATP using live response -description: Learn how to collect logs using live response to troubleshoot Microsoft Defender ATP issues +title: Collect support logs in Microsoft Defender for Endpoints using live response +description: Learn how to collect logs using live response to troubleshoot Microsoft Defender for Endpoints issues keywords: support, log, collect, troubleshoot, live response, liveanalyzer, analyzer, live, response search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Collect support logs in Microsoft Defender for Endpoint using live response @@ -28,9 +29,9 @@ When contacting support, you may be asked to provide the output package of the M This topic provides instructions on how to run the tool via Live Response. 1. Download the appropriate script - * Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDATPLiveAnalyzer). + * Microsoft Defender for Endpoint client sensor logs only: [LiveAnalyzer.ps1 script](https://aka.ms/MDELiveAnalyzer). - Result package approximate size: ~100Kb - * Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDATPLiveAnalyzerAV). + * Microsoft Defender for Endpoint client sensor and Antivirus logs: [LiveAnalyzer+MDAV.ps1 script](https://aka.ms/MDELiveAnalyzerAV). - Result package approximate size: ~10Mb 2. Initiate a [Live Response session](live-response.md#initiate-a-live-response-session-on-a-device) on the machine you need to investigate. @@ -43,7 +44,7 @@ This topic provides instructions on how to run the tool via Live Response.  -5. Select the downloaded file named MDATPLiveAnalyzer.ps1 and then click on **Confirm** +5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on **Confirm**  @@ -52,24 +53,24 @@ This topic provides instructions on how to run the tool via Live Response. 6. While still in the LiveResponse session, use the commands below to run the analyzer and collect the result file: ```console - Run MDATPLiveAnalyzer.ps1 - GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto + Run MDELiveAnalyzer.ps1 + GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto ```  >[!NOTE] -> - The latest preview version of MDATPClientAnalyzer can be downloaded here: [https://aka.ms/Betamdatpanalyzer](https://aka.ms/Betamdatpanalyzer). +> - The latest preview version of MDEClientAnalyzer can be downloaded here: [https://aka.ms/Betamdeanalyzer](https://aka.ms/Betamdeanalyzer). > > - The LiveAnalyzer script downloads the troubleshooting package on the destination machine from: https://mdatpclientanalyzer.blob.core.windows.net. > -> If you cannot allow the machine to reach the above URL, then upload MDATPClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script: +> If you cannot allow the machine to reach the above URL, then upload MDEClientAnalyzerPreview.zip file to the library before running the LiveAnalyzer script: > > ```console -> PutFile MDATPClientAnalyzerPreview.zip -overwrite -> Run MDATPLiveAnalyzer.ps1 -> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDATPClientAnalyzerResult.zip" -auto +> PutFile MDEClientAnalyzerPreview.zip -overwrite +> Run MDELiveAnalyzer.ps1 +> GetFile "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\MDEClientAnalyzerResult.zip" -auto > ``` > > - For more information on gathering data locally on a machine in case the machine isn't communicating with Microsoft Defender for Endpoint cloud services, or does not appear in Microsoft Defender for Endpoint portal as expected, see [Verify client connectivity to Microsoft Defender for Endpoint service URLs](configure-proxy-internet.md#verify-client-connectivity-to-microsoft-defender-atp-service-urls). diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md index 3b515a9853..6169ebd01f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations.md @@ -3,7 +3,7 @@ title: Troubleshoot exploit protection mitigations keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install description: Learn how to deal with unwanted mitigations in Windows Security, including a process to remove all mitigations and import a baseline configuration file instead. search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.author: dansimp ms.date: 08/09/2018 ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot exploit protection mitigations diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md index 01ddeadebe..222234bfb9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-live-response.md @@ -1,10 +1,10 @@ --- title: Troubleshoot Microsoft Defender ATP live response issues -description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP +description: Troubleshoot issues that might arise when using live response in Microsoft Defender ATP keywords: troubleshoot live response, live, response, locked, file search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot Microsoft Defender for Endpoint live response issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md index 01836bb8c5..00e7f45c28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-mdatp.md @@ -1,10 +1,10 @@ --- -title: Troubleshoot Microsoft Defender Advanced Threat Protection service issues +title: Troubleshoot Microsoft Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Microsoft Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, allow, event viewer search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot service issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md index 522973a893..05563e45c4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-np.md @@ -3,7 +3,7 @@ title: Troubleshoot problems with Network protection description: Resources and sample code to troubleshoot issues with Network protection in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking, microsoft defender atp, microsoft defender advanced threat protection search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security @@ -11,9 +11,10 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 03/27/2019 +ms.date: 01/26/2021 ms.reviewer: manager: dansimp +ms.technology: mde --- # Troubleshoot network protection @@ -23,14 +24,13 @@ manager: dansimp **Applies to:** -* [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) - -* IT administrators +- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631) +- IT administrators When you use [Network protection](network-protection.md) you may encounter issues, such as: -* Network protection blocks a website that is safe (false positive) -* Network protection fails to block a suspicious or known malicious website (false negative) +- Network protection blocks a website that is safe (false positive) +- Network protection fails to block a suspicious or known malicious website (false negative) There are four steps to troubleshooting these problems: @@ -44,11 +44,11 @@ There are four steps to troubleshooting these problems: Network protection will only work on devices with the following conditions: >[!div class="checklist"] -> * Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). -> * Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Microsoft Defender AV to disable itself](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). -> * [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. -> * [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. -> * Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). +> - Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher. +> - Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. [See what happens when you are using a non-Microsoft antivirus solution](../microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md). +> - [Real-time protection](../microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md) is enabled. +> - [Cloud-delivered protection](../microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md) is enabled. +> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). ## Use audit mode @@ -60,9 +60,9 @@ You can enable network protection in audit mode and then visit a website that we Set-MpPreference -EnableNetworkProtection AuditMode ``` -1. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). +2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -1. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. If network protection is not blocking a connection that you are expecting it should block, enable the feature. @@ -74,6 +74,8 @@ You can enable network protection in audit mode and then visit a website that we If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../microsoft-defender-atp/alerts-queue.md). +See [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives). + ## Exclude website from network protection scope To allow the website that is being blocked (false positive), add its URL to the [list of trusted sites](https://blogs.msdn.microsoft.com/asiatech/2014/08/19/how-to-add-web-sites-to-trusted-sites-via-gpo-from-dc-installed-ie10-or-higher-ie-version/). Web resources from this list bypass the network protection check. @@ -84,20 +86,21 @@ When you report a problem with network protection, you are asked to collect and 1. Open an elevated command prompt and change to the Windows Defender directory: - ```PowerShell + ```console cd c:\program files\windows defender ``` -1. Run this command to generate the diagnostic logs: +2. Run this command to generate the diagnostic logs: - ```PowerShell + ```console mpcmdrun -getfiles ``` -1. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. +3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. ## Related topics -* [Network protection](network-protection.md) -* [Evaluate network protection](evaluate-network-protection.md) -* [Enable network protection](enable-network-protection.md) +- [Network protection](network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) +- [Enable network protection](enable-network-protection.md) +- [Address false positives/negatives in Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives) diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md index 1ecd70b09d..995a0869a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding-error-messages.md @@ -4,7 +4,7 @@ description: Troubleshoot onboarding issues and error message while completing s keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, microsoft defender atp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot subscription and portal access issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index f6e7c7fc29..52bbe320a4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -4,7 +4,7 @@ description: Troubleshoot issues that might arise during the onboarding of devic keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot Microsoft Defender for Endpoint onboarding issues @@ -329,121 +330,121 @@ The steps below provide guidance for the following scenario: 1. Create an application in Microsoft Endpoint Configuration Manager. -  +  2. Select **Manually specify the application information**. -  +  3. Specify information about the application, then select **Next**. -  +  4. Specify information about the software center, then select **Next**. -  +  5. In **Deployment types** select **Add**. -  +  6. Select **Manually specify the deployment type information**, then select **Next**. -  +  7. Specify information about the deployment type, then select **Next**. -  +  8. In **Content** > **Installation program** specify the command: `net start sense`. -  +  9. In **Detection method**, select **Configure rules to detect the presence of this deployment type**, then select **Add Clause**. -  +  10. Specify the following detection rule details, then select **OK**: -  +  11. In **Detection method** select **Next**. -  +  12. In **User Experience**, specify the following information, then select **Next**: -  +  13. In **Requirements**, select **Next**. -  +  14. In **Dependencies**, select **Next**. -  +  15. In **Summary**, select **Next**. -  +  16. In **Completion**, select **Close**. -  +  17. In **Deployment types**, select **Next**. -  +  18. In **Summary**, select **Next**. -  +  The status is then displayed: -  +  19. In **Completion**, select **Close**. -  +  20. You can now deploy the application by right-clicking the app and selecting **Deploy**. -  +  21. In **General** select **Automatically distribute content for dependencies** and **Browse**. -  +  22. In **Content** select **Next**. -  +  23. In **Deployment settings**, select **Next**. -  +  24. In **Scheduling** select **As soon as possible after the available time**, then select **Next**. -  +  25. In **User experience**, select **Commit changes at deadline or during a maintenance window (requires restarts)**, then select **Next**. -  +  26. In **Alerts** select **Next**. -  +  27. In **Summary**, select **Next**. -  +  The status is then displayed -  +  28. In **Completion**, select **Close**. -  +  ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md index e98e9a3f71..d1f622f732 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-siem.md @@ -4,7 +4,7 @@ description: Troubleshoot issues that might arise when using SIEM tools with Mic keywords: troubleshoot, siem, client secret, secret search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: troubleshooting +ms.technology: mde --- # Troubleshoot SIEM tool integration issues diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md index 3e49cdb1c3..ba994dd266 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-assign-device-value.md @@ -4,7 +4,7 @@ description: Learn how to assign a low, normal, or high value to a device to hel keywords: microsoft defender atp device value, threat and vulnerability management device value, high value devices, device value exposure score search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Assign device value - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index c1a94e108f..5eea3a7195 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -1,10 +1,10 @@ --- title: Dashboard insights - threat and vulnerability management description: The threat and vulnerability management dashboard can help SecOps and security admins address cybersecurity threats and build their organization's security resilience. -keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score +keywords: mdatp-tvm, mdatp-tvm dashboard, threat & vulnerability management, threat and vulnerability management, risk-based threat & vulnerability management, security configuration, Microsoft Secure Score for Devices, exposure score search.appverid: met150 search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Dashboard insights - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md index 1b100207a8..c28f1e8ea5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-end-of-support-software.md @@ -4,7 +4,7 @@ description: Discover and plan for software and software versions that are no lo keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Plan for end-of-support software and software versions with threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md index 9bb2ff23bb..0a6e51b1a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exception.md @@ -1,10 +1,10 @@ --- title: Create and view exceptions for security recommendations - threat and vulnerability management -description: Create and monitor exceptions for security recommendations in threat and vulnerability management. +description: Create and monitor exceptions for security recommendations in threat and vulnerability management. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Create and view exceptions for security recommendations - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md index 45f7973943..4c7a90fef7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-exposure-score.md @@ -4,7 +4,7 @@ description: The threat and vulnerability management exposure score reflects how keywords: exposure score, mdatp exposure score, mdatp tvm exposure score, organization exposure score, tvm organization exposure score, threat and vulnerability management, Microsoft Defender Advanced Threat Protection search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Exposure score - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md index 2ce01e4071..9f049bbf57 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-hunt-exposed-devices.md @@ -1,10 +1,10 @@ --- -title: Hunt for exposed devices +title: Hunt for exposed devices description: Learn how threat and vulnerability management can be used to help security admins, IT admins, and SecOps collaborate. -keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls +keywords: mdatp-tvm scenarios, mdatp, tvm, tvm scenarios, reduce threat & vulnerability exposure, reduce threat and vulnerability, improve security configuration, increase Microsoft Secure Score for Devices, increase threat & vulnerability Microsoft Secure Score for Devices, Microsoft Secure Score for Devices, exposure score, security controls search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Hunt for exposed devices - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md index 36959192bb..ca1b85ec5e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-microsoft-secure-score-devices.md @@ -4,7 +4,7 @@ description: Your score for devices shows the collective security configuration keywords: Microsoft Secure Score for Devices, mdatp Microsoft Secure Score for Devices, secure score, configuration score, threat and vulnerability management, security controls, improvement opportunities, security configuration score over time, security posture, baseline search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Microsoft Secure Score for Devices diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md index ef781abcdd..aabc368193 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-prerequisites.md @@ -4,7 +4,7 @@ description: Before you begin using threat and vulnerability management, make su keywords: threat & vulnerability management permissions prerequisites, threat and vulnerability management permissions prerequisites, MDATP TVM permissions prerequisites, vulnerability management search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Prerequisites & permissions - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md index 2c7a81ec77..baad4cc61d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-remediation.md @@ -1,10 +1,10 @@ --- title: Remediate vulnerabilities with threat and vulnerability management -description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. +description: Remediate security weaknesses discovered through security recommendations, and create exceptions if needed, in threat and vulnerability management. keywords: microsoft defender atp tvm remediation, mdatp tvm, threat and vulnerability management, threat & vulnerability management, threat & vulnerability management remediation, tvm remediation intune, tvm remediation sccm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Remediate vulnerabilities with threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 1a7f20a55c..dfa4d609a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md @@ -4,7 +4,7 @@ description: Get actionable security recommendations prioritized by threat, like keywords: threat and vulnerability management, mdatp tvm security recommendation, cybersecurity recommendation, actionable security recommendation search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Security recommendations - threat and vulnerability management @@ -33,6 +34,9 @@ Cybersecurity weaknesses identified in your organization are mapped to actionabl Each security recommendation includes actionable remediation steps. To help with task management, the recommendation can also be sent using Microsoft Intune and Microsoft Endpoint Configuration Manager. When the threat landscape changes, the recommendation also changes as it continuously collects information from your environment. +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) + ## How it works Each device in the organization is scored based on three important factors to help customers to focus on the right things at the right time. @@ -104,7 +108,7 @@ From the flyout, you can choose any of the following options: ### Investigate changes in device exposure or impact -If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and configuration score, then that security recommendation is worth investigating. +If there is a large jump in the number of exposed devices, or a sharp increase in the impact on your organization exposure score and Microsoft Secure Score for Devices, then that security recommendation is worth investigating. 1. Select the recommendation and **Open software page** 2. Select the **Event timeline** tab to view all the impactful events related to that software, such as new vulnerabilities or new public exploits. [Learn more about event timeline](threat-and-vuln-mgt-event-timeline.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md index e927418779..f2a3b70362 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-software-inventory.md @@ -4,7 +4,7 @@ description: The software inventory page for Microsoft Defender ATP's threat and keywords: threat and vulnerability management, microsoft defender atp, microsoft defender atp software inventory, mdatp threat & vulnerability management, mdatp threat & vulnerability management software inventory, mdatp tvm software inventory, tvm software inventory search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Software inventory - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md index d466083c34..30820fa2ac 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-supported-os.md @@ -4,7 +4,7 @@ description: Ensure that you meet the operating system or platform requisites fo keywords: threat & vulnerability management, threat and vulnerability management, operating system, platform requirements, prerequisites, mdatp-tvm supported os, mdatp-tvm, search.appverid: met150 search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Supported operating systems and platforms - threat and vulnerability management @@ -37,9 +38,9 @@ Before you begin, ensure that you meet the following operating system or platfor Operating system | Security assessment support :---|:--- Windows 7 | Operating System (OS) vulnerabilities -Windows 8.1 | Not supported -Windows 10 1607-1703 | Operating System (OS) vulnerabilities -Windows 10 1709+ |Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment +Windows 8.1 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment | +Windows 10, versions 1607-1703 | Operating System (OS) vulnerabilities +Windows 10, version 1709 or later |Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment Windows Server 2008 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment Windows Server 2012 R2 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment Windows Server 2016 | Operating System (OS) vulnerabilities Software product vulnerabilities Operating System (OS) configuration assessment Security controls configuration assessment Software product configuration assessment diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md index 5ce499f8fe..9bf4ddccc7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-vulnerable-devices-report.md @@ -4,7 +4,7 @@ description: A report showing vulnerable device trends and current statistics. T keywords: mdatp-tvm vulnerable devices, mdatp, tvm, reduce threat & vulnerability exposure, reduce threat and vulnerability, monitor security configuration search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Vulnerable devices report - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md index e9ead66986..dc46a51f0e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-weaknesses.md @@ -1,10 +1,10 @@ --- title: Vulnerabilities in my organization - threat and vulnerability management -description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. -keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm +description: Lists the common vulnerabilities and exposures (CVE) ID of weaknesses found in the software running in your organization. Discovered by the Microsoft Defender ATP threat and vulnerability management capability. +keywords: mdatp threat & vulnerability management, threat and vulnerability management, mdatp tvm weaknesses page, finding weaknesses through tvm, tvm vulnerability list, vulnerability details in tvm search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # Vulnerabilities in my organization - threat and vulnerability management @@ -35,12 +36,8 @@ The **Weaknesses** page lists the software vulnerabilities your devices are expo >[!NOTE] >If there is no official CVE-ID assigned to a vulnerability, the vulnerability name is assigned by threat and vulnerability management. ->[!IMPORTANT] ->To boost your vulnerability assessment detection rates, you can download the following mandatory security updates and deploy them in your network: ->- 19H1 customers | [KB 4512941](https://support.microsoft.com/help/4512941/windows-10-update-kb4512941) ->- RS5 customers | [KB 4516077](https://support.microsoft.com/help/4516077/windows-10-update-kb4516077) ->- RS4 customers | [KB 4516045](https://support.microsoft.com/help/4516045/windows-10-update-kb4516045) ->- RS3 customers | [KB 4516071](https://support.microsoft.com/help/4516071/windows-10-update-kb4516071) +>[!TIP] +>To get emails about new vulnerability events, see [Configure vulnerability email notifications in Microsoft Defender for Endpoint](configure-vulnerability-email-notifications.md) ## Navigate to the Weaknesses page diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md index 6a90da4f66..2a58bec532 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-zero-day-vulnerabilities.md @@ -4,7 +4,7 @@ description: Learn how to find and mitigate zero-day vulnerabilities in your env keywords: mdatp tvm zero day vulnerabilities, tvm, threat & vulnerability management, zero day, 0-day, mitigate 0 day vulnerabilities, vulnerable CVE search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: article +ms.technology: mde --- # Mitigate zero-day vulnerabilities - threat and vulnerability management diff --git a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md index 2f5e42faa5..9d41281585 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unisolate-machine.md @@ -3,7 +3,7 @@ title: Release device from isolation API description: Use this API to create calls related to release a device from isolation. keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,9 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article - +ms.technology: mde --- # Release device from isolation API @@ -84,9 +84,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate -Content-type: application/json +``` + +```json { "Comment": "Unisolate machine since it was clean and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md index ef5ea2434a..41934f0380 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md +++ b/windows/security/threat-protection/microsoft-defender-atp/unrestrict-code-execution.md @@ -3,7 +3,7 @@ title: Remove app restriction API description: Use this API to create calls related to removing a restriction from applications from executing. keywords: apis, graph api, supported apis, remove device from isolation search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Remove app restriction API @@ -81,9 +82,11 @@ If successful, this method returns 201 - Created response code and [Machine Acti Here is an example of the request. -``` +```http POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution -Content-type: application/json +``` + +```json { "Comment": "Unrestrict code execution since machine was cleaned and validated" } diff --git a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md index 9e142b87bc..a19d0d51e1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/update-alert.md +++ b/windows/security/threat-protection/microsoft-defender-atp/update-alert.md @@ -3,7 +3,7 @@ title: Update alert entity API description: Learn how to update a Microsoft Defender ATP alert by using this API. You can update the status, determination, classification, and assignedTo properties. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Update alert @@ -90,10 +91,11 @@ If successful, this method returns 200 OK, and the [alert](alerts.md) entity in Here is an example of the request. -``` +```http PATCH https://api.securitycenter.microsoft.com/api/alerts/121688558380765161_2136280442 -Content-Type: application/json +``` +```json { "status": "Resolved", "assignedTo": "secop2@contoso.com", @@ -101,4 +103,4 @@ Content-Type: application/json "determination": "Malware", "comment": "Resolve my alert and assign to secop2" } -``` +``` \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/use.md b/windows/security/threat-protection/microsoft-defender-atp/use.md index 3b37769671..777f2b2ae4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/use.md +++ b/windows/security/threat-protection/microsoft-defender-atp/use.md @@ -4,7 +4,7 @@ description: Learn about the features on Microsoft Defender Security Center, inc keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate devices, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Overview of Microsoft Defender Security Center @@ -36,6 +37,11 @@ Use the **Threat & Vulnerability Management** dashboard to expand your visibilit Use the **Threat analytics** dashboard to continually assess and control risk exposure to Spectre and Meltdown. +## Microsoft Defender for Endpoint interactive guide +In this interactive guide, you'll learn how to investigate threats to your organization with Microsoft Defender for Endpoint. You'll see how Microsoft Defender for Endpoint can help you identify suspicious activities, investigate risks to your organization, and remediate threats. + +> [!VIDEO https://aka.ms/MSDE-IG] + ### In this section Topic | Description diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index fa2af61c92..f312b2554c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md @@ -4,7 +4,7 @@ description: Create roles and define the permissions assigned to the role as par keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Create and manage roles for role-based access control diff --git a/windows/security/threat-protection/microsoft-defender-atp/user.md b/windows/security/threat-protection/microsoft-defender-atp/user.md index 8d75aea649..ed14562c20 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user.md @@ -3,7 +3,7 @@ title: User resource type description: Retrieve recent Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) alerts related to users. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: mjcaparas ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # User resource type diff --git a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md index df9ae6390d..887ca33b19 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/view-incidents-queue.md @@ -5,7 +5,7 @@ description: See the list of incidents and learn how to apply filters to limit t keywords: view, organize, incidents, aggregate, investigations, queue, ttp search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,8 +14,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # View and organize the Microsoft Defender for Endpoint Incidents queue diff --git a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md index 924169d5d8..fa32bd8294 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md +++ b/windows/security/threat-protection/microsoft-defender-atp/vulnerability.md @@ -3,7 +3,7 @@ title: Vulnerability methods and properties description: Retrieves vulnerability information keywords: apis, graph api, supported apis, get, vulnerability search.product: eADQiWindows 10XVcnh -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,8 +12,9 @@ author: DulceMontemayor ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Vulnerability resource type diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index d8daf9644c..2fcb052cc9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -1,10 +1,10 @@ --- title: Web content filtering description: Use web content filtering in Microsoft Defender ATP to track and regulate access to websites based on their content categories. -keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Web content filtering @@ -32,7 +33,7 @@ Web content filtering is part of [Web protection](web-protection-overview.md) ca Configure policies across your device groups to block certain categories. Blocking a category prevents users within specified device groups from accessing URLs associated with the category. For any category that's not blocked, the URLs are automatically audited. Your users can access the URLs without disruption, and you'll gather access statistics to help create a more custom policy decision. Your users will see a block notification if an element on the page they're viewing is making calls to a blocked resource. -Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome and Firefox). For more information about browser support, see the prerequisites section. +Web content filtering is available on the major web browsers, with blocks performed by Windows Defender SmartScreen (Microsoft Edge) and Network Protection (Chrome, Firefox, Brave and Opera). For more information about browser support, see the prerequisites section. Summarizing the benefits: @@ -42,7 +43,7 @@ Summarizing the benefits: ## User experience -The blocking experience for Chrome/Firefox is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. +The blocking experience for 3rd party supported browsers is provided by Network Protection, which provides a system-level toast notifying the user of a blocked connection. For a more user-friendly in-browser experience, consider using Microsoft Edge. @@ -54,11 +55,11 @@ Before trying out this feature, make sure you have the following requirements: - Access to Microsoft Defender Security Center portal - Devices running Windows 10 Anniversary Update (version 1607) or later with the latest MoCAMP update. -If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. +If Windows Defender SmartScreen isn't turned on, Network Protection will take over the blocking. It requires [enabling Network Protection](enable-network-protection.md) on the device. Chrome, Firefox, Brave, and Opera are currently 3rd party browsers in which this feature is enabled. ## Data handling -We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. However, we may send them aggregate data (across users and organizations) to help them improve their feeds. +We will follow whichever region you have elected to use as part of your [Microsoft Defender for Endpoint data handling settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). Your data will not leave the data center in that region. In addition, your data will not be shared with any third-parties, including our data providers. ## Turn on web content filtering @@ -78,7 +79,7 @@ To add a new policy: 2. Specify a name. 3. Select the categories to block. Use the expand icon to fully expand each parent category and select specific web content categories. 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. -5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +5. Review the summary and save the policy. The policy refresh may take up to 2 hours to apply to your selected devices. Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. @@ -138,7 +139,7 @@ Use the time range filter at the top left of the page to select a time period. Y ### Limitations and known issues in this preview -- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across Chrome/Firefox. +- Only Microsoft Edge is supported if your device's OS configuration is Server (cmd > Systeminfo > OS Configuration). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported 3rd party browsers. - Unassigned devices will have incorrect data shown within the report. In the Report details > Device groups pivot, you may see a row with a blank Device Group field. This group contains your unassigned devices before they get put into your specified group. The report for this row may not contain an accurate count of devices or access counts. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md index 8bc1e5811a..835cbc6860 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-monitoring.md @@ -1,10 +1,10 @@ --- title: Monitoring web browsing security in Microsoft Defender ATP description: Use web protection in Microsoft Defender ATP to monitor web browsing security -keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, monitoring, reports, cards, domain list, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Monitor web browsing security diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md index 998d416c2a..052d013832 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-overview.md @@ -1,10 +1,10 @@ --- title: Web protection description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization -keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites +keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, malicious websites search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Web protection diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md index 4d52993b4d..3abe8edad9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-protection-response.md @@ -4,7 +4,7 @@ description: Respond to alerts related to malicious and unwanted websites. Under keywords: web protection, web threat protection, web browsing, alerts, response, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser, notifications, end users, Windows notifications, blocking page, search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Respond to web threats diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md index f6b119e508..77a0809bf4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-threat-protection.md @@ -1,10 +1,10 @@ --- title: Protect your organization against web threats description: Learn about web protection in Microsoft Defender ATP and how it can protect your organization -keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser +keywords: web protection, web threat protection, web browsing, security, phishing, malware, exploit, websites, network protection, Edge, Internet Explorer, Chrome, Firefox, web browser search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -13,8 +13,9 @@ author: levinec ms.localizationpriority: medium manager: dansimp audience: ITPro -ms.collection: M365-security-compliance +ms.collection: M365-security-compliance ms.topic: article +ms.technology: mde --- # Protect your organization against web threats diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 9a8ae62bdb..1eb35c6079 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -4,7 +4,7 @@ description: See what features are generally available (GA) in the latest releas keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new search.product: eADQiWindows 10XVcnh search.appverid: met150 -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: secure ms.sitesec: library ms.pagetype: security @@ -14,9 +14,10 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint + - m365-security-compliance + - m365initiative-defender-endpoint ms.topic: conceptual +ms.technology: mde --- # What's new in Microsoft Defender for Endpoint @@ -40,6 +41,11 @@ For more information preview features, see [Preview features](https://docs.micro > https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us > ``` + +## January 2021 + +- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/) Microsoft Defender for Endpoint now adds support for Windows Virtual Desktop. + ## December 2020 - [Microsoft Defender for Endpoint for iOS](microsoft-defender-atp-ios.md) Microsoft Defender for Endpoint now adds support for iOS. Learn how to install, configure, update, and use Microsoft Defender for Endpoint for iOS. diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index ef53ba233b..ace344e032 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md @@ -2,7 +2,7 @@ title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows 10) description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 09/28/2020 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings **Applies to:** diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index 0c20744eee..9b7c62b617 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md @@ -2,7 +2,7 @@ title: Microsoft Defender SmartScreen overview (Windows 10) description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -13,6 +13,7 @@ ms.localizationpriority: high ms.date: 11/27/2019 ms.reviewer: manager: dansimp +ms.technology: mde --- # Microsoft Defender SmartScreen diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md index 728d759855..6b4f9fc6e2 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md @@ -2,7 +2,7 @@ title: Set up and use Microsoft Defender SmartScreen on individual devices (Windows 10) description: Learn how employees can use Windows Security to set up Microsoft Defender SmartScreen. Microsoft Defender SmartScreen protects users from running malicious apps. keywords: SmartScreen Filter, Windows SmartScreen, Microsoft Defender SmartScreen -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -12,6 +12,7 @@ ms.date: 10/13/2017 ms.reviewer: manager: dansimp ms.author: macapara +ms.technology: mde --- # Set up and use Microsoft Defender SmartScreen on individual devices diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 3e5cd564fb..c792222c8a 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -4,12 +4,13 @@ ms.author: dansimp title: Override Process Mitigation Options (Windows 10) description: How to use Group Policy to override individual Process Mitigation Options settings and to help enforce specific app-related security policies. keywords: Process Mitigation Options, Mitigation Options, Group Policy Mitigation Options -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.pagetype: security ms.sitesec: library author: dulcemontemayor ms.localizationpriority: medium +ms.technology: mde --- diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index ca627315b9..3237437499 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -1,16 +1,17 @@ --- title: Mitigate threats by using Windows 10 security features (Windows 10) description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor +author: dansimp ms.date: 10/13/2017 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Mitigate threats by using Windows 10 security features diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index 905bf8c06a..00e7c27ee7 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -6,13 +6,14 @@ ms.reviewer: manager: dansimp ms.author: dansimp keywords: security, BYOD, malware, device health attestation, mobile -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, devices author: dulcemontemayor ms.date: 10/13/2017 ms.localizationpriority: medium +ms.technology: mde --- # Control the health of Windows 10-based devices diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index e8dd6ab29f..509869f9e5 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -2,7 +2,7 @@ title: Microsoft Security Compliance Toolkit 1.0 description: This article describes how to use the Security Compliance Toolkit in your organization keywords: virtualization, security, malware -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: dansimp @@ -13,6 +13,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/21/2019 ms.reviewer: +ms.technology: mde --- # Microsoft Security Compliance Toolkit 1.0 @@ -33,7 +34,6 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1607 (Anniversary Update) - Windows 10 Version 1507 @@ -47,6 +47,9 @@ The Security Compliance Toolkit consists of: - Microsoft Edge security baseline - Version 85 + +- Windows Update security baseline + - Windows 10 20H2 and below (October 2020 Update) - Tools - Policy Analyzer tool diff --git a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md index 073cfbd4cb..152f6711fe 100644 --- a/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md +++ b/windows/security/threat-protection/security-policy-settings/access-credential-manager-as-a-trusted-caller.md @@ -4,7 +4,7 @@ description: Describes best practices, security considerations, and more for the ms.assetid: a51820d2-ca5b-47dd-8e9b-d7008603db88 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Access Credential Manager as a trusted caller diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index 06d067f006..d20934b1f3 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f6767bc2-83d1-45f1-847c-54f5362db022 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Access this computer from the network - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 4394099acc..4df87c418a 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: a4167bf4-27c3-4a9b-8ef0-04e3c6ec3aa4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Account lockout duration diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index 852449d7ce..26ba3362f0 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -4,7 +4,7 @@ description: Describes the Account Lockout Policy settings and links to informat ms.assetid: eb968c28-17c5-405f-b413-50728cb7b724 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/11/2018 +ms.technology: mde --- # Account Lockout Policy diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index d9c2770ad4..d7dacae92e 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 4904bb40-a2bd-4fef-a102-260ba8d74e30 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/02/2018 +ms.technology: mde --- # Account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index f740ced849..42f0509874 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -4,7 +4,7 @@ description: An overview of account policies in Windows and provides links to po ms.assetid: 711b3797-b87a-4cd9-a2e3-1f8ef18688fb ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Account Policies diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 242f47b39f..983c8abe93 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 71a3bd48-1014-49e0-a936-bfe9433af23e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/01/2017 +ms.technology: mde --- # Accounts: Administrator account status diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index 44ba58b22d..999953b0f6 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, management, and sec ms.assetid: 94c76f45-057c-4d80-8d01-033cf28ef2f7 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/10/2017 +ms.technology: mde --- # Accounts: Block Microsoft accounts diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 0677dbe5ed..1828f74f0d 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 07e53fc5-b495-4d02-ab42-5b245d10d0ce ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Guest account status - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index 429a6e932a..88adc7aa01 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -4,7 +4,7 @@ description: Learn best practices, security considerations, and more for the pol ms.assetid: a1bfb58b-1ae8-4de9-832b-aa889a6e64bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Limit local account use of blank passwords to console logon only diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index 416c761dd9..1bf1c8e328 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -4,7 +4,7 @@ description: This security policy reference topic for the IT professional descri ms.assetid: d21308eb-7c60-4e48-8747-62b8109844f9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Rename administrator account diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index 4e136d6fc7..5694b75065 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 9b8052b4-bbb9-4cc1-bfee-ce25390db707 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Accounts: Rename guest account - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index b32355b82a..dfd593bde8 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c1b7e084-a9f7-4377-b678-07cc913c8b0c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Act as part of the operating system diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index e961da2395..c2cfbb9858 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management a ms.assetid: b0c21af4-c928-4344-b1f1-58ef162ad0b3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Add workstations to domain diff --git a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md index fc90fa5e4b..154ecd7c75 100644 --- a/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md +++ b/windows/security/threat-protection/security-policy-settings/adjust-memory-quotas-for-a-process.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 6754a2c8-6d07-4567-9af3-335fd8dd7626 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Adjust memory quotas for a process diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 378bc21d36..0e4d3680f2 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -4,7 +4,7 @@ description: This article discusses different methods to administer security pol ms.assetid: 7617d885-9d28-437a-9371-171197407599 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Administer security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index ee0f5f1b86..3bb3d64326 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Allow log on locally - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 518c760a7e..044f3c2fe5 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Allow log on through Remote Desktop Services diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index ef5a46869a..4015f85f3f 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit: Audit the access of global system objects diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 4c8003e0f3..3c398b2262 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -4,7 +4,7 @@ description: "Describes the best practices, location, values, and security consi ms.assetid: f656a2bb-e8d6-447b-8902-53df3a7756c5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/01/2019 +ms.technology: mde --- # Audit: Audit the use of Backup and Restore privilege diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index 023e1eac23..3c64ae947a 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -4,7 +4,7 @@ description: Learn more about the security policy setting, Audit Force audit pol ms.assetid: 8ddc06bc-b6d6-4bac-9051-e0d77035bd4e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings diff --git a/windows/security/threat-protection/security-policy-settings/audit-policy.md b/windows/security/threat-protection/security-policy-settings/audit-policy.md index 01e76f7782..351b357bb8 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-policy.md +++ b/windows/security/threat-protection/security-policy-settings/audit-policy.md @@ -4,7 +4,7 @@ description: Provides information about basic audit policies that are available ms.assetid: 2e8ea400-e555-43e5-89d6-0898cb89da90 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit Policy diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index e9e6d09cf2..6b2a642f91 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2cd23cd9-0e44-4d0b-a1f1-39fc29303826 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Audit: Shut down system immediately if unable to log security audits diff --git a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md index a431f30baf..67a1efe7b8 100644 --- a/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories.md @@ -4,7 +4,7 @@ description: Describes the recommended practices, location, values, policy manag ms.assetid: 1cd6bdd5-1501-41f4-98b9-acf29ac173ae ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Back up files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index af394cc02a..b82df05bd9 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 1c828655-68d3-4140-aa0f-caa903a7087e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Bypass traverse checking diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index 3729af5440..611c4f29c6 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f2f6637d-acbc-4352-8ca3-ec563f918e65 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Change the system time - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md index 21918a8f75..f9251b7542 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-time-zone.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3b1afae4-68bb-472f-a43e-49e300d73e50 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Change the time zone - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index 55281194fb..eaca0ecfbb 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: dc087897-459d-414b-abe0-cd86c8dccdea ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a pagefile - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index 2aab29e91a..52fb6a0e53 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: bfbf52fc-6ba4-442a-9df7-bd277e55729c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create a token object diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index 6093dfc046..c29a2716ee 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 9cb6247b-44fc-4815-86f2-cb59b6f0221e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create global objects diff --git a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md index 99d3c81d18..33b84b4ddd 100644 --- a/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-permanent-shared-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 6a58438d-65ca-4c4a-a584-450eed976649 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create permanent shared objects diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index 696c309ef6..70f390d16a 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 882922b9-0ff8-4ee9-8afc-4475515ee3fd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Create symbolic links diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index dbef4f23b0..8b5c1ba80d 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the syntax policy setting, ms.assetid: 0fe3521a-5252-44df-8a47-8d92cf936e7c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 1e3fb1aac8..46bcee01d5 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, DCOM Machi ms.assetid: 4b95d45f-dd62-4c34-ba32-43954528dabe ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax diff --git a/windows/security/threat-protection/security-policy-settings/debug-programs.md b/windows/security/threat-protection/security-policy-settings/debug-programs.md index 8e9e1de135..ee678fa038 100644 --- a/windows/security/threat-protection/security-policy-settings/debug-programs.md +++ b/windows/security/threat-protection/security-policy-settings/debug-programs.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 594d9f2c-8ffc-444b-9522-75615ec87786 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Debug programs diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index c7de16a3ed..426bbb78d9 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 935e9f89-951b-4163-b186-fc325682bb0b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny access to this computer from the network diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 3705d5c84b..33371b5594 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 0ac36ebd-5e28-4b6a-9b4e-8924c6ecf44b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on as a batch job diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index ae1ff7ad09..e93b14011b 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f1114964-df86-4278-9b11-e35c66949794 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on as a service diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index c29d301d15..16aac6c38f 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 00150e88-ec9c-43e1-a70d-33bfe10434db ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on locally diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index 5ba0488e44..e618426e9d 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Deny log on through Remote Desktop Services diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index b9c5b91f0b..1c8ec83ad6 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Allow undock without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index 63a755d174..4a2d451bd1 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d1b42425-7244-4ab1-9d46-d68de823459c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Allowed to format and eject removable media diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 6b2c51d931..15e9f97f5d 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: ab70a122-f7f9-47e0-ad8c-541f30a27ec3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Prevent users from installing printer drivers diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 45bae7d793..14b745deaf 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 8b8f44bb-84ce-4f18-af30-ab89910e234d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Restrict CD-ROM access to locally logged-on user only diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index f0de6a47fe..0b64be01ad 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 92997910-da95-4c03-ae6f-832915423898 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Devices: Restrict floppy access to locally logged-on user only diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index 42e3ec17e1..6708f52037 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 198b12a4-8a5d-48e8-a752-2073b8a2cb0d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain controller: Allow server operators to schedule tasks diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 933e46f0a1..ba471b4b00 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: fe122179-7571-465b-98d0-b8ce0f224390 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain controller: LDAP server signing requirements diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 0115f58fc6..7a2193fd9c 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 5a7fa2e2-e1a8-4833-90f7-aa83e3b456a9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain controller: Refuse machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index 065ea3434c..9c02ea6441 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 4480c7cb-adca-4f29-b4b8-06eb68d272bf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Digitally encrypt or sign secure channel data (always) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index 0540ffa16a..cc788fbe2b 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 73e6023e-0af3-4531-8238-82f0f0e4965b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Digitally encrypt secure channel data (when possible) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index e0127d72d7..5d0ee13652 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: a643e491-4f45-40ea-b12c-4dbe47e54f34 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Digitally sign secure channel data (when possible) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index af37ad2e44..16e25c74bf 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 1f660300-a07a-4243-a09f-140aa1ab8867 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/27/2019 +ms.technology: mde --- # Domain member: Disable machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 1c74391497..ff2d29cc14 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 0ec6f7c1-4d82-4339-94c0-debb2d1ac109 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 05/29/2020 +ms.technology: mde --- # Domain member: Maximum machine account password age diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 9660f69829..544c028497 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Domain member: Require strong (Windows 2000 or later) session key diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index 1968ce5913..cd3439ae58 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 524062d4-1595-41f3-8ce1-9c85fd21497b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Enable computer and user accounts to be trusted for delegation diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index 43ed37c3fc..796779c714 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 8b2ab871-3e52-4dd1-9776-68bb1e935442 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Enforce password history diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index ac0af26a19..71615ceabb 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5891cb73-f1ec-48b9-b703-39249e48a29f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Enforce user logon restrictions diff --git a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md index fb56241385..e6585a09a3 100644 --- a/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md +++ b/windows/security/threat-protection/security-policy-settings/force-shutdown-from-a-remote-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 63129243-31ea-42a4-a598-c7064f48a3df ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Force shutdown from a remote system diff --git a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md index d6a7cf2241..40e5ca7ef1 100644 --- a/windows/security/threat-protection/security-policy-settings/generate-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/generate-security-audits.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c0e1cd80-840e-4c74-917c-5c2349de885f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Generate security audits diff --git a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md index 3f70c13716..7ad1fc41a6 100644 --- a/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings.md @@ -4,8 +4,7 @@ description: Describes steps to configure a security policy setting on the local ms.assetid: 63b0967b-a9fe-4d92-90af-67469ee20320 ms.reviewer: ms.author: dansimp - -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Configure security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 1d241529ee..c341629510 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4cd241e2-c680-4b43-8ed0-3b391925cec5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Impersonate a client after authentication diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index 1225e25cd9..4473a058bb 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: b742ad96-37f3-4686-b8f7-f2b48367105b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Increase a process working set diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 5d4835f444..1cd8ae7179 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: fbec5973-d35e-4797-9626-d0d56061527f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 2/6/2020 +ms.technology: mde --- # Increase scheduling priority diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index c9e784c755..eb88a41772 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Display user information when the session is locked diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index dbb2b2c45b..dc34342e33 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -1,7 +1,7 @@ --- title: Interactive logon Don't display last signed-in (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ ms.topic: conceptual ms.date: 04/19/2017 ms.reviewer: ms.author: dansimp +ms.technology: mde --- # Interactive logon: Don't display last signed-in diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 47257f0e50..e209f6f824 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 04e2c000-2eb2-4d4b-8179-1e2cb4793e18 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Do not require CTRL+ALT+DEL diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index 84ae5e963d..dc75f23f03 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -2,9 +2,9 @@ title: Interactive logon Don't display username at sign-in (Windows 10) description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display username at sign-in security policy setting. ms.assetid: 98b24b03-95fe-4edc-8e97-cbdaa8e314fd -ms.reviewer: +ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Don't display username at sign-in diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index 384e9959b1..ea490bea9a 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -4,7 +4,7 @@ description: Best practices, location, values, management, and security consider ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Machine account lockout threshold diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 07e009dc0e..b42c080ea0 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, management, and sec ms.assetid: 7065b4a9-0d52-41d5-afc4-5aedfc4162b5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/18/2018 +ms.technology: mde --- # Interactive logon: Machine inactivity limit diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 61a261c4bd..554fcc6d63 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Message text for users attempting to log on diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index bf4611c235..3f2be2aad0 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Message title for users attempting to log on diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index ebfbd65b83..f1248b1825 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, Interactiv ms.assetid: 660e925e-cc3e-4098-a41e-eb8db8062d8d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/27/2018 +ms.technology: mde --- # Interactive logon: Number of previous logons to cache (in case domain controller is not available) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index b98d74a6bb..0eada407ca 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -1,10 +1,10 @@ --- -title: Interactive log-on prompt user to change password before expiration (Windows 10) +title: Interactive log-on prompt user to change password before expiration (Windows 10) description: Best practices and security considerations for an interactive log-on prompt for users to change passwords before expiration. ms.assetid: 8fe94781-40f7-4fbe-8cfd-5e116e6833e9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive log on: Prompt the user to change passwords before expiration diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 216de3c43e..e08474cde8 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -4,7 +4,7 @@ description: Best practices security considerations, and more for the policy set ms.assetid: 97618ed3-e946-47db-a212-b5e7a4fc6ffc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Require Domain Controller authentication to unlock workstation diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md index 33b628cb5e..1235ce1f89 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-smart-card.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c6a8c040-cbc7-472d-8bc5-579ddf3cbd6c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Require smart card - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md index 3c4204523c..822699cbe5 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-smart-card-removal-behavior.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 61487820-9d49-4979-b15d-c7e735999460 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Interactive logon: Smart card removal behavior diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index b99dec5d92..4dde3dafa0 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -4,7 +4,7 @@ description: Describes the Kerberos Policy settings and provides links to policy ms.assetid: 94017dd9-b1a3-4624-af9f-b29161b4bf38 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Kerberos Policy diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index d80474a5ab..ece23d6a1b 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 66262532-c610-470c-9792-35ff4389430f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Load and unload device drivers diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index 9c53d5bb73..9f512271e5 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: cc724979-aec0-496d-be4e-7009aef660a3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Lock pages in memory diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index 7ad5326697..e4997ab361 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4eaddb51-0a18-470e-9d3d-5e7cd7970b41 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Log on as a batch job diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md index 7539cb89c0..a170ea805c 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-service.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: acc9a9e0-fd88-4cda-ab54-503120ba1f42 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Log on as a service diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index cec2f34a4c..057b9c3219 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 4b946c0d-f904-43db-b2d5-7f0917575347 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Manage auditing and security log diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index 2ba4e7f98c..4c5b767250 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 484bf05a-3858-47fc-bc02-6599ca860247 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum lifetime for service ticket diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index d4fc263448..4298be4ed3 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: f88cd819-3dd1-4e38-b560-13fe6881b609 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum lifetime for user ticket renewal diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index 46cd7ecb25..c9f03e275f 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: bcb4ff59-334d-4c2f-99af-eca2b64011dc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum lifetime for user ticket diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 5eacf443c4..18d09c4627 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 2d6e70e7-c8b0-44fb-8113-870c6120871d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum password age diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index 880ce8d6ab..98e58336ac 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ba2cf59e-d69d-469e-95e3-8e6a0ba643af ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Maximum tolerance for computer clock synchronization diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md index 457ba6494f..f2c0e59130 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md @@ -5,13 +5,14 @@ ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 06/28/2018 +ms.technology: mde --- # Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 0eb20f0245..3fca806b68 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 97a76b93-afa7-4dd9-bb52-7c9e289b6017 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index 7bfb786b1e..df04135ddb 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8227842a-569d-480f-b43c-43450bbaa722 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Amount of idle time required before suspending session diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 473585fba5..bf80e3d066 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -4,7 +4,7 @@ description: Learn about the security policy setting, Microsoft network server A ms.assetid: e4508387-35ed-4a3f-a47c-27f8396adbba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Attempt S4U2Self to obtain claim information diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index 2e7b8cc704..aa8327994b 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/21/2018 +ms.technology: mde --- # Microsoft network server: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md index d763e077ca..c63ba1fa9c 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: 48b5c424-9ba8-416d-be7d-ccaabb3f49af ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Disconnect clients when logon hours expire diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md index f45ef84792..934085e4f4 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 18337f78-eb45-42fd-bdbd-f8cd02c3e154 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Microsoft network server: Server SPN target name validation level diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 9995735537..177a7d0222 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -5,13 +5,14 @@ ms.assetid: 91915cb2-1b3f-4fb7-afa0-d03df95e8161 ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 11/13/2018 +ms.technology: mde --- # Minimum password age diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index ae21ed863f..c14de4b2fc 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3d22eb9a-859a-4b6f-82f5-c270c427e17e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Minimum password length diff --git a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md index 9775374e5e..baa5e9c04b 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md +++ b/windows/security/threat-protection/security-policy-settings/modify-an-object-label.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 3e5a97dd-d363-43a8-ae80-452e866ebfd5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Modify an object label diff --git a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md index 7ad95e9f59..5022db6039 100644 --- a/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md +++ b/windows/security/threat-protection/security-policy-settings/modify-firmware-environment-values.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 80bad5c4-d9eb-4e3a-a5dc-dcb742b83fca ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Modify firmware environment values diff --git a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md index 0b21eb13c9..b78e43e706 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-allow-anonymous-sidname-translation.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: 0144477f-22a6-4d06-b70a-9c9c2196e99e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Allow anonymous SID/Name translation diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md index b679530985..23a4d0c815 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 3686788d-4cc7-4222-9163-cbc7c3362d73 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Do not allow anonymous enumeration of SAM accounts and shares diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md index e957638eb9..3243d8261b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 6ee25b33-ad43-4097-b031-7be680f64c7c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Do not allow anonymous enumeration of SAM accounts diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 3668aaef4c..b22b8e05fe 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: b9b64360-36ea-40fa-b795-2d6558c46563 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Do not allow storage of passwords and credentials for network authentication diff --git a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md index 6ea98c4a06..816f4d78b1 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: cdbc5159-9173-497e-b46b-7325f4256353 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Let Everyone permissions apply to anonymous users diff --git a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md index ca8b104079..bb01d6c117 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md @@ -4,7 +4,7 @@ description: Describes best practices, security considerations and more for the ms.assetid: 8897d2a4-813e-4d2b-8518-fcee71e1cf2c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Named Pipes that can be accessed anonymously diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md index a221329ce9..078753c170 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md @@ -4,7 +4,7 @@ description: Describes best practices, location, values, and security considerat ms.assetid: 3fcbbf70-a002-4f85-8e86-8dabad21928e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Remotely accessible registry paths and subpaths diff --git a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md index 62e028051b..ab9370f9dd 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-remotely-accessible-registry-paths.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: 977f86ea-864f-4f1b-9756-22220efce0bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Remotely accessible registry paths diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md index 7f2010f35f..9fea7c3077 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: e66cd708-7322-4d49-9b57-1bf8ec7a4c10 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Restrict anonymous access to Named Pipes and Shares diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index c93ec93b11..fdcc0c6faf 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -1,7 +1,7 @@ --- title: Network access - Restrict clients allowed to make remote calls to SAM description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security @@ -11,6 +11,7 @@ ms.date: 09/17/2018 ms.reviewer: manager: dansimp ms.author: dansimp +ms.technology: mde --- # Network access: Restrict clients allowed to make remote calls to SAM diff --git a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md index 1fbdd1c98d..125d609e61 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations, and more for t ms.assetid: f3e4b919-8279-4972-b415-5f815e2f0a1a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Shares that can be accessed anonymously diff --git a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md index 8ae8bcfd3d..359010211d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 0b3d703c-ea27-488f-8f59-b345af75b994 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network access: Sharing and security model for local accounts diff --git a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md index 4ac7af5f3c..69ecb0c119 100644 --- a/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md +++ b/windows/security/threat-protection/security-policy-settings/network-list-manager-policies.md @@ -4,7 +4,7 @@ description: Network List Manager policies are security settings that configure ms.assetid: bd8109d4-b07c-4beb-a9a6-affae2ba2fda ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network List Manager policies diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md index 4d792d0457..40a53c2736 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md @@ -4,7 +4,7 @@ description: Location, values, policy management, and security considerations fo ms.assetid: c46a658d-b7a4-4139-b7ea-b9268c240053 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Allow Local System to use computer identity for NTLM diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md index 2a4db2ba09..3f67d9dfbf 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-localsystem-null-session-fallback.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 5b72edaa-bec7-4572-b6f0-648fc38f5395 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Allow LocalSystem NULL session fallback diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 14f67ae3d2..716b1da171 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -4,7 +4,7 @@ description: Best practices for the Network Security Allow PKU2U authentication ms.assetid: e04a854e-d94d-4306-9fb3-56e9bd7bb926 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Allow PKU2U authentication requests to this computer to use online identities diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 51a84cfb6f..d6813adc8f 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -4,7 +4,7 @@ description: Best practices, location, values and security considerations for th ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Configure encryption types allowed for Kerberos diff --git a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md index 32ad4fc2b7..23140d7b81 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 6452b268-e5ba-4889-9d38-db28f919af51 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Do not store LAN Manager hash value on next password change diff --git a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md index 9abafe6715..d82ba2d356 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: 64d5dde4-58e4-4217-b2c4-73bd554ec926 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Force logoff when logon hours expire diff --git a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md index 8cf1d1ef2a..90ab68bf7a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: bbe1a98c-420a-41e7-9d3c-3a2fe0f1843e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: LAN Manager authentication level diff --git a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md index 2e91b3b1b6..deb400f637 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-ldap-client-signing-requirements.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management and security co ms.assetid: 38b35489-eb5b-4035-bc87-df63de50509c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: LDAP client signing requirements diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md index 5a6ed1a602..7da3832813 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, Network se ms.assetid: 89903de8-23d0-4e0f-9bef-c00cb7aebf00 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 07/27/2017 +ms.technology: mde --- # Network security: Minimum session security for NTLM SSP based (including secure RPC) clients diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index aa05ac30a3..fd5bcf7731 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -4,7 +4,7 @@ description: Best practices and security considerations for the policy setting, ms.assetid: c6a60c1b-bc8d-4d02-9481-f847a411b4fc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Minimum session security for NTLM SSP based (including secure RPC) servers diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md index f45e969f85..4f61542115 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 9b017399-0a54-4580-bfae-614c2beda3a1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md index 190741c9b6..ad33075c6d 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2f981b68-6aa7-4dd9-b53d-d88551277cc0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Add server exceptions in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md index 573acd03e5..466fe77336 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: 37e380c2-22e1-44cd-9993-e12815b845cf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Audit incoming NTLM traffic diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index 872e3aaf36..595f2d660a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 33183ef9-53b5-4258-8605-73dc46335e6e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Audit NTLM authentication in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md index 2b0c20bc29..1c4ca789c3 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: c0eff7d3-ed59-4004-908a-2205295fefb8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Incoming NTLM traffic diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md index a88bb90887..947f4ab587 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 4c7884e9-cc11-4402-96b6-89c77dc908f8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: NTLM authentication in this domain diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 582a95f107..1a547615d6 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 63437a90-764b-4f06-aed8-a4a26cf81bd1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index c1ccd042f6..c40865f9da 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 94482ae3-9dda-42df-9782-2f66196e6afe ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Password must meet complexity requirements diff --git a/windows/security/threat-protection/security-policy-settings/password-policy.md b/windows/security/threat-protection/security-policy-settings/password-policy.md index 4e9a967608..d0a560e42b 100644 --- a/windows/security/threat-protection/security-policy-settings/password-policy.md +++ b/windows/security/threat-protection/security-policy-settings/password-policy.md @@ -4,7 +4,7 @@ description: An overview of password policies for Windows and links to informati ms.assetid: aec1220d-a875-4575-9050-f02f9c54a3b6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Password Policy diff --git a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md index 185ef547a9..44ce6c881a 100644 --- a/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/perform-volume-maintenance-tasks.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: b6990813-3898-43e2-8221-c9c06d893244 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Perform volume maintenance tasks diff --git a/windows/security/threat-protection/security-policy-settings/profile-single-process.md b/windows/security/threat-protection/security-policy-settings/profile-single-process.md index 3ea61190ff..fc3af3e372 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-single-process.md +++ b/windows/security/threat-protection/security-policy-settings/profile-single-process.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c0963de4-4f5e-430e-bfcd-dfd68e66a075 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Profile single process diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index c39e1de1d2..37a46be943 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Profile system performance diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md index ac9b2c0104..8d560cc318 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-automatic-administrative-logon.md @@ -4,7 +4,7 @@ description: Best practices, location, values, policy management, and security c ms.assetid: be2498fc-48f4-43f3-ad09-74664e45e596 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Recovery console: Allow automatic administrative logon diff --git a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md index 0fb4445f92..2d90c0a80f 100644 --- a/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md +++ b/windows/security/threat-protection/security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: a5b4ac0c-f33d-42b5-a866-72afa7cbd0bd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Recovery console: Allow floppy copy and access to all drives and folders diff --git a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md index a19803baed..099396d96b 100644 --- a/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md +++ b/windows/security/threat-protection/security-policy-settings/remove-computer-from-docking-station.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 229a385a-a862-4973-899a-413b1b5b6c30 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Remove computer from docking station - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md index 6b6b9fbf97..497b00f4d5 100644 --- a/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md +++ b/windows/security/threat-protection/security-policy-settings/replace-a-process-level-token.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5add02db-6339-489e-ba21-ccc3ccbe8745 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Replace a process level token diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index d4c0f55aa6..7dd3bc674f 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: d5ccf6dd-5ba7-44a9-8e0b-c478d8b1442c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/02/2018 +ms.technology: mde --- # Reset account lockout counter after diff --git a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md index edb41ef508..56932252a4 100644 --- a/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md +++ b/windows/security/threat-protection/security-policy-settings/restore-files-and-directories.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c673c0fa-6f49-4edd-8c1f-c5e8513f701d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Restore files and directories - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md index 5836257990..58e86eb700 100644 --- a/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/secpol-advanced-security-audit-policy-settings.md @@ -4,7 +4,7 @@ description: Provides information about the advanced security audit policy setti ms.assetid: 6BF9A642-DBC3-4101-94A3-B2316C553CE3 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Advanced security audit policy settings diff --git a/windows/security/threat-protection/security-policy-settings/security-options.md b/windows/security/threat-protection/security-policy-settings/security-options.md index 46dbab8860..b31d7a38cd 100644 --- a/windows/security/threat-protection/security-policy-settings/security-options.md +++ b/windows/security/threat-protection/security-policy-settings/security-options.md @@ -5,13 +5,14 @@ ms.assetid: 405ea253-8116-4e57-b08e-14a8dcdca92b ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.date: 06/28/2018 +ms.technology: mde --- # Security Options diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md index a129a83f56..690b97fddb 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings-reference.md @@ -4,7 +4,7 @@ description: This reference of security settings provides information about how ms.assetid: ef5a4579-15a8-4507-9a43-b7ccddcb0ed1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Security policy settings reference diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md index a8bd08c42d..1e283c3673 100644 --- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md @@ -4,7 +4,7 @@ description: This reference topic describes the common scenarios, architecture, ms.assetid: e7ac5204-7f6c-4708-a9f6-6af712ca43b9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Security policy settings diff --git a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md index 368f3b722b..1b5d5a161d 100644 --- a/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md +++ b/windows/security/threat-protection/security-policy-settings/shut-down-the-system.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: c8e8f890-153a-401e-a957-ba6a130304bf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Shut down the system - security policy setting diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md index 49cf09a6db..5f9aec2590 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: f3964767-5377-4416-8eb3-e14d553a7315 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Shutdown: Allow system to be shut down without having to log on diff --git a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md index b3e5bb9c6c..b556412de2 100644 --- a/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/shutdown-clear-virtual-memory-pagefile.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management a ms.assetid: 31400078-6c56-4891-a6df-6dfb403c4bc9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 08/01/2017 +ms.technology: mde --- # Shutdown: Clear virtual memory pagefile diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index a8d2183e51..996a278b07 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: 4b7b0298-b130-40f8-960d-60418ba85f76 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMBv1 Microsoft network client: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 47483249d7..6b4331de2f 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -4,7 +4,7 @@ description: Best practices, location, values, and security considerations for t ms.assetid: e553f700-aae5-425c-8650-f251c90ba5dd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index dffc41d41d..0c427716aa 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 2007b622-7bc2-44e8-9cf1-d34b62117ea8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMB v1 Microsoft network server: Digitally sign communications (always) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 45e242b7fc..032bb6d057 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: c92b2e3d-1dbf-4337-a145-b17a585f4fc1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 01/04/2019 +ms.technology: mde --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md index 8541cc65f4..fa3693209f 100644 --- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md +++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, and security consid ms.assetid: 57f958c2-f1e9-48bf-871b-0a9b3299e238 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Store passwords using reversible encryption diff --git a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md index 576180c4a9..04d2c905ec 100644 --- a/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md +++ b/windows/security/threat-protection/security-policy-settings/synchronize-directory-service-data.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 97b0aaa4-674f-40f4-8974-b4bfb12c232c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Synchronize directory service data diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md index fd0f6851b0..0ab38e9139 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 8cbff267-881e-4bf6-920d-b583a5ff7de0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System cryptography: Force strong key protection for user keys stored on the computer diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index b3c9f04138..9994949948 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/16/2018 +ms.technology: mde --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md index f2b1daed5b..7d3fdb17cd 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the security p ms.assetid: 340d6769-8f33-4067-8470-1458978d1522 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System objects: Require case insensitivity for non-Windows subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md index 7e622b901f..731ff816b1 100644 --- a/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, System obj ms.assetid: 3a592097-9cf5-4fd0-a504-7cbfab050bb6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System objects: Strengthen default permissions of internal system objects (for example, Symbolic Links) diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md index af6a91841d..05dc5f7a16 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-optional-subsystems.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: 5cb6519a-4f84-4b45-8072-e2aa8a72fb78 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System settings: Optional subsystems diff --git a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md index d261330b49..85d1c3a9c8 100644 --- a/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md +++ b/windows/security/threat-protection/security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, System set ms.assetid: 2380d93b-b553-4e56-a0c0-d1ef740d089c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # System settings: Use certificate rules on Windows executables for Software Restriction Policies diff --git a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md index be428efa89..45985b786a 100644 --- a/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md +++ b/windows/security/threat-protection/security-policy-settings/take-ownership-of-files-or-other-objects.md @@ -4,7 +4,7 @@ description: Describes the best practices, location, values, policy management, ms.assetid: cb8595d1-74cc-4176-bb15-d97663eebb2d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # Take ownership of files or other objects diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index c55c11df6a..3a71b45166 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2017 +ms.technology: mde --- # User Account Control: Admin Approval Mode for the Built-in Administrator account diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md index 6c3bb8ace6..09f6411652 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md @@ -4,7 +4,7 @@ description: Best practices and more for the policy setting, User Account Contro ms.assetid: fce20472-3c93-449d-b520-13c4c74a9892 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 5b6f5b139e..82939414e0 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -4,7 +4,7 @@ description: Best practices and more for the security policy setting, User Accou ms.assetid: 46a3c3a2-1d2e-4a6f-b5e6-29f9592f535d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/08/2017 +ms.technology: mde --- # User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 659b235720..de0490479f 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations, and more for t ms.assetid: 1eae7def-8f6c-43b6-9474-23911fdc01ba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Behavior of the elevation prompt for standard users diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md index 2fd36ac32f..be33709e17 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the security policy setting ms.assetid: 3f8cb170-ba77-4c9f-abb3-c3ed1ef264fc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Detect application installations and prompt for elevation diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md index 014e882384..62665872ff 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the security ms.assetid: 64950a95-6985-4db6-9905-1db18557352d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Only elevate executables that are signed and validated diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md index e9d0d85e91..06e3831a67 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md @@ -4,7 +4,7 @@ description: Learn about best practices and more for the policy setting, User Ac ms.assetid: 4333409e-a5be-4f2f-8808-618f53abd22c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Only elevate UIAccess applications that are installed in secure locations diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md index fb06a1c928..da3fbca962 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md @@ -4,7 +4,7 @@ description: Learn about best practices, security considerations and more for th ms.assetid: b838c561-7bfc-41ef-a7a5-55857259c7bf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Run all administrators in Admin Approval Mode diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md index 8d3f8b2d1b..6b34c92be1 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md @@ -4,7 +4,7 @@ description: Best practices, security considerations, and more for the policy se ms.assetid: 77a067db-c70d-4b02-9861-027503311b8b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Switch to the secure desktop when prompting for elevation diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md index 8fb6f6ead6..e8bf2f6497 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md @@ -4,7 +4,7 @@ description: Best practices, security considerations and more for the policy set ms.assetid: a7b47420-cc41-4b1c-b03e-f67a05221261 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Account Control: Virtualize file and registry write failures to per-user locations diff --git a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md index 03d0a20cf4..5efa422cb9 100644 --- a/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md +++ b/windows/security/threat-protection/security-policy-settings/user-rights-assignment.md @@ -4,7 +4,7 @@ description: Provides an overview and links to information about the User Rights ms.assetid: 99340252-60be-4c79-b0a5-56fbe1a9b0c5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/19/2017 +ms.technology: mde --- # User Rights Assignment @@ -69,6 +70,7 @@ The following table links to each security policy setting and provides the const | [Manage auditing and security log](manage-auditing-and-security-log.md)| SeSecurityPrivilege| | [Modify an object label](modify-an-object-label.md) | SeRelabelPrivilege| | [Modify firmware environment values](modify-firmware-environment-values.md)| SeSystemEnvironmentPrivilege| +| [Obtain an impersonation token for another user in the same session](impersonate-a-client-after-authentication.md) | SeDelegateSessionUserImpersonatePrivilege| | [Perform volume maintenance tasks](perform-volume-maintenance-tasks.md) | SeManageVolumePrivilege| | [Profile single process](profile-single-process.md) | SeProfileSingleProcessPrivilege| | [Profile system performance](profile-system-performance.md) | SeSystemProfilePrivilege| @@ -78,6 +80,7 @@ The following table links to each security policy setting and provides the const | [Shut down the system](shut-down-the-system.md) | SeShutdownPrivilege| | [Synchronize directory service data](synchronize-directory-service-data.md)| SeSyncAgentPrivilege| | [Take ownership of files or other objects](take-ownership-of-files-or-other-objects.md) | SeTakeOwnershipPrivilege| + ## Related topics diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 58051a41aa..db7887046c 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -5,13 +5,14 @@ ms.assetid: 733263E5-7FD1-45D2-914A-184B9E3E6A3F ms.reviewer: manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: dulcemontemayor ms.date: 02/28/2019 ms.localizationpriority: medium +ms.technology: mde --- # Use Windows Event Forwarding to help with intrusion detection diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index 5ce47adcb7..2e7e17d540 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md @@ -6,13 +6,14 @@ ms.reviewer: manager: dansimp ms.author: dansimp keywords: data protection, encryption, malware resistance, smartphone, device, Microsoft Store -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile ms.localizationpriority: medium author: dulcemontemayor ms.date: 10/13/2017 +ms.technology: mde --- # Windows 10 Mobile security guide diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 7ec755da77..9a6947372a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -1,9 +1,9 @@ --- title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10) description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 10/30/2019 +ms.technology: mde --- # Allow Line-of-Business Win32 Apps on Intune-Managed S Mode Devices diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 79c0d8087a..81a97e652b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -21,6 +21,12 @@ ##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) ##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) ##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md) +##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) +#### [Using the WDAC Wizard tool](wdac-wizard.md) +##### [Create a base WDAC policy with the Wizard](wdac-wizard-create-base-policy.md) +##### [Create a supplemental WDAC policy with the Wizard](wdac-wizard-create-supplemental-policy.md) +##### [Editing a WDAC policy with the Wizard](wdac-wizard-editing-policy.md) +##### [Merging multiple WDAC policies with the Wizard](wdac-wizard-merging-policies.md) ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index fd016ed909..1a451b7545 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -1,9 +1,9 @@ --- title: Allow COM object registration in a WDAC policy (Windows 10) description: You can allow COM object registration in a Windows Defender Application Control policy. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/21/2019 +ms.technology: mde --- # Allow COM object registration in a Windows Defender Application Control policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index f762644195..aafd72be3d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to update your existi ms.assetid: 758c2a9f-c2a3-418c-83bc-fd335a94097f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Add rules for packaged apps to existing AppLocker rule-set diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 8730c6c545..28e35129ba 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -4,7 +4,7 @@ description: This topic for IT professionals provides links to specific procedur ms.assetid: 511a3b6a-175f-4d6d-a6e0-c1780c02e818 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 02/28/2019 +ms.technology: mde --- # Administer AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index f7a0f16873..04a1ea12ad 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -4,7 +4,7 @@ description: This topic for IT professional describes AppLocker’s basic archit ms.assetid: efdd8494-553c-443f-bd5f-c8976535135a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker architecture and components diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index 277bc78753..3e9ab04bfc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -4,7 +4,7 @@ description: This article for the IT professional lists the functions and securi ms.assetid: bf704198-9e74-4731-8c5a-ee0512df34d2 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker functions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index b7d7885b7f..b7dcbcddd8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -4,7 +4,7 @@ description: This topic provides a description of AppLocker and can help you dec ms.assetid: 94b57864-2112-43b6-96fb-2863c985dc9a ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/16/2017 +ms.technology: mde --- # AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index e92450d695..60bc44e368 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -4,7 +4,7 @@ description: This topic for IT professionals introduces the concepts and describ ms.assetid: 38632795-be13-46b0-a7af-487a4340bea1 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index d723d9a054..960362fe53 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -4,7 +4,7 @@ description: This topic for the IT professional introduces the design and planni ms.assetid: 1c8e4a7b-3164-4eb4-9277-11b1d5a09c7b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker design guide diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 3e660d6659..897753b906 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists the various application co ms.assetid: 33f71578-89f0-4063-ac04-cf4f4ca5c31f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker policy use scenarios diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index de1860a1a6..0ffdf6a6e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the process dependenci ms.assetid: 0beec616-6040-4be7-8703-b6c919755d8e ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker processes and interactions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index f289a40fe7..56d2fcb24d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists the settings used by AppLo ms.assetid: 9cb4aa19-77c0-4415-9968-bd07dab86839 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker settings diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index 031ce25230..db60e0f7bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -4,7 +4,7 @@ description: This overview topic for IT professionals provides links to the topi ms.assetid: 2b2678f8-c46b-4e1d-b8c5-037c0be255ab ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # AppLocker technical reference diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 2dd978d52b..8995d1c8cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to set AppLocker poli ms.assetid: 10bc87d5-cc7f-4500-b7b3-9006e50afa50 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 06/08/2018 +ms.technology: mde --- # Configure an AppLocker policy for audit only diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index 36cce5baec..1f3d8928cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to enable the A ms.assetid: 5dbbb290-a5ae-4f88-82b3-21e95972e66c ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Configure an AppLocker policy for enforce rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index dfb7c8814a..fea958441d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to specify whic ms.assetid: d15c9d84-c14b-488d-9f48-bf31ff7ff0c5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Add exceptions for an AppLocker rule diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index a3a2d593bb..9b81e3d6fe 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the steps to create an ms.assetid: 034bd367-146d-4956-873c-e1e09e6fefee ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Configure the AppLocker reference device diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 488a8cc411..610728b4d6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -5,7 +5,7 @@ ms.assetid: dc469599-37fd-448b-b23e-5b8e4f17e561 ms.reviewer: ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/02/2018 +ms.technology: mde --- # Configure the Application Identity service diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index 619e173000..e7c76c7e98 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -4,7 +4,7 @@ description: This article for IT professionals shows how to create an AppLocker ms.assetid: e4ffd400-7860-47b3-9118-0e6853c3dfa0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule for packaged apps diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index f7689c76f7..c68870383e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -4,7 +4,7 @@ description: This topic for IT professionals shows how to create an AppLocker ru ms.assetid: eb3b3524-1b3b-4979-ba5a-0a0b1280c5c7 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule that uses a file hash condition diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 728693dc35..fd4ebfd86a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -4,7 +4,7 @@ description: This topic for IT professionals shows how to create an AppLocker ru ms.assetid: 9b2093f5-5976-45fa-90c3-da1e0e845d95 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule that uses a path condition diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 5a875b4b84..f7f9061767 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -4,7 +4,7 @@ description: This topic for IT professionals shows how to create an AppLocker ru ms.assetid: 345ad45f-2bc1-4c4c-946f-17804e29f55b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a rule that uses a publisher condition diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 4bf66b9c31..8e818f8d12 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to create a sta ms.assetid: 21e9dc68-a6f4-4ebe-ac28-4c66a7ab6e18 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create AppLocker default rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 24ab242eb1..9d57825f8a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -4,7 +4,7 @@ description: This topic describes the process of gathering app usage requirement ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create a list of apps deployed to each business group diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index 4cb2f24434..d0a53377ec 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -4,7 +4,7 @@ description: This overview topic for the IT professional describes the steps to ms.assetid: d339dee2-4da2-4d4a-b46e-f1dfb7cb4bf0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create Your AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 6d75ecfc99..dd866880d3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes what you need to know ms.assetid: b684a3a5-929c-4f70-8742-04088022f232 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Create Your AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index a63318645f..80c31abf85 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -4,7 +4,7 @@ description: This article for IT professionals describes the steps to delete an ms.assetid: 382b4be3-0df9-4308-89b2-dcf9df351eb5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 11/09/2020 +ms.technology: mde --- # Delete an AppLocker rule diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 65374479fc..bd480092c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to deploy AppLo ms.assetid: fd3a3d25-ff3b-4060-8390-6262a90749ba ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Deploy AppLocker policies by using the enforce rules setting diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 058e736230..64f60860f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the tasks that should ms.assetid: ebbb1907-92dc-499e-8cee-8e637483c9ae ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Deploy the AppLocker policy into production diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index e03376d487..fdeb9db2dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -4,7 +4,7 @@ description: This overview topic describes the process to follow when you are pl ms.assetid: f435fcbe-c7ac-4ef0-9702-729aab64163f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Determine the Group Policy structure and rule enforcement diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index 099c30bac7..a0770cfdb3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes how to use AppLocker l ms.assetid: 24609a6b-fdcb-4083-b234-73e23ff8bcb8 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Determine which apps are digitally signed on a reference device diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index dd86101ae7..516f7eaff2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -4,7 +4,7 @@ description: Determine which applications to control and how to control them by ms.assetid: 0e84003e-6095-46fb-8c4e-2065869bb53b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Determine your application control objectives diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index f87c93e451..4f89790b1c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -5,7 +5,7 @@ ms.assetid: 9a2534a5-d1fa-48a9-93c6-989d4857cf85 ms.reviewer: ms.author: dansimp ms.pagetype: security -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Display a custom URL message when users try to run a blocked app diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index be5c338598..aec41fda97 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: a083fd08-c07e-4534-b0e7-1e15d932ce8f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # DLL rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 0e40237b7b..7c80353023 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -4,7 +4,7 @@ description: This planning topic describes what you need to investigate, determi ms.assetid: 389ffa8e-11fc-49ff-b0b1-89553e6fb6e5 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium @@ -15,6 +15,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.pagetype: security ms.date: 09/21/2017 +ms.technology: mde --- # Document the Group Policy structure and AppLocker rule enforcement diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index c43cf96fee..64318e0bd7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -4,7 +4,7 @@ description: This planning topic describes the app information that you should d ms.assetid: b155284b-f75d-4405-aecf-b74221622dc0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Document your app list diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 9f6e032b66..1000876fbf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -4,7 +4,7 @@ description: Learn how to document your AppLocker rules and associate rule condi ms.assetid: 91a198ce-104a-45ff-b49b-487fb40cd2dd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Document your AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 03b04a1190..9865b4a5d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps required to mod ms.assetid: dbc72d1f-3fe0-46c2-aeeb-96621fce7637 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Edit an AppLocker policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index 028a8237bc..9fba4220b8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to edit a publi ms.assetid: 80016cda-b915-46a0-83c6-5e6b0b958e32 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Edit AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index 575de45499..33f8fc5205 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to enable the D ms.assetid: 88ef9561-6eb2-491a-803a-b8cdbfebae27 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Enable the DLL rule collection diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index b396db1cfb..977c71d0cf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to enforce applicatio ms.assetid: e1528b7b-77f2-4419-8e27-c9cc3721d96d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Enforce AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index ffdc7ace8c..13e0194acf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: 65e62f90-6caa-48f8-836a-91f8ac9018ee ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Executable rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 0443b67c6b..6f17980018 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to export an Ap ms.assetid: 7db59719-a8be-418b-bbfd-22cf2176c9c0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Export an AppLocker policy from a GPO diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index 6856386f4a..a2c2fda488 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to export an Ap ms.assetid: 979bd23f-6815-478b-a6a4-a25239cb1080 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Export an AppLocker policy to an XML file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index b4adeb4b33..6e4827d32a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -4,7 +4,7 @@ description: This topic for the IT professional provides links to topics about A ms.assetid: 24bb1d73-0ff5-4af7-8b8a-2fa44d4ddbcd ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # How AppLocker works diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index eaa7c7aa78..572410407e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to import an AppLocke ms.assetid: b48cb2b2-8ef8-4cc0-89bd-309d0b1832f6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Import an AppLocker policy from another computer diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index ac5ac53cd5..10cdc3f2c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to import an Ap ms.assetid: 0629ce44-f5e2-48a8-ba47-06544c73261f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Import an AppLocker policy into a GPO diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 3e7f0169c7..67545f9094 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -4,7 +4,7 @@ description: Learn how to maintain rules within AppLocker policies. View common ms.assetid: b4fbfdfe-ef3d-49e0-a390-f2dfe74602bc ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -14,6 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual +ms.technology: mde --- # Maintain AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index e33dc7ed87..fc27d49a00 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -4,7 +4,7 @@ description: Learn concepts and lists procedures to help you manage packaged app ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Manage packaged apps with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 47c7db9884..ffe44d7fae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to merge AppLoc ms.assetid: f1c7d5c0-463e-4fe2-a410-844a404f18d0 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Merge AppLocker policies by using Set-ApplockerPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index f40ead0fc0..7567707461 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to manually mer ms.assetid: 3605f293-e5f2-481d-8efd-775f9f23c30f ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Merge AppLocker policies manually diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index d0aa573b21..56d201be4e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to monitor app usage ms.assetid: 0516da6e-ebe4-45b4-a97b-31daba96d1cf ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Monitor app usage with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index d669f7c890..e050d78690 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how to optimize AppLocker ms.assetid: a20efa20-bc98-40fe-bd81-28ec4905e0f6 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Optimize AppLocker performance diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 1057121e64..5889dda71b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker rule collection for packaged app ms.assetid: 8fd44d08-a0c2-4c5b-a91f-5cb9989f971d ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/13/2017 +ms.technology: mde --- # Packaged apps and packaged app installer rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 35e51ee350..7bdb71f127 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -4,7 +4,7 @@ description: This topic for describes the decisions you need to make to establis ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Plan for AppLocker policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index 9e6a10f475..462a865a4f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to force an upd ms.assetid: 3f24fcbc-3926-46b9-a1a2-dd036edab8a9 ms.reviewer: ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Refresh an AppLocker policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 1d132ac242..acabab7d69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -4,7 +4,7 @@ description: This deployment topic for the IT professional lists the requirement ms.assetid: 3e55bda2-3cd7-42c7-bad3-c7dfbe193d48 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Requirements for deploying AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 42347224a4..0b4fd786bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional lists software requirements to u ms.assetid: dc380535-071e-4794-8f9d-e5d1858156f0 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Requirements to use AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index a87df1bc69..da19e309e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes steps to run the wizard t ms.assetid: 8cad1e14-d5b2-437c-8f88-70cffd7b3d8e ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Run the Automatically Generate Rules wizard diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 1854e961d1..db4968297c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: fee24ca4-935a-4c5e-8a92-8cf1d134d35f ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Script rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 02e8dd5393..92928f7068 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the security considera ms.assetid: 354a5abb-7b31-4bea-a442-aa9666117625 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Security considerations for AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 4daacad66d..174e5d8a77 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -4,7 +4,7 @@ description: This topic lists resources you can use when selecting your applicat ms.assetid: 14751169-0ed1-47cc-822c-8c01a7477784 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Select the types of rules to create diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index 00511d0f23..fd78e7c563 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes the steps to test an AppL ms.assetid: 048bfa38-6825-4a9a-ab20-776cf79f402a ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Test an AppLocker policy by using Test-AppLockerPolicy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 6306c10479..2027085b0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -4,7 +4,7 @@ description: This topic discusses the steps required to test an AppLocker policy ms.assetid: 7d53cbef-078c-4d20-8b00-e821e33b6ea1 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Test and update an AppLocker policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 974a0000cc..51d801a909 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the tools available to ms.assetid: db2b7cb3-7643-4be5-84eb-46ba551e1ad1 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Tools to use with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 0cd67f03d8..cbd1b7c62e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -4,7 +4,7 @@ description: This topic describes the AppLocker enforcement settings for rule co ms.assetid: 48773007-a343-40bf-8961-b3ff0a450d7e ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understand AppLocker enforcement settings diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index a8bfeff845..95dcad5fe6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -4,7 +4,7 @@ description: Review some common considerations while you are planning to use App ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 10/13/2017 +ms.technology: mde --- # Understand AppLocker policy design decisions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index ce6f6d4292..5350f5c843 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes how application contro ms.assetid: c1c5a3d3-540a-4698-83b5-0dab5d27d871 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understand AppLocker rules and enforcement setting inheritance in Group Policy diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 5e0c80b55d..0f909bdf3d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -4,7 +4,7 @@ description: This planning and deployment topic for the IT professional describe ms.assetid: 4cfd95c1-fbd3-41fa-8efc-d23c1ea6fb16 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understand the AppLocker policy deployment process diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index f9cdae7831..941aa4f30d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -4,7 +4,7 @@ description: This topic explains the differences between allow and deny actions ms.assetid: ea0370fa-2086-46b5-a0a4-4a7ead8cbed9 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker allow and deny actions on rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 02228d1867..e9e449b52e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -4,7 +4,7 @@ description: This topic for IT professional describes the set of rules that can ms.assetid: bdb03d71-05b7-41fb-96e3-a289ce1866e1 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker default rules diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index cbb7806a6b..041eee8f69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -4,7 +4,7 @@ description: This topic describes how AppLocker rules are enforced by using the ms.assetid: 3e2738a3-8041-4095-8a84-45c1894c97d0 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule behavior diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index 0392b51405..319c895fd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -4,7 +4,7 @@ description: This topic explains the five different types of AppLocker rules use ms.assetid: 03c05466-4fb3-4880-8d3c-0f6f59fc5579 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule collections diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 44c123c7a2..8dfb91c58e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes the three types of App ms.assetid: c21af67f-60a1-4f7d-952c-a6f769c74729 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule condition types diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index 9420c1f20f..eb3084b691 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -4,7 +4,7 @@ description: This topic describes the result of applying AppLocker rule exceptio ms.assetid: e6bb349f-ee60-4c8d-91cd-6442f2d0eb9c ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding AppLocker rule exceptions diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index b0e028c79d..7a8bfc63d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker file hash rule condition, the adv ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding the file hash rule condition in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 95863340c0..057a3dabde 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker path rule condition, the advantag ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding the path rule condition in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 73bd0d992a..8636e3b8dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -4,7 +4,7 @@ description: This topic explains the AppLocker publisher rule condition, what co ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Understanding the publisher rule condition in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index f051177f0c..72eea2c6c1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -1,9 +1,9 @@ --- -title: "Use a reference device to create and maintain AppLocker policies (Windows 10)" +title: Use a reference device to create and maintain AppLocker policies (Windows 10) description: This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. ms.assetid: 10c3597f-f44c-4c8e-8fe5-105d4ac016a6 ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 ms.reviewer: +ms.technology: mde --- # Use a reference device to create and maintain AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 4e49ccf26f..b6018803fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes concepts and procedures t ms.assetid: 2b7e0cec-df62-49d6-a2b7-6b8e30180943 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Use AppLocker and Software Restriction Policies in the same domain diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 58edb0059e..65ade4ae02 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -4,7 +4,7 @@ description: This topic for IT professionals describes how each AppLocker Window ms.assetid: 374e029c-5c0a-44ab-a57a-2a9dd17dc57d ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Use the AppLocker Windows PowerShell cmdlets diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 78c04357c6..7895373d6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -4,7 +4,7 @@ description: This topic lists AppLocker events and describes how to use Event Vi ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Using Event Viewer with AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 1dd5197ddd..5e34495965 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes how to use Software Re ms.assetid: c3366be7-e632-4add-bd10-9df088f74c6d ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Use Software Restriction Policies and AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index eab62e36b7..5e8f5b2efb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -4,7 +4,7 @@ description: This topic for the IT professional describes what AppLocker is and ms.assetid: 44a8a2bb-0f83-4f95-828e-1f364fb65869 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # What Is AppLocker? diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 50fff5a7b2..77b78c5a84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -4,7 +4,7 @@ description: This topic describes the file formats and available default rules f ms.assetid: 3fecde5b-88b3-4040-81fa-a2d36d052ec9 ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Windows Installer rules in AppLocker diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 2bde016bc2..276960c4b0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -4,7 +4,7 @@ description: This topic for IT professionals provides links to procedural topics ms.assetid: 7062d2e0-9cbb-4cb8-aa8c-b24945c3771d ms.reviewer: ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 09/21/2017 +ms.technology: mde --- # Working with AppLocker policies diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 1b92efcccf..67910704f3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -5,14 +5,15 @@ ms.assetid: 3966b35b-f2da-4371-8b5f-aec031db6bc9 ms.reviewer: manager: dansimp ms.author: macapara -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: mjcaparas +author: dansimp ms.localizationpriority: medium msauthor: v-anbic ms.date: 08/27/2018 +ms.technology: mde --- # Working with AppLocker rules diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index c5f703e0aa..c35dfc5108 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Audit Windows Defender Application Control policies (Windows 10) description: Audits allow admins to discover apps that were missed during an initial policy scan and to identify new apps that were installed since the policy was created. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Audit Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index b7f98f9949..91186d9798 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -1,9 +1,9 @@ --- title: Configure a WDAC managed installer (Windows 10) description: Explains how to configure a custom Manged Installer. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/14/2020 +ms.technology: mde --- # Configuring a managed installer with AppLocker and Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index da15b10af4..f3b993cbc0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -1,9 +1,9 @@ --- title: Create a code signing cert for Windows Defender Application Control (Windows 10) description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 +ms.technology: mde --- # Optional: Create a code signing cert for Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index d755422a84..37cb5bd513 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,9 +1,9 @@ --- title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10) description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Create a WDAC policy for fixed-workload devices using a reference computer diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 8b4a0fa4ff..bec0d684e1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -1,10 +1,10 @@ --- title: Create a WDAC policy for fully-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. -keywords: security, malware +keywords: security, malware ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/20/2019 +ms.technology: mde --- # Create a WDAC policy for fully-managed devices diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 89cecfc78b..85a6d9cfdc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -1,10 +1,10 @@ --- title: Create a WDAC policy for lightly-managed devices (Windows 10) description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core. -keywords: security, malware +keywords: security, malware ms.topic: conceptual ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/15/2019 +ms.technology: mde --- # Create a WDAC policy for lightly-managed devices diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 3abf426167..9dd3b2efa3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -1,9 +1,9 @@ --- title: Deploy catalog files to support Windows Defender Application Control (Windows 10) description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 +ms.technology: mde --- # Deploy catalog files to support Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 31c3deaf6b..d52c5a2d88 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Use multiple Windows Defender Application Control Policies (Windows 10) description: Windows Defender Application Control supports multiple code integrity policies for one device. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/13/2020 +ms.technology: mde --- # Use multiple Windows Defender Application Control Policies diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index 9151364753..4246d0b428 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -1,9 +1,9 @@ --- title: Deploy WDAC policies via Group Policy (Windows 10) description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/28/2018 +ms.technology: mde --- # Deploy Windows Defender Application Control policies by using Group Policy diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 651222522b..8eb3de7a42 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -1,9 +1,9 @@ --- title: Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) description: You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 04/29/2020 +ms.technology: mde --- # Deploy Windows Defender Application Control policies by using Microsoft Intune diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 9b387d559d..a84b17e822 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Disable Windows Defender Application Control policies (Windows 10) description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Disable Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 9d9abf86c3..86bf4600dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10) description: Learn how to test a Windows Defender Application Control (WDAC) policy in enforced mode by following these steps in an elevated Windows PowerShell session. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Enforce Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 444430a762..b464707f61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -1,9 +1,9 @@ --- title: Understanding Application Control event IDs (Windows 10) description: Learn what different Windows Defender Application Control event IDs signify. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 3/17/2020 +ms.technology: mde --- # Understanding Application Control events diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 455177e5c9..6ee1d70486 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -1,9 +1,9 @@ --- title: Understanding Application Control event tags (Windows 10) description: Learn what different Windows Defender Application Control event tags signify. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 8/27/2020 +ms.technology: mde --- # Understanding Application Control event tags diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 293ed79adc..e6ce58fcd0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -1,10 +1,10 @@ --- title: Example WDAC base policies (Windows 10) description: When creating a WDAC policy for an organization, start from one of the many available example base policies. -keywords: security, malware +keywords: security, malware ms.topic: article ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 11/15/2019 +ms.technology: mde --- # Windows Defender Application Control example base policies diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 638d0f40cd..bf9cd09f77 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md +++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -1,9 +1,9 @@ --- title: Feature Availability description: Compare WDAC and AppLocker feature availability. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.author: deniseb manager: dansimp ms.date: 04/15/2020 ms.custom: asr +ms.technology: mde --- # WDAC and AppLocker feature availability diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png new file mode 100644 index 0000000000..17ab235dc3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-confirm-base-policy-modification.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png new file mode 100644 index 0000000000..a285f6a6bc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-file-attribute-rule.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png new file mode 100644 index 0000000000..0a8e9e6259 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-custom-publisher-rule.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png new file mode 100644 index 0000000000..fbbad28cf2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-policy-rules.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png new file mode 100644 index 0000000000..74cf1a5f45 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-edit-remove-file-rule.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png new file mode 100644 index 0000000000..13d3a31cec Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-merge.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png new file mode 100644 index 0000000000..de3197aabb Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI-advanced-collapsed.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png new file mode 100644 index 0000000000..c8792c45c7 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-rule-options-UI.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png new file mode 100644 index 0000000000..d595591525 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-expandable.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png new file mode 100644 index 0000000000..0f28e5f409 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-base.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png new file mode 100644 index 0000000000..67df953a08 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-not-expandable.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png new file mode 100644 index 0000000000..53b924fcd9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-supplemental-policy-rule-options-UI.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png new file mode 100644 index 0000000000..d523a7f6b0 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-template-selection.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 0c2cbcf366..4d5cd8178f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -1,9 +1,9 @@ --- title: Manage packaged apps with WDAC (Windows 10) description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/29/2020 +ms.technology: mde --- # Manage Packaged Apps with Windows Defender Application Control diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index 8437b48c3c..97f364c353 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -1,9 +1,9 @@ --- title: Merge Windows Defender Application Control policies (Windows 10) description: Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. Learn how with this guide. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Merge Windows Defender Application Control policies diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 620cfbcd0b..33c5abdbce 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -1,9 +1,9 @@ --- title: Microsoft recommended block rules (Windows 10) -description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. -keywords: security, malware +description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 04/09/2019 +ms.technology: mde --- # Microsoft recommended block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 7d56cdbe9e..3c8a72ac23 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -1,9 +1,9 @@ --- title: Microsoft recommended driver block rules (Windows 10) -description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. -keywords: security, malware, kernel mode, driver +description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community. +keywords: security, malware, kernel mode, driver ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 10/15/2020 +ms.technology: mde --- # Microsoft recommended driver block rules diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index b64d307ca9..13d6752759 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -1,9 +1,9 @@ --- title: Plan for WDAC policy management (Windows 10) description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 02/21/2018 +ms.technology: mde --- # Plan for Windows Defender Application Control lifecycle policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index 1e729211c5..ed001ad80e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -1,9 +1,9 @@ --- title: Query Application Control events with Advanced Hunting (Windows 10) description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 12/06/2018 +ms.technology: mde --- # Querying Application Control events centrally using Advanced hunting diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 134df74024..b692c51861 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -1,9 +1,9 @@ --- title: Understand WDAC policy rules and file rules (Windows 10) description: Learn how Windows Defender Application Control provides control over a computer running Windows 10 by using policies that include policy rules and file rules. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/04/2020 +ms.technology: mde --- # Understand WDAC policy rules and file rules diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 91a81e3359..936314d342 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -3,7 +3,7 @@ title: Policy creation for common WDAC usage scenarios (Windows 10) description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/01/2018 +ms.technology: mde --- # Windows Defender Application Control deployment in different scenarios: types of devices diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index ae0cd53f63..9443134723 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -1,10 +1,10 @@ --- title: Understand Windows Defender Application Control policy design decisions (Windows 10) -description: Understand Windows Defender Application Control policy design decisions. -keywords: security, malware +description: Understand Windows Defender Application Control policy design decisions. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb manager: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp ms.date: 02/08/2018 +ms.technology: mde --- # Understand Windows Defender Application Control policy design decisions diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index f49176ee48..8e289e4bf3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -1,9 +1,9 @@ --- title: Use code signing to simplify application control for classic Windows applications (Windows 10) description: With embedded signing, your WDAC policies typically do not have to be updated when an app is updated. To set this up, you can choose from a variety of methods. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Use code signing to simplify application control for classic Windows applications diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 766037be4b..4703d016ee 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -4,7 +4,7 @@ description: You can sign code integrity policies with the Device Guard signing keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ author: jsuther1974 ms.reviewer: isbrahm manager: dansimp ms.date: 02/19/2019 +ms.technology: mde --- # Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index f5a09fc5c6..c951c3b825 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -1,9 +1,9 @@ --- title: Use signed policies to protect Windows Defender Application Control against tampering (Windows 10) -description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. -keywords: security, malware +description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 05/03/2018 +ms.technology: mde --- # Use signed policies to protect Windows Defender Application Control against tampering diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index fc7de322fe..5392e5253b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -5,7 +5,7 @@ keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb manager: dansimp ms.author: dansimp -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.collection: M365-security-compliance author: jsuther1974 ms.reviewer: isbrahm ms.date: 05/03/2018 +ms.technology: mde --- # Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 5490ef7a77..9670e64011 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,9 +1,9 @@ --- title: Windows Defender Application Control and .NET Hardening (Windows 10) description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. -keywords: security, malware +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/20/2018 +ms.technology: mde --- # Windows Defender Application Control and .NET hardening diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 5b14874133..089a7ea67f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -3,7 +3,7 @@ title: Authorize reputable apps with the Intelligent Security Graph (ISG) (Windo description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 03/10/2020 +ms.technology: mde --- # Authorize reputable apps with the Intelligent Security Graph (ISG) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index d6810894b4..c3397bfba4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -1,9 +1,9 @@ --- title: Authorize apps deployed with a WDAC managed installer (Windows 10) -description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. -keywords: security, malware +description: Explains how you can use a managed installer to automatically authorize applications deployed and installed by a designated software distribution solution, such as Microsoft Endpoint Configuration Manager. +keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -15,6 +15,7 @@ ms.reviewer: isbrahm ms.author: dansimp manager: dansimp ms.date: 08/14/2020 +ms.technology: mde --- # Authorize apps deployed with a WDAC managed installer diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index 9fe4c819a1..03f0eb6f0d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -3,7 +3,7 @@ title: WDAC and AppLocker Overview description: Compare Windows application control technologies. keywords: security, malware, allow-list, block-list ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb -ms.prod: w10 +ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -16,6 +16,7 @@ ms.author: deniseb manager: dansimp ms.date: 09/30/2020 ms.custom: asr +ms.technology: mde --- # Windows Defender Application Control and AppLocker Overview diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md new file mode 100644 index 0000000000..46ef9319e7 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -0,0 +1,139 @@ +--- +title: Windows Defender Application Control Wizard Base Policy Creation +description: Creating new base application control policies with the Microsoft Windows Defender Application (WDAC) Wizard. +keywords: allow listing, block listing, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: jgeurten +ms.reviewer: isbrahm +ms.author: dansimp +manager: dansimp +ms.topic: conceptual +ms.date: 10/14/2020 +ms.technology: mde +--- + +# Creating a new Base Policy with the Wizard + +**Applies to** +- Windows 10 +- Windows Server 2016 and above + +When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. + + +## Template Base Policies + +Each of the template policies has a unique set of policy allow list rules that will affect the circle-of-trust and security model of the policy. The following table lists the policies in increasing order of trust and freedom. For instance, the Default Windows mode policy trusts fewer application publishers and signers than the Signed and Reputable mode policy. The Default Windows policy will have a smaller circle-of-trust with better security than the Signed and Reputable policy, but at the expense of compatibility. + + +| Template Base Policy | Description | +|---------------------------------|-------------------------------------------------------------------| +| **Default Windows Mode** | Default Windows mode will authorize the following components:
-[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog. -[What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server. -[Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features. -[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10. -[Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. -[What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses. -[What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features. -[Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features. -[Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed. + - [What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog. + - [What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog. + - [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server. + - [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features. + - [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10. + - [Start developing on Windows 10, version 2004 today](https://blogs.windows.com/windowsdeveloper/2020/05/12/start-developing-on-windows-10-version-2004-today/): New and updated features in Windows 10 that are of interest to developers. + - [What's new for business in Windows 10 Insider Preview Builds](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-whats-new): A preview of new features for businesses. + - [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features. + - [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features. + - [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed. |
