updates based on sync with Naama

This commit is contained in:
Joey Caparas
2016-07-28 18:25:04 +10:00
parent 82c109414f
commit c76113fd9e
7 changed files with 50 additions and 43 deletions

View File

@ -683,7 +683,6 @@
### [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
#### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
@ -711,6 +710,7 @@
##### [Configure HP ArcSight to consume Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md)
### [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
#### [Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
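Review bot: the moved `Windows Defender compatibility` entry now lands at the tail of the troubleshooting cluster (after `Review events and errors on endpoints with Event Viewer`), but the topic describes a prerequisite behaviour, Windows Defender dropping into passive mode when a third-party antimalware client is present, that the `Minimum requirements` topic cross-references elsewhere in this commit. Consider placing it directly after `Minimum requirements` instead, so the reader meets it before onboarding rather than while troubleshooting.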

View File

@ -44,6 +44,7 @@ author: mjcaparas
9. Click **OK** and close any open GPMC windows.
## Additional Windows Defender ATP configuration settings
For each endpoint, you can state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
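Review bot: the added sentence (`For each endpoint, you can state whether samples can be collected ...`) and the existing line after it (`You can use Group Policy (GP) to configure settings, such as settings for the sample sharing ...`) say the same thing twice under two names for the feature, "sample collection" and "sample sharing". Merge them into one sentence and pick one term; the registry value this commit renames to `AllowSampleCollection` argues for "sample collection" throughout. The same sentence is also pasted verbatim into the SCCM and manual-onboarding topics in this commit, so if it must live in three files, keep the wording identical to stop them drifting apart later.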
@ -65,6 +66,9 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa
6. Choose to enable or disable sample sharing from your endpoints.
>[!NOTE]
> If you don't set a value, the default value is to enable sample collection.
### Offboard endpoints
For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name.
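Review bot: the new NOTE (`If you don't set a value, the default value is to enable sample collection`) states a security-relevant default without saying what it implies: with no GP value set, a portal user who requests deep analysis can have files pulled off any onboarded endpoint. Say that plainly and link the `Data storage and privacy` topic already in the TOC, so a reader deciding whether to keep the default knows where those files go. In the `Offboard endpoints` paragraph, `packages expiry date` should be `package's expiry date`, and `For security reasons` is too vague to help anyone; either state what the 30-day expiry and the rejection of expired packages are meant to prevent, or drop the phrase.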

View File

@ -49,20 +49,20 @@ You can use System Center Configuration Managers existing functionality to cr
a. Choose a predefined device collection to deploy the package to.
### Configure sample collection settings
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on an endpoint.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
The configuration is set through the following registry key entry:
```
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "SampleSharing"
Name: "AllowSampleCollection"
Value: 0 or 1
```
Where:<br>
Name type is a D-WORD. <br>
Key type is a D-WORD. <br>
Possible values are:
- 0 - doesn't allow sample sharing from this endpoint
- 1 - allows sharing of all file types from this endpoint
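Review bot: `Key type is a D-WORD` is wrong on two counts: the type belongs to the value (`AllowSampleCollection`), not to the key, and the registry type is `DWORD` (REG_DWORD), not `D-WORD`; write `Value type: DWORD`. Also in this hunk: `make sure theyre complaint` should read `make sure they're compliant`; the `Path:` line uses curly quotes (`“HKLM\SOFTWARE\Policies\...”`) inside a code block, which break when pasted into a configuration item, so use straight quotes or none; and after renaming the value to `AllowSampleCollection`, the surrounding text still calls it the `sample share setting` and describes the values as `doesn't allow sample sharing` / `allows sharing of all file types`, so update those to match the new name.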

View File

@ -38,15 +38,15 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You
For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
You can manually configure the sample sharing setting on the endpoint by using *regedit* or creating and running a *.reg* file.
The configuration is set through the following registry key entry:
```
Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection”
Name: "SampleSharing"
Name: "AllowSampleCollection"
Value: 0 or 1
```
Where:<br>
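Review bot: `For for information on how you can manually validate ... see, [Troubleshoot ...]` has a doubled `For` and the comma on the wrong side of `see`. The registry block repeats the SCCM topic's problems: curly quotes around the path inside a code block, and the rename to `AllowSampleCollection` leaving `sample sharing setting` in the sentence above it while the heading already says `Configure sample collection settings`. The `.reg` file route also needs one sentence on verification, because a `.reg` file with a typo in the path or value name imports without error and simply has no effect; the troubleshooting topic this hunk links is the natural place to send the reader to confirm the value took.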

View File

@ -15,8 +15,11 @@ author: mjcaparas
**Applies to:**
- Windows 10, version 1607
- Windows Defender
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
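Review bot: `the *mspeng.exe* process will be listed as a running a service` is garbled (`listed as running as a service`), and the process name should be checked before publishing: the Windows Defender antimalware service executable is MsMpEng.exe, so a reader looking for `mspeng.exe` in the process list will not find it. The paragraph also explains passive mode only from the endpoint's side; since the first sentence says the ATP agent depends on Windows Defender `for some capabilities such as file scanning`, state which of those capabilities are lost or reduced in passive mode, or say explicitly that none are.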
@ -24,5 +27,3 @@ Windows Defender will continue to receive updates, and the *mspeng.exe* process
The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
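Review bot: the link `windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection` has a space after `#`, so the fragment will not resolve and the reader lands at the top of the page or on a broken link, depending on the renderer; remove the space. The same broken anchor is pasted into the minimum-requirements topic later in this commit.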

View File

@ -68,14 +68,14 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
<tr>
<td>4</td>
<td>Windows Defender Advanced Threat Protection service contacted the server at ```variable```.</td>
<td>variable = URL of the Windows Defender ATP processing servers.<br>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
This URL will match that seen in the Firewall or network activity.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>5</td>
<td>Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```.</td>
<td>variable = URL of the Windows Defender ATP processing servers.<br>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity).</td>
</tr>
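Review bot: the action cell for event 5 links to `#configure-proxy-and-Internet-connectivity` with a capital `I`; generated heading anchors are lower-case, so this should be `#configure-proxy-and-internet-connectivity` (the same applies to event 15 below). The `variable` to `Variable` change is fine, but `This URL will match that seen in the Firewall or network activity` should say where to look, for example the endpoint's firewall or proxy logs, since the point of event 4 is letting an analyst confirm the sensor's outbound destination.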
@ -138,7 +138,7 @@ It may take several hours for the endpoint to appear in the portal.</td>
<tr>
<td>15</td>
<td>Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```.</td>
<td>variable = URL of the Windows Defender ATP processing servers.<br>
<td>Variable = URL of the Windows Defender ATP processing servers.<br>
The service could not contact the external processing servers at that URL.</td>
<td>Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity).</td>
</tr>
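Review bot: event 15's action links to the in-page anchor `#configure-proxy-and-Internet-connectivity`, while event 5 above links to the same heading in the onboarding-troubleshooting topic; the two should point at the same place, and both fragments need lower-casing. Events 5 and 15 also carry identical `what it means` text (`The service could not contact the external processing servers at that URL`) although one is a failed server connection and the other a failed command channel; a sentence on how they differ, or that they are handled the same way, would help an analyst deciding whether to escalate.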
@ -246,44 +246,38 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
<tr>
<td>36</td>
<td>Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```.</td>
<td>
</td>
<td></td>
<td>Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>37</td>
<td>Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4.</td>
<td>
</td>
<td></td>
<td>The machine has almost used its allocated quota of the current 24-hour window. Its about to be throttled.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>38</td>
<td>Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
<td>
</td>
<td></td>
<td>The machine is using a metered/paid network and will be contacting the server less frequently.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>39</td>
<td>Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4.</td>
<td>
</td>
<td></td>
<td>The machine is not using a metered/paid connection and will contact the server as usual.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>40</td>
<td>Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
<td>
</td>
<td></td>
<td>The machine has low battery level and will contact the server less frequently.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>41</td>
<td>Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2.</td>
<td>
</td>
<td></td>
<td>The machine doesnt have low battery level and will contact the server as usual.</td>
<td>Normal operating notification; no action required.</td>
</tr>
<tr>
<td>42</td>
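Review bot: the message text for event 37 runs the product name straight into the message (`Windows Defender Advanced Threat Protection A module is about to exceed its quota`), and events 37 to 41 show raw format placeholders (`%1`, `{%2} {%3}`) while events 4, 5 and 15 above present theirs as `variable`; use one convention and explain each placeholder in the next column as the earlier rows do. `Its about to be throttled` needs the apostrophe. For event 37 in particular, `no action required` is acceptable, but the `what it means` cell should say what throttling does to sensor reporting for the rest of the 24-hour window, so an analyst seeing a telemetry gap in that window knows why.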
@ -306,14 +300,14 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
<tr>
<td>45</td>
<td>Failed to register and to start the event trace session [%1]. Error code: %2</td>
<td>An error occurred on service startup while creating ETW session. This cause service start-up failure.</td>
<td>An error occurred on service startup while creating ETW session. This caused service start-up failure.</td>
<td>If this error persists, contact Support.</td>
</tr>
<tr>
<td>46</td>
<td>Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute.</td>
<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and running but doesnt report any sensors event until the ETW session is started.</td>
<td>No action required. the service will try to start the session every minutes.</td>
<td>An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started.</td>
<td>No action required. The service will try to start the session every minute.</td>
</tr>
<tr>
<td>47</td>
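Review bot: `while creating ETW session` in both event 45 and event 46 should be `while creating an ETW session`, and `will not report any sensor event` should be `any sensor events`. Event 45 says the failure stops the service, yet its action is only `contact Support`; since event 46 already names a likely cause of a trace-session failure (too many active event trace sessions), the event 45 action should point the reader at ruling that out before escalating.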

View File

@ -43,7 +43,12 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t
> [!NOTE]
> Endpoints that are running Windows Server and mobile versions of Windows are not supported.
Internet connectivity on endpoints is also required. For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
#### Internet connectivity
Internet connectivity on endpoints is also required.
The daily bandwidth utilization on each endpoint is 5MB. The network bandwidth utilization requires ________ (ALON, PLEASE PROVIDE MISSING INFO).
For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
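Review bot: `The network bandwidth utilization requires ________ (ALON, PLEASE PROVIDE MISSING INFO).` is an author-to-author placeholder and must not be merged into a published topic; either get the figure before merging or drop the sentence and keep only `The daily bandwidth utilization on each endpoint is 5MB` (written `5 MB`, and qualified as an average or a maximum). The new `#### Internet connectivity` heading repeats the sentence it replaces (`Internet connectivity on endpoints is also required.`), and the proxy-settings sentence still has `see, [Configure ...]` with the comma on the wrong side of `see`.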
@ -92,8 +97,11 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the
```text
sc qc diagtrack
```
## Windows Defender signature updates are configured
The Windows Defender ATP agent depends on Windows Defenders ability to scan files and provide information about them, If Windows Defender is not the active Anti-Malware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md)
The Windows Defender ATP agent depends on Windows Defenders ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
## Windows Defender Early Launch AntiMalware (ELAM) driver is enabled
If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
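Review bot: the two new sentences say the same thing twice (`If Windows Defender is not the active antimalware ... you may need to configure the signature updates` and `When Windows Defender is not the active antimalware ... Windows Defender goes on passive mode`); merge them, and fix `goes on passive mode` to `goes into passive mode` and `Windows Defenders ability` to `Windows Defender's ability`. The link `windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection` has a space after `#` and will not resolve. It is also worth saying why the updates matter: the first sentence says the ATP agent relies on Windows Defender to scan files and report on them, so a passive-mode Windows Defender with stale signatures limits what the agent can report, which is the reason to keep updates configured even when another product is the active antimalware.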