mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 21:37:22 +00:00
Merge pull request #3766 from MicrosoftDocs/master
Publish 09/10/2020 3:35 PM
This commit is contained in:
Kelly Baker
GitHub
commit
c9ee609334
@ -439,9 +439,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
|
|||||||
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
|
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
|
||||||
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
|
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
|
||||||
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
|
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
|
||||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
|
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
|
||||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
|
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
|
||||||
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
|
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
|
||||||
@ -459,7 +456,6 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
|
|||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
|
||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
|
||||||
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
|
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
|
||||||
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
|
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
|
||||||
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
|
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
|
||||||
<li>Notifications/DisallowCloudNotification</li>
|
<li>Notifications/DisallowCloudNotification</li>
|
||||||
@ -2000,8 +1996,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|
|||||||
### September 2020
|
### September 2020
|
||||||
|New or updated topic | Description|
|
|New or updated topic | Description|
|
||||||
|--- | ---|
|
|--- | ---|
|
||||||
|
|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
|
||||||
|[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following policy setting from the documentation because it is not supported in Windows 10:<br> LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon <br>|
|
|
||||||
|
|
||||||
### August 2020
|
### August 2020
|
||||||
|New or updated topic | Description|
|
|New or updated topic | Description|
|
||||||
@ -2443,9 +2438,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|
|||||||
<ul>
|
<ul>
|
||||||
<li>Bluetooth/AllowPromptedProximalConnections</li>
|
<li>Bluetooth/AllowPromptedProximalConnections</li>
|
||||||
<li>KioskBrowser/EnableEndSessionButton</li>
|
<li>KioskBrowser/EnableEndSessionButton</li>
|
||||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
|
||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
|
||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
|
||||||
@ -2654,7 +2646,6 @@ How do I turn if off? | The service can be stopped from the "Services" console o
|
|||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients</li>
|
||||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
|
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
|
||||||
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
|
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
|
||||||
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
|
|
||||||
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
|
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
|
||||||
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
|
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
|
||||||
<li>RestrictedGroups/ConfigureGroupMembership</li>
|
<li>RestrictedGroups/ConfigureGroupMembership</li>
|
||||||
|
|||||||
@ -2498,15 +2498,6 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
<dd>
|
<dd>
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly" id="localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
|
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly" id="localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
|
||||||
</dd>
|
</dd>
|
||||||
<dd>
|
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
<dd>
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
|
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
|
||||||
</dd>
|
</dd>
|
||||||
@ -2591,9 +2582,6 @@ The following diagram shows the Policy configuration service provider in tree fo
|
|||||||
<dd>
|
<dd>
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile" id="localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
|
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile" id="localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
|
||||||
</dd>
|
</dd>
|
||||||
<dd>
|
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems" id="localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems">LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
<dd>
|
||||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
|
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
|
||||||
</dd>
|
</dd>
|
||||||
|
|||||||
@ -45,15 +45,6 @@ manager: dansimp
|
|||||||
<dd>
|
<dd>
|
||||||
<a href="#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
|
<a href="#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly">LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</a>
|
||||||
</dd>
|
</dd>
|
||||||
<dd>
|
|
||||||
<a href="#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
|
||||||
<a href="#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible">LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
|
||||||
<a href="#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges">LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
<dd>
|
||||||
<a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
|
<a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
|
||||||
</dd>
|
</dd>
|
||||||
@ -138,9 +129,6 @@ manager: dansimp
|
|||||||
<dd>
|
<dd>
|
||||||
<a href="#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
|
<a href="#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile">LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</a>
|
||||||
</dd>
|
</dd>
|
||||||
<dd>
|
|
||||||
<a href="#localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems">LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</a>
|
|
||||||
</dd>
|
|
||||||
<dd>
|
<dd>
|
||||||
<a href="#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
|
<a href="#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
|
||||||
</dd>
|
</dd>
|
||||||
@ -711,256 +699,6 @@ GP Info:
|
|||||||
|
|
||||||
<hr/>
|
<hr/>
|
||||||
|
|
||||||
<!--Policy-->
|
|
||||||
<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways**
|
|
||||||
|
|
||||||
<!--SupportedSKUs-->
|
|
||||||
<table>
|
|
||||||
<tr>
|
|
||||||
<th>Windows Edition</th>
|
|
||||||
<th>Supported?</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Home</td>
|
|
||||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Pro</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Business</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Enterprise</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Education</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<!--/SupportedSKUs-->
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Scope-->
|
|
||||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
|
||||||
|
|
||||||
> [!div class = "checklist"]
|
|
||||||
> * Device
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--/Scope-->
|
|
||||||
<!--Description-->
|
|
||||||
|
|
||||||
> [!WARNING]
|
|
||||||
> Starting in the version 1809 of Windows, this policy is deprecated.
|
|
||||||
|
|
||||||
Domain member: Digitally encrypt or sign secure channel data (always)
|
|
||||||
|
|
||||||
This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted.
|
|
||||||
|
|
||||||
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc.
|
|
||||||
|
|
||||||
This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies:
|
|
||||||
|
|
||||||
Domain member: Digitally encrypt secure channel data (when possible)
|
|
||||||
Domain member: Digitally sign secure channel data (when possible)
|
|
||||||
|
|
||||||
Default: Enabled.
|
|
||||||
|
|
||||||
Notes:
|
|
||||||
|
|
||||||
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
|
|
||||||
If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic.
|
|
||||||
Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not.
|
|
||||||
|
|
||||||
<!--/Description-->
|
|
||||||
<!--RegistryMapped-->
|
|
||||||
GP Info:
|
|
||||||
- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)*
|
|
||||||
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
|
|
||||||
|
|
||||||
<!--/RegistryMapped-->
|
|
||||||
<!--SupportedValues-->
|
|
||||||
|
|
||||||
<!--/SupportedValues-->
|
|
||||||
<!--Example-->
|
|
||||||
|
|
||||||
<!--/Example-->
|
|
||||||
<!--Validation-->
|
|
||||||
|
|
||||||
<!--/Validation-->
|
|
||||||
<!--/Policy-->
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Policy-->
|
|
||||||
<a href="" id="localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible"></a>**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible**
|
|
||||||
|
|
||||||
<!--SupportedSKUs-->
|
|
||||||
<table>
|
|
||||||
<tr>
|
|
||||||
<th>Windows Edition</th>
|
|
||||||
<th>Supported?</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Home</td>
|
|
||||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Pro</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Business</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Enterprise</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Education</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<!--/SupportedSKUs-->
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Scope-->
|
|
||||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
|
||||||
|
|
||||||
> [!div class = "checklist"]
|
|
||||||
> * Device
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--/Scope-->
|
|
||||||
<!--Description-->
|
|
||||||
|
|
||||||
> [!WARNING]
|
|
||||||
> Starting in the version 1809 of Windows, this policy is deprecated.
|
|
||||||
|
|
||||||
Domain member: Digitally encrypt secure channel data (when possible)
|
|
||||||
|
|
||||||
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates.
|
|
||||||
|
|
||||||
When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc.
|
|
||||||
|
|
||||||
This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
|
|
||||||
|
|
||||||
Default: Enabled.
|
|
||||||
|
|
||||||
Important
|
|
||||||
|
|
||||||
There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted.
|
|
||||||
|
|
||||||
Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains.
|
|
||||||
|
|
||||||
<!--/Description-->
|
|
||||||
<!--RegistryMapped-->
|
|
||||||
GP Info:
|
|
||||||
- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)*
|
|
||||||
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
|
|
||||||
|
|
||||||
<!--/RegistryMapped-->
|
|
||||||
<!--SupportedValues-->
|
|
||||||
|
|
||||||
<!--/SupportedValues-->
|
|
||||||
<!--Example-->
|
|
||||||
|
|
||||||
<!--/Example-->
|
|
||||||
<!--Validation-->
|
|
||||||
|
|
||||||
<!--/Validation-->
|
|
||||||
<!--/Policy-->
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Policy-->
|
|
||||||
<a href="" id="localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges"></a>**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges**
|
|
||||||
|
|
||||||
<!--SupportedSKUs-->
|
|
||||||
<table>
|
|
||||||
<tr>
|
|
||||||
<th>Windows Edition</th>
|
|
||||||
<th>Supported?</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Home</td>
|
|
||||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Pro</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Business</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Enterprise</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Education</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<!--/SupportedSKUs-->
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Scope-->
|
|
||||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
|
||||||
|
|
||||||
> [!div class = "checklist"]
|
|
||||||
> * Device
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--/Scope-->
|
|
||||||
<!--Description-->
|
|
||||||
|
|
||||||
> [!WARNING]
|
|
||||||
> Starting in the version 1809 of Windows, this policy is deprecated.
|
|
||||||
|
|
||||||
Domain member: Disable machine account password changes
|
|
||||||
|
|
||||||
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days.
|
|
||||||
|
|
||||||
Default: Disabled.
|
|
||||||
|
|
||||||
Notes
|
|
||||||
|
|
||||||
This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions.
|
|
||||||
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names.
|
|
||||||
|
|
||||||
<!--/Description-->
|
|
||||||
<!--RegistryMapped-->
|
|
||||||
GP Info:
|
|
||||||
- GP English name: *Domain member: Disable machine account password changes*
|
|
||||||
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
|
|
||||||
|
|
||||||
<!--/RegistryMapped-->
|
|
||||||
<!--SupportedValues-->
|
|
||||||
|
|
||||||
<!--/SupportedValues-->
|
|
||||||
<!--Example-->
|
|
||||||
|
|
||||||
<!--/Example-->
|
|
||||||
<!--Validation-->
|
|
||||||
|
|
||||||
<!--/Validation-->
|
|
||||||
<!--/Policy-->
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Policy-->
|
<!--Policy-->
|
||||||
<a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
|
<a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
|
||||||
|
|
||||||
@ -3038,63 +2776,6 @@ GP Info:
|
|||||||
|
|
||||||
<hr/>
|
<hr/>
|
||||||
|
|
||||||
<!--Policy-->
|
|
||||||
<a href="" id="localpoliciessecurityoptions-systemobjects-requirecaseinsensitivityfornonwindowssubsystems"></a>**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems**
|
|
||||||
|
|
||||||
<!--SupportedSKUs-->
|
|
||||||
<table>
|
|
||||||
<tr>
|
|
||||||
<th>Windows Edition</th>
|
|
||||||
<th>Supported?</th>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Home</td>
|
|
||||||
<td><img src="images/crossmark.png" alt="cross mark" /></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Pro</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Business</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Enterprise</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
|
||||||
<td>Education</td>
|
|
||||||
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
|
|
||||||
</tr>
|
|
||||||
</table>
|
|
||||||
|
|
||||||
<!--/SupportedSKUs-->
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Scope-->
|
|
||||||
[Scope](./policy-configuration-service-provider.md#policy-scope):
|
|
||||||
|
|
||||||
> [!div class = "checklist"]
|
|
||||||
> * Device
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--/Scope-->
|
|
||||||
<!--Description-->
|
|
||||||
System objects: Require case insensitivity for non-Windows subsystems
|
|
||||||
|
|
||||||
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX.
|
|
||||||
|
|
||||||
If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive.
|
|
||||||
|
|
||||||
Default: Enabled.
|
|
||||||
|
|
||||||
<!--/Description-->
|
|
||||||
<!--/Policy-->
|
|
||||||
|
|
||||||
<hr/>
|
|
||||||
|
|
||||||
<!--Policy-->
|
<!--Policy-->
|
||||||
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
|
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
|
||||||
|
|
||||||
|
|||||||
@ -533,9 +533,6 @@ ms.date: 07/18/2019
|
|||||||
- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
|
- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia)
|
||||||
- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
|
- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters)
|
||||||
- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
|
- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly)
|
||||||
- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways)
|
|
||||||
- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible)
|
|
||||||
- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges)
|
|
||||||
- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
|
- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked)
|
||||||
- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
|
- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin)
|
||||||
- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
|
- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin)
|
||||||
|
|||||||
@ -19,6 +19,9 @@
|
|||||||
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
|
### [Phase 1: Prepare](microsoft-defender-atp/prepare-deployment.md)
|
||||||
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
|
### [Phase 2: Set up](microsoft-defender-atp/production-deployment.md)
|
||||||
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
|
### [Phase 3: Onboard](microsoft-defender-atp/onboarding.md)
|
||||||
|
#### [Onboarding using Microsoft Endpoint Configuration Manager](microsoft-defender-atp/onboarding-endpoint-configuration-manager.md)
|
||||||
|
#### [Onboarding using Microsoft Endpoint Manager](microsoft-defender-atp/onboarding-endpoint-manager.md)
|
||||||
|
|
||||||
|
|
||||||
## [Migration guides](microsoft-defender-atp/migration-guides.md)
|
## [Migration guides](microsoft-defender-atp/migration-guides.md)
|
||||||
### [Switch from McAfee to Microsoft Defender ATP]()
|
### [Switch from McAfee to Microsoft Defender ATP]()
|
||||||
|
|||||||
@ -8,7 +8,6 @@ ms.pagetype: security
|
|||||||
ms.localizationpriority: medium
|
ms.localizationpriority: medium
|
||||||
ms.author: dansimp
|
ms.author: dansimp
|
||||||
author: dansimp
|
author: dansimp
|
||||||
ms.date: 10/04/2019
|
|
||||||
ms.reviewer: dansimp
|
ms.reviewer: dansimp
|
||||||
manager: dansimp
|
manager: dansimp
|
||||||
audience: ITPro
|
audience: ITPro
|
||||||
@ -23,7 +22,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
|
|||||||
1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
|
1. [Discover plug and play connected events for peripherals in Microsoft Defender ATP advanced hunting](#discover-plug-and-play-connected-events). Identify or investigate suspicious usage activity.
|
||||||
|
|
||||||
2. Configure to allow or block only certain removable devices and prevent threats.
|
2. Configure to allow or block only certain removable devices and prevent threats.
|
||||||
1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by USB vendor IDs, product IDs, device IDs, or a combination. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
|
1. [Allow or block removable devices](#allow-or-block-removable-devices) based on granular configuration to deny write access to removable disks and approve or deny devices by using USB device IDs. Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices.
|
||||||
|
|
||||||
2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
|
2. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling:
|
||||||
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
|
- Microsoft Defender Antivirus real-time protection (RTP) to scan removable storage for malware.
|
||||||
@ -98,35 +97,37 @@ In this example, the following classes needed to be added: HID, Keyboard, and {3
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. To find the vendor or product IDs, see [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id).
|
If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device ID that you want to add. Device ID is based on the vendor ID and product ID values for a device. For information on device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
|
||||||
|
|
||||||
|
To find the device IDs, see [Look up device ID](#look-up-device-id).
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**.
|
1. Remove class USBDevice from the **Allow installation of devices using drivers that match these device setup**.
|
||||||
2. Add the vendor ID or product ID to allow in the **Allow installation of device that match any of these device IDs**.
|
2. Add the device ID to allow in the **Allow installation of device that match any of these device IDs**.
|
||||||
|
|
||||||
|
|
||||||
#### Prevent installation and usage of USB drives and other peripherals
|
#### Prevent installation and usage of USB drives and other peripherals
|
||||||
|
|
||||||
If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
|
If you want to prevent the installation of a device class or certain devices, you can use the prevent device installation policies:
|
||||||
|
|
||||||
1. Enable **Prevent installation of devices that match any of these device IDs**.
|
1. Enable **Prevent installation of devices that match any of these device IDs** and add these devices to the list.
|
||||||
2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
|
2. Enable **Prevent installation of devices using drivers that match these device setup classes**.
|
||||||
|
|
||||||
> [!Note]
|
> [!Note]
|
||||||
> The prevent device installation policies take precedence over the allow device installation policies.
|
> The prevent device installation policies take precedence over the allow device installation policies.
|
||||||
|
|
||||||
The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of vendor or product IDs for devices that Windows is prevented from installing.
|
The **Prevent installation of devices that match any of these device IDs** policy allows you to specify a list of devices that Windows is prevented from installing.
|
||||||
|
|
||||||
To prevent installation of devices that match any of these device IDs:
|
To prevent installation of devices that match any of these device IDs:
|
||||||
|
|
||||||
1. [Look up device vendor ID or product ID](#look-up-device-vendor-id-or-product-id) for devices that you want Windows to prevent from installing.
|
1. [Look up device ID](#look-up-device-id) for devices that you want Windows to prevent from installing.
|
||||||
|
|
||||||
2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list.
|
2. Enable **Prevent installation of devices that match any of these device IDs** and add the vendor or product IDs to the list.
|
||||||
|
|
||||||
|
|
||||||
#### Look up device vendor ID or product ID
|
#### Look up device ID
|
||||||
You can use Device Manager to look up a device vendor or product ID.
|
You can use Device Manager to look up a device ID.
|
||||||
|
|
||||||
1. Open Device Manager.
|
1. Open Device Manager.
|
||||||
2. Click **View** and select **Devices by connection**.
|
2. Click **View** and select **Devices by connection**.
|
||||||
@ -135,11 +136,11 @@ You can use Device Manager to look up a device vendor or product ID.
|
|||||||
5. Click the **Property** drop-down list and select **Hardware Ids**.
|
5. Click the **Property** drop-down list and select **Hardware Ids**.
|
||||||
6. Right-click the top ID value and select **Copy**.
|
6. Right-click the top ID value and select **Copy**.
|
||||||
|
|
||||||
For information on vendor and product ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
|
For information about Device ID formats, see [Standard USB Identifiers](https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers).
|
||||||
|
|
||||||
For information on vendor IDs, see [USB members](https://www.usb.org/members).
|
For information on vendor IDs, see [USB members](https://www.usb.org/members).
|
||||||
|
|
||||||
The following is an example for looking up a device vendor ID or product ID using PowerShell:
|
The following is an example for looking up a device vendor ID or product ID (which is part of the device ID) using PowerShell:
|
||||||
``` PowerShell
|
``` PowerShell
|
||||||
Get-WMIObject -Class Win32_DiskDrive |
|
Get-WMIObject -Class Win32_DiskDrive |
|
||||||
Select-Object -Property *
|
Select-Object -Property *
|
||||||
|
|||||||
@ -13,7 +13,7 @@ ms.author: deniseb
|
|||||||
ms.custom: nextgen
|
ms.custom: nextgen
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
manager: dansimp
|
manager: dansimp
|
||||||
ms.date: 09/07/2020
|
ms.date: 09/10/2020
|
||||||
---
|
---
|
||||||
|
|
||||||
# Manage Microsoft Defender Antivirus updates and apply baselines
|
# Manage Microsoft Defender Antivirus updates and apply baselines
|
||||||
@ -31,6 +31,10 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u
|
|||||||
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
|
> Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques.
|
||||||
> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
|
> This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> You can use the below URL to find out what are the current versions:
|
||||||
|
> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info)
|
||||||
|
|
||||||
## Security intelligence updates
|
## Security intelligence updates
|
||||||
|
|
||||||
Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
|
Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection.
|
||||||
@ -59,7 +63,7 @@ All our updates contain:
|
|||||||
* integration improvements (Cloud, MTP)
|
* integration improvements (Cloud, MTP)
|
||||||
<br/>
|
<br/>
|
||||||
<details>
|
<details>
|
||||||
<summary> August-2020 (Platform: 4.18.2008.3 | Engine: 1.1.17400.5)</summary>
|
<summary> August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)</summary>
|
||||||
|
|
||||||
 Security intelligence update version: **1.323.9.0**
|
 Security intelligence update version: **1.323.9.0**
|
||||||
 Released: **August 27, 2020**
|
 Released: **August 27, 2020**
|
||||||
@ -72,6 +76,7 @@ All our updates contain:
|
|||||||
* Improved scan event telemetry
|
* Improved scan event telemetry
|
||||||
* Improved behavior monitoring for memory scans
|
* Improved behavior monitoring for memory scans
|
||||||
* Improved macro streams scanning
|
* Improved macro streams scanning
|
||||||
|
* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet
|
||||||
|
|
||||||
### Known Issues
|
### Known Issues
|
||||||
No known issues
|
No known issues
|
||||||
|
|||||||
Binary file not shown.
|
After Width: | Height: | Size: 200 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 4.6 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 34 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 11 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 117 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 101 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 33 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 35 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 36 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 89 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 62 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 48 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 45 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 213 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 35 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 72 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 71 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 80 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 56 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 28 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 38 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 29 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 142 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 219 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 59 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 86 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 35 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 73 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 29 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 30 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 77 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 80 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 75 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 60 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 7.9 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 16 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 86 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 32 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 127 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 96 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 148 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 38 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 61 KiB |
@ -0,0 +1,355 @@
|
|||||||
|
---
|
||||||
|
title: Onboarding using Microsoft Endpoint Configuration Manager
|
||||||
|
description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager
|
||||||
|
keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: deploy
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.author: macapara
|
||||||
|
author: mjcaparas
|
||||||
|
ms.localizationpriority: medium
|
||||||
|
manager: dansimp
|
||||||
|
audience: ITPro
|
||||||
|
ms.collection:
|
||||||
|
- M365-security-compliance
|
||||||
|
- m365solution-endpointprotect
|
||||||
|
ms.topic: article
|
||||||
|
---
|
||||||
|
|
||||||
|
# Onboarding using Microsoft Endpoint Configuration Manager
|
||||||
|
**Applies to:**
|
||||||
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
|
## Collection creation
|
||||||
|
To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
|
||||||
|
deployment can target either and existing collection or a new collection can be
|
||||||
|
created for testing. The onboarding like group policy or manual method does
|
||||||
|
not install any agent on the system. Within the Configuration Manager console
|
||||||
|
the onboarding process will be configured as part of the compliance settings
|
||||||
|
within the console. Any system that receives this required configuration will
|
||||||
|
maintain that configuration for as long as the Configuration Manager client
|
||||||
|
continues to receive this policy from the management point. Follow the steps
|
||||||
|
below to onboard systems with Configuration Manager.
|
||||||
|
|
||||||
|
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Right Click **Device Collection** and select **Create Device Collection**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Select **Add Rule** and choose **Query Rule**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. Select **Criteria** and then choose the star icon.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Select **Next** and **Close**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
9. Select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
|
||||||
|
|
||||||
|
## Endpoint detection and response
|
||||||
|
### Windows 10
|
||||||
|
From within the Microsoft Defender Security Center it is possible to download
|
||||||
|
the '.onboarding' policy that can be used to create the policy in System Center Configuration
|
||||||
|
Manager and deploy that policy to Windows 10 devices.
|
||||||
|
|
||||||
|
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Select **Download package**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Save the package to an accessible location.
|
||||||
|
5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
|
||||||
|
|
||||||
|
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Click **Browse**.
|
||||||
|
|
||||||
|
9. Navigate to the location of the downloaded file from step 4 above.
|
||||||
|
|
||||||
|
10. Click **Next**.
|
||||||
|
11. Configure the Agent with the appropriate samples (**None** or **All file types**).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
14. Verify the configuration, then click **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
15. Click **Close** when the Wizard completes.
|
||||||
|
|
||||||
|
16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
17. On the right panel, select the previously created collection and click **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Previous versions of Windows Client (Windows 7 and Windows 8.1)
|
||||||
|
Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
|
||||||
|
|
||||||
|
1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
|
||||||
|
|
||||||
|
2. Under operating system choose **Windows 7 SP1 and 8.1**.
|
||||||
|
|
||||||
|
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Install the Microsoft Monitoring Agent (MMA). <br>
|
||||||
|
MMA is currently (as of January 2019) supported on the following Windows Operating
|
||||||
|
Systems:
|
||||||
|
|
||||||
|
- Server SKUs: Windows Server 2008 SP1 or Newer
|
||||||
|
|
||||||
|
- Client SKUs: Windows 7 SP1 and later
|
||||||
|
|
||||||
|
The MMA agent will need to be installed on Windows devices. To install the
|
||||||
|
agent, some systems will need to download the [Update for customer experience
|
||||||
|
and diagnostic
|
||||||
|
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
|
||||||
|
in order to collect the data with MMA. These system versions include but may not
|
||||||
|
be limited to:
|
||||||
|
|
||||||
|
- Windows 8.1
|
||||||
|
|
||||||
|
- Windows 7
|
||||||
|
|
||||||
|
- Windows Server 2016
|
||||||
|
|
||||||
|
- Windows Server 2012 R2
|
||||||
|
|
||||||
|
- Windows Server 2008 R2
|
||||||
|
|
||||||
|
Specifically, for Windows 7 SP1, the following patches must be installed:
|
||||||
|
|
||||||
|
- Install
|
||||||
|
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
|
||||||
|
|
||||||
|
- Install either [.NET Framework
|
||||||
|
4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or
|
||||||
|
later) **or**
|
||||||
|
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
|
||||||
|
Do not install both on the same system.
|
||||||
|
|
||||||
|
5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
|
||||||
|
|
||||||
|
Once completed, you should see onboarded endpoints in the portal within an hour.
|
||||||
|
|
||||||
|
## Next generation protection
|
||||||
|
Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers.
|
||||||
|
|
||||||
|
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
In certain industries or some select enterprise customers might have specific
|
||||||
|
needs on how Antivirus is configured.
|
||||||
|
|
||||||
|
|
||||||
|
[Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
|
||||||
|
|
||||||
|
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Right-click on the newly created antimalware policy and select **Deploy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
After completing this task, you now have successfully configured Windows
|
||||||
|
Defender Antivirus.
|
||||||
|
|
||||||
|
## Attack surface reduction
|
||||||
|
The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
|
||||||
|
Protection.
|
||||||
|
|
||||||
|
All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
|
||||||
|
|
||||||
|
To set ASR rules in Audit mode:
|
||||||
|
|
||||||
|
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Select **Attack Surface Reduction**.
|
||||||
|
|
||||||
|
|
||||||
|
3. Set rules to **Audit** and click **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Confirm the new Exploit Guard policy by clicking on **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Once the policy is created click **Close**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. Right-click on the newly created policy and choose **Deploy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
After completing this task, you now have successfully configured ASR rules in audit mode.
|
||||||
|
|
||||||
|
Below are additional steps to verify whether ASR rules are correctly applied to
|
||||||
|
endpoints. (This may take few minutes)
|
||||||
|
|
||||||
|
|
||||||
|
1. From a web browser, navigate to <https://securitycenter.windows.com>.
|
||||||
|
|
||||||
|
2. Select **Configuration management** from left side menu.
|
||||||
|
|
||||||
|
3. Click **Go to attack surface management** in the Attack surface management panel.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Click each device shows configuration details of ASR rules.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
See [Optimize ASR rule deployment and
|
||||||
|
detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
|
||||||
|
|
||||||
|
|
||||||
|
### To set Network Protection rules in Audit mode:
|
||||||
|
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Select **Network protection**.
|
||||||
|
|
||||||
|
3. Set the setting to **Audit** and click **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Confirm the new Exploit Guard Policy by clicking **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Once the policy is created click on **Close**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. Right-click on the newly created policy and choose **Deploy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
After completing this task, you now have successfully configured Network
|
||||||
|
Protection in audit mode.
|
||||||
|
|
||||||
|
### To set Controlled Folder Access rules in Audit mode:
|
||||||
|
|
||||||
|
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Select **Controlled folder access**.
|
||||||
|
|
||||||
|
3. Set the configuration to **Audit** and click **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Once the policy is created click on **Close**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. Right-click on the newly created policy and choose **Deploy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
You have now successfully configured Controlled folder access in audit mode.
|
||||||
|
|
||||||
|
## Related topic
|
||||||
|
- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
|
||||||
@ -0,0 +1,364 @@
|
|||||||
|
---
|
||||||
|
title: Onboarding using Microsoft Endpoint Manager
|
||||||
|
description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Manager
|
||||||
|
keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
|
||||||
|
search.product: eADQiWindows 10XVcnh
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: deploy
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
ms.author: macapara
|
||||||
|
author: mjcaparas
|
||||||
|
ms.localizationpriority: medium
|
||||||
|
manager: dansimp
|
||||||
|
audience: ITPro
|
||||||
|
ms.collection:
|
||||||
|
- M365-security-compliance
|
||||||
|
- m365solution-endpointprotect
|
||||||
|
ms.topic: article
|
||||||
|
---
|
||||||
|
|
||||||
|
# Onboarding using Microsoft Endpoint Manager
|
||||||
|
**Applies to:**
|
||||||
|
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
|
|
||||||
|
In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy
|
||||||
|
Microsoft Defender ATP to your endpoints.
|
||||||
|
|
||||||
|
For more information about MEM, check out these resources:
|
||||||
|
- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
|
||||||
|
- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
|
||||||
|
- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
|
||||||
|
|
||||||
|
|
||||||
|
This process is a multi-step process, you'll need to:
|
||||||
|
|
||||||
|
- Identify target devices or users
|
||||||
|
|
||||||
|
- Create an Azure Active Directory group (User or Device)
|
||||||
|
|
||||||
|
- Create a Configuration Profile
|
||||||
|
|
||||||
|
- In MEM, we'll guide you in creating a separate policy for each feature
|
||||||
|
|
||||||
|
## Resources
|
||||||
|
|
||||||
|
|
||||||
|
Here are the links you'll need for the rest of the process:
|
||||||
|
|
||||||
|
- [MEM portal](https://aka.ms/memac)
|
||||||
|
|
||||||
|
- [Security Center](https://securitycenter.windows.com/)
|
||||||
|
|
||||||
|
- [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
|
||||||
|
|
||||||
|
## Identify target devices or users
|
||||||
|
In this section, we will create a test group to assign your configurations on.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
|
||||||
|
users. As an Intune admin, you can set up groups to suit your organizational
|
||||||
|
needs.<br>
|
||||||
|
> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add).
|
||||||
|
|
||||||
|
### Create a group
|
||||||
|
|
||||||
|
1. Open the MEM portal.
|
||||||
|
|
||||||
|
2. Open **Groups > New Group**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Enter details and create a new group.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Add your test user or device.
|
||||||
|
|
||||||
|
5. From the **Groups > All groups** pane, open your new group.
|
||||||
|
|
||||||
|
6. Select **Members > Add members**.
|
||||||
|
|
||||||
|
7. Find your test user or device and select it.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Your testing group now has a member to test.
|
||||||
|
|
||||||
|
## Create configuration policies
|
||||||
|
In the following section, you'll create a number of configuration policies.
|
||||||
|
First is a configuration policy to select which groups of users or devices will
|
||||||
|
be onboarded to Microsoft Defender ATP. Then you will continue by creating several
|
||||||
|
different types of Endpoint security policies.
|
||||||
|
|
||||||
|
### Endpoint detection and response
|
||||||
|
|
||||||
|
1. Open the MEM portal.
|
||||||
|
|
||||||
|
2. Navigate to **Endpoint security > Endpoint detection and response**. Click
|
||||||
|
on **Create Profile**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection
|
||||||
|
and response > Create**.
|
||||||
|
|
||||||
|
4. Enter a name and description, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Select settings as required, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp). <br>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. Add scope tags if necessary, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Review and accept, then select **Create**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
9. You can view your completed policy.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Next-generation protection
|
||||||
|
|
||||||
|
1. Open the MEM portal.
|
||||||
|
|
||||||
|
2. Navigate to **Endpoint security > Antivirus > Create Policy**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft
|
||||||
|
Defender Antivirus > Create**.
|
||||||
|
|
||||||
|
4. Enter name and description, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. In the **Configuration settings page**: Set the configurations you require for
|
||||||
|
Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time
|
||||||
|
Protection, and Remediation).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. Add scope tags if necessary, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Select groups to include, assign to your test group, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Review and create, then select **Create**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
9. You'll see the configuration policy you created.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Attack Surface Reduction – Attack surface reduction rules
|
||||||
|
|
||||||
|
1. Open the MEM portal.
|
||||||
|
|
||||||
|
2. Navigate to **Endpoint security > Attack surface reduction**.
|
||||||
|
|
||||||
|
3. Select **Create Policy**.
|
||||||
|
|
||||||
|
4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction
|
||||||
|
rules > Create**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Enter a name and description, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. In the **Configuration settings page**: Set the configurations you require for
|
||||||
|
Attack surface reduction rules, then select **Next**.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>We will be configuring all of the Attack surface reduction rules to Audit.
|
||||||
|
|
||||||
|
For more information, see [Attack surface reduction rules](attack-surface-reduction.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Add Scope Tags as required, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Select groups to include and assign to test group, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
9. Review the details, then select **Create**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
10. View the policy.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Attack Surface Reduction – Web Protection
|
||||||
|
|
||||||
|
1. Open the MEM portal.
|
||||||
|
|
||||||
|
2. Navigate to **Endpoint security > Attack surface reduction**.
|
||||||
|
|
||||||
|
3. Select **Create Policy**.
|
||||||
|
|
||||||
|
4. Select **Windows 10 and Later – Web protection > Create**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Enter a name and description, then select **Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
6. In the **Configuration settings page**: Set the configurations you require for
|
||||||
|
Web Protection, then select **Next**.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
>We are configuring Web Protection to Block.
|
||||||
|
|
||||||
|
For more information, see [Web Protection](web-protection-overview.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
7. Add **Scope Tags as required > Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
8. Select **Assign to test group > Next**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
9. Select **Review and Create > Create**.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
10. View the policy.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
## Validate configuration settings
|
||||||
|
|
||||||
|
|
||||||
|
### Confirm Policies have been applied
|
||||||
|
|
||||||
|
|
||||||
|
Once the Configuration policy has been assigned, it will take some time to apply.
|
||||||
|
|
||||||
|
For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
|
||||||
|
|
||||||
|
To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy.
|
||||||
|
|
||||||
|
1. Open the MEM portal and navigate to the relevant policy as shown in the
|
||||||
|
steps above. The following example shows the next generation protection settings.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. Select the **Configuration Policy** to view the policy status.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. Select **Device Status** to see the status.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
4. Select **User Status** to see the status.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
5. Select **Per-setting status** to see the status.
|
||||||
|
|
||||||
|
>[!TIP]
|
||||||
|
>This view is very useful to identify any settings that conflict with another policy.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Endpoint detection and response
|
||||||
|
|
||||||
|
|
||||||
|
1. Before applying the configuration, the Microsoft Defender ATP
|
||||||
|
Protection service should not be started.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. After the configuration has been applied, the Microsoft Defender ATP
|
||||||
|
Protection Service should be started.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. After the services are running on the device, the device appears in Microsoft
|
||||||
|
Defender Security Center.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Next-generation protection
|
||||||
|
|
||||||
|
1. Before applying the policy on a test device, you should be able to manually
|
||||||
|
manage the settings as shown below.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
2. After the policy has been applied, you should not be able to manually manage
|
||||||
|
the settings.
|
||||||
|
|
||||||
|
>[!NOTE]
|
||||||
|
> In the following image **Turn on cloud-delivered protection** and
|
||||||
|
**Turn on real-time protection** are being shown as managed.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Attack Surface Reduction – Attack surface reduction rules
|
||||||
|
|
||||||
|
|
||||||
|
1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`.
|
||||||
|
|
||||||
|
2. This should respond with the following lines with no content:
|
||||||
|
|
||||||
|
AttackSurfaceReductionOnlyExclusions:
|
||||||
|
|
||||||
|
AttackSurfaceReductionRules_Actions:
|
||||||
|
|
||||||
|
AttackSurfaceReductionRules_Ids:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`.
|
||||||
|
|
||||||
|
4. This should respond with the following lines with content as shown below:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
### Attack Surface Reduction – Web Protection
|
||||||
|
|
||||||
|
1. On the test device, open a PowerShell Windows and type
|
||||||
|
`(Get-MpPreference).EnableNetworkProtection`.
|
||||||
|
|
||||||
|
2. This should respond with a 0 as shown below.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
3. After applying the policy, open a PowerShell Windows and type
|
||||||
|
`(Get-MpPreference).EnableNetworkProtection`.
|
||||||
|
|
||||||
|
4. This should respond with a 1 as shown below.
|
||||||
|
|
||||||
|
|
||||||
@ -51,343 +51,21 @@ You are currently in the onboarding phase.
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
|
To deploy Microsoft Defender ATP, you'll need to onboard devices to the service.
|
||||||
|
|
||||||
The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment.
|
Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements.
|
||||||
|
|
||||||
This article will guide you on:
|
After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction.
|
||||||
- Setting up Microsoft Endpoint Configuration Manager
|
|
||||||
|
|
||||||
|
This article provides resources to guide you on:
|
||||||
|
- Using various management tools to onboard devices
|
||||||
|
- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
|
||||||
|
- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
|
||||||
- Endpoint detection and response configuration
|
- Endpoint detection and response configuration
|
||||||
- Next-generation protection configuration
|
- Next-generation protection configuration
|
||||||
- Attack surface reduction configuration
|
- Attack surface reduction configuration
|
||||||
|
|
||||||
## Onboarding using Microsoft Endpoint Configuration Manager
|
## Related topics
|
||||||
### Collection creation
|
- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
|
||||||
To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the
|
- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
|
||||||
deployment can target either and existing collection or a new collection can be
|
|
||||||
created for testing. The onboarding like group policy or manual method does
|
|
||||||
not install any agent on the system. Within the Configuration Manager console
|
|
||||||
the onboarding process will be configured as part of the compliance settings
|
|
||||||
within the console. Any system that receives this required configuration will
|
|
||||||
maintain that configuration for as long as the Configuration Manager client
|
|
||||||
continues to receive this policy from the management point. Follow the steps
|
|
||||||
below to onboard systems with Configuration Manager.
|
|
||||||
|
|
||||||
1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Right Click **Device Collection** and select **Create Device Collection**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
3. Provide a **Name** and **Limiting Collection**, then select **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Select **Add Rule** and choose **Query Rule**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
6. Select **Criteria** and then choose the star icon.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
8. Select **Next** and **Close**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
9. Select **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment.
|
|
||||||
|
|
||||||
## Endpoint detection and response
|
|
||||||
### Windows 10
|
|
||||||
From within the Microsoft Defender Security Center it is possible to download
|
|
||||||
the '.onboarding' policy that can be used to create the policy in System Center Configuration
|
|
||||||
Manager and deploy that policy to Windows 10 devices.
|
|
||||||
|
|
||||||
1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding).
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
3. Select **Download package**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Save the package to an accessible location.
|
|
||||||
5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**.
|
|
||||||
|
|
||||||
6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
7. Enter the name and description, verify **Onboarding** is selected, then select **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
8. Click **Browse**.
|
|
||||||
|
|
||||||
9. Navigate to the location of the downloaded file from step 4 above.
|
|
||||||
|
|
||||||
10. Click **Next**.
|
|
||||||
11. Configure the Agent with the appropriate samples (**None** or **All file types**).
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
14. Verify the configuration, then click **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
15. Click **Close** when the Wizard completes.
|
|
||||||
|
|
||||||
16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
17. On the right panel, select the previously created collection and click **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### Previous versions of Windows Client (Windows 7 and Windows 8.1)
|
|
||||||
Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows.
|
|
||||||
|
|
||||||
1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**.
|
|
||||||
|
|
||||||
2. Under operating system choose **Windows 7 SP1 and 8.1**.
|
|
||||||
|
|
||||||
3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Install the Microsoft Monitoring Agent (MMA). <br>
|
|
||||||
MMA is currently (as of January 2019) supported on the following Windows Operating
|
|
||||||
Systems:
|
|
||||||
|
|
||||||
- Server SKUs: Windows Server 2008 SP1 or Newer
|
|
||||||
|
|
||||||
- Client SKUs: Windows 7 SP1 and later
|
|
||||||
|
|
||||||
The MMA agent will need to be installed on Windows devices. To install the
|
|
||||||
agent, some systems will need to download the [Update for customer experience
|
|
||||||
and diagnostic
|
|
||||||
telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry)
|
|
||||||
in order to collect the data with MMA. These system versions include but may not
|
|
||||||
be limited to:
|
|
||||||
|
|
||||||
- Windows 8.1
|
|
||||||
|
|
||||||
- Windows 7
|
|
||||||
|
|
||||||
- Windows Server 2016
|
|
||||||
|
|
||||||
- Windows Server 2012 R2
|
|
||||||
|
|
||||||
- Windows Server 2008 R2
|
|
||||||
|
|
||||||
Specifically, for Windows 7 SP1, the following patches must be installed:
|
|
||||||
|
|
||||||
- Install
|
|
||||||
[KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
|
|
||||||
|
|
||||||
- Install either [.NET Framework
|
|
||||||
4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or
|
|
||||||
later) **or**
|
|
||||||
[KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework).
|
|
||||||
Do not install both on the same system.
|
|
||||||
|
|
||||||
5. If you're using a proxy to connect to the Internet see the Configure proxy settings section.
|
|
||||||
|
|
||||||
Once completed, you should see onboarded endpoints in the portal within an hour.
|
|
||||||
|
|
||||||
## next-generation protection
|
|
||||||
Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers.
|
|
||||||
|
|
||||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
In certain industries or some select enterprise customers might have specific
|
|
||||||
needs on how Antivirus is configured.
|
|
||||||
|
|
||||||
|
|
||||||
[Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan)
|
|
||||||
|
|
||||||
For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework)
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
3. Right-click on the newly created antimalware policy and select **Deploy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Target the new antimalware policy to your Windows 10 collection and click **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
After completing this task, you now have successfully configured Windows
|
|
||||||
Defender Antivirus.
|
|
||||||
|
|
||||||
## Attack surface reduction
|
|
||||||
The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit
|
|
||||||
Protection.
|
|
||||||
|
|
||||||
All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode.
|
|
||||||
|
|
||||||
To set ASR rules in Audit mode:
|
|
||||||
|
|
||||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Select **Attack Surface Reduction**.
|
|
||||||
|
|
||||||
|
|
||||||
3. Set rules to **Audit** and click **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Confirm the new Exploit Guard policy by clicking on **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. Once the policy is created click **Close**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
6. Right-click on the newly created policy and choose **Deploy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
After completing this task, you now have successfully configured ASR rules in audit mode.
|
|
||||||
|
|
||||||
Below are additional steps to verify whether ASR rules are correctly applied to
|
|
||||||
endpoints. (This may take few minutes)
|
|
||||||
|
|
||||||
|
|
||||||
1. From a web browser, navigate to <https://securitycenter.windows.com>.
|
|
||||||
|
|
||||||
2. Select **Configuration management** from left side menu.
|
|
||||||
|
|
||||||
3. Click **Go to attack surface management** in the Attack surface management panel.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. Click each device shows configuration details of ASR rules.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
See [Optimize ASR rule deployment and
|
|
||||||
detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
|
|
||||||
|
|
||||||
|
|
||||||
### To set Network Protection rules in Audit mode:
|
|
||||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Select **Network protection**.
|
|
||||||
|
|
||||||
3. Set the setting to **Audit** and click **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Confirm the new Exploit Guard Policy by clicking **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. Once the policy is created click on **Close**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
6. Right-click on the newly created policy and choose **Deploy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
7. Select the policy to the newly created Windows 10 collection and choose **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
After completing this task, you now have successfully configured Network
|
|
||||||
Protection in audit mode.
|
|
||||||
|
|
||||||
### To set Controlled Folder Access rules in Audit mode:
|
|
||||||
|
|
||||||
1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
2. Select **Controlled folder access**.
|
|
||||||
|
|
||||||
3. Set the configuration to **Audit** and click **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
4. Confirm the new Exploit Guard Policy by clicking on **Next**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
5. Once the policy is created click on **Close**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
6. Right-click on the newly created policy and choose **Deploy**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
7. Target the policy to the newly created Windows 10 collection and click **OK**.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
You have now successfully configured Controlled folder access in audit mode.
|
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user