From 9b57ccc26385d502613bfef5d8b73ef8d6290d17 Mon Sep 17 00:00:00 2001 From: Laura Newsad Date: Mon, 24 Aug 2020 16:53:38 -0700 Subject: [PATCH 1/9] Update enable-network-protection.md Added an arrow that was missing. Feedback from https://github.com/MicrosoftDocs/memdocs/issues/433 --- .../microsoft-defender-atp/enable-network-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index e737eb44d7..ade4a99c1b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -28,7 +28,7 @@ Check if network protection has been enabled on a local device by using Registry 1. Select the **Start** button in the task bar and type **regedit** to open Registry editor 1. Choose **HKEY_LOCAL_MACHINE** from the side menu -1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager** +1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows Defender** > **Policy Manager** 1. Select **EnableNetworkProtection** to see the current state of network protection on the device * 0, or **Off** From fc25a88aadb820ce2e6a4a6049f76838d74cef96 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Tue, 25 Aug 2020 12:16:21 +0200 Subject: [PATCH 2/9] Update create-a-group-policy-object.md Added markdown for Note. --- .../windows-firewall/create-a-group-policy-object.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md index f003f3c604..b2cef93530 100644 
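Review bot: the corrected menu trail in the `@@ -28,7 +28,7 @@` hunk of patch 1/9 is the only form in which the key is given; since the reader's next step is to locate the value in Registry Editor, also state it as a literal path in code formatting, `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager`, so it can be pasted into the editor's address bar, the way the block-at-first-sight page later in this series writes its `MpEngine` path.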
--- a/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md +++ b/windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md @@ -39,7 +39,8 @@ To create a new GPO 4. In the **Name** text box, type the name for your new GPO. - >**Note:** Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. + > [!NOTE] + > Be sure to use a name that clearly indicates the purpose of the GPO. Check to see if your organization has a naming convention for GPOs. 5. Leave **Source Starter GPO** set to **(none)**, and then click **OK**. From 06210723e87410ea68e04f03961d1418c73d464d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 25 Aug 2020 15:58:53 +0500 Subject: [PATCH 3/9] Update policy-csp-deviceguard.md --- windows/client-management/mdm/policy-csp-deviceguard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index 9512ffde73..2eae3ea3be 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md 
@@ -90,7 +90,7 @@ Secure Launch configuration: - 1 - Enables Secure Launch if supported by hardware - 2 - Disables Secure Launch. -For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How a hardware-based root of trust helps protect Windows 10](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). From d98f507ca03f29aa59a44fb9f17555e730216cf2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 26 Aug 2020 15:00:22 +0500 Subject: [PATCH 4/9] Update accounts-block-microsoft-accounts.md --- .../accounts-block-microsoft-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index a41896c0f5..44ba58b22d 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md 
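Review bot: punctuation in the Secure Launch value list that surrounds the edited link is inconsistent: `- 1 - Enables Secure Launch if supported by hardware` has no terminal period while `- 2 - Disables Secure Launch.` does; since this hunk already touches the block, drop the period on item 2 (or add one to the other items) in the same change.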
@@ -26,7 +26,7 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more details, see [Microsoft Accounts](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts). There are two options if this setting is enabled: From 7ee517141105189af4ae2c76a995bb6ded3a85d2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 26 Aug 2020 16:17:44 +0500 Subject: [PATCH 5/9] Update configure-block-at-first-sight-microsoft-defender-antivirus.md --- ...t-first-sight-microsoft-defender-antivirus.md | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 88892bd4a0..1fe1a15f6f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
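Review bot: style point on the sentence added in the `@@ -26,7 +26,7 @@` hunk of patch 4/9: `For more details, see` should match the phrasing used elsewhere in this series (`For more information about ..., see` in the System Guard sentence of patch 3/9).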
@@ -86,7 +86,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**. ![Enable Advanced settings](images/defender/sccm-advanced-settings.png) -6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. +6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking suspicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds. ![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png) 7. Click **OK** to create the policy. 
@@ -99,9 +99,9 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - - Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + 1 Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - - Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + 2 Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. > [!WARNING] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. @@ -112,6 +112,12 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**. +5. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MpEngine**: + + 1. Double-click **Select cloud protection level** and ensure the option is set to **Enabled**. + + 2. Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**, and then click **OK**. + If you had to change any of the settings, you should redeploy the Group Policy Object across your network to ensure all endpoints are covered. ### Confirm block at first sight is turned on with Registry editor 
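Review bot: in the `@@ -99,9 +99,9 @@` hunk of patch 5/9, `1 Double-click` and `2 Double-click` are not valid Markdown ordered-list items: without a period (or closing parenthesis) after the digit they render as plain paragraphs that begin with a number, and the indented `> [!WARNING]` block beneath them loses its list parent. Use `1.` and `2.`, which also matches the nested `1.`/`2.` style of the new step 5 added later in the same patch.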
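Review bot: in the `@@ -112,6 +112,12 @@` hunk of patch 5/9, sub-step 2 is missing an article: `Ensure that **Select cloud blocking level** section on the same page is set to **High blocking level**` should read `Ensure that the **Select cloud blocking level** section ...`.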
@@ -129,7 +135,9 @@ If you had to change any of the settings, you should redeploy the Group Policy O 1. **DisableIOAVProtection** key is set to **0** 2. **DisableRealtimeMonitoring** key is set to **0** - + +4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that **MpCloudBlockLevel** key is set to **2** + ### Confirm Block at First Sight is enabled on individual clients You can confirm that block at first sight is enabled on individual clients using Windows security settings. From f0afb702a490f4a298c7d9467d272506562034c2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:03:53 -0700 Subject: [PATCH 6/9] Update configure-block-at-first-sight-microsoft-defender-antivirus.md --- ...re-block-at-first-sight-microsoft-defender-antivirus.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 1fe1a15f6f..83ec4426af 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md @@ -12,6 +12,7 @@ ms.author: deniseb ms.reviewer: manager: dansimp ms.custom: nextgen +ms.date: 08/26/2020 --- # Turn on block at first sight 
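Review bot: the new step 4 in the `@@ -129,7 +135,9 @@` hunk of patch 5/9 is missing the article before the key name: `make sure that **MpCloudBlockLevel** key is set to **2**` should read `make sure that the **MpCloudBlockLevel** key is set to **2**`.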
@@ -31,10 +32,10 @@ You can [specify how long the file should be prevented from running](configure-c When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or not a threat. -Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). +Microsoft Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, intelligent, and real-time protection. To learn more, see this blog: [Get to know the advanced technologies at the core of Microsoft Defender ATP next-generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/). ![List of Microsoft Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png) -In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. +In Windows 10, version 1803 or later, block at first sight can block non-portable executable files (such as JS, VBS, or macros) as well as executable files. Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file. 
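Review bot: the unchanged context sentence at the top of the `@@ -31,10 +32,10 @@` hunk mixes number: `automated analysis of the file to determine whether the files are malicious or not a threat` refers to one file and then to several; since this hunk already edits the paragraph, change it to `whether the file is malicious or not a threat`.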
@@ -177,7 +178,7 @@ You may choose to disable block at first sight if you want to retain the prerequ 4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**. > [!NOTE] - > Disabling block at first sight will not disable or alter the prerequisite group policies. + > Disabling block at first sight does not disable or alter the prerequisite group policies. ## See also From 25a0c40bf09c8432ce86590a33afb0be3e0fa217 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:05:07 -0700 Subject: [PATCH 7/9] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nfigure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 83ec4426af..be7223aa23 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
@@ -100,7 +100,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**: - 1 Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. + 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. 2 Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. From af4ba4b8e89c86e243e5651bddc88722b02ad795 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:05:16 -0700 Subject: [PATCH 8/9] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nfigure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index be7223aa23..51df0c5151 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
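Review bot: this hunk fixes only the first item; the sibling `2 Double-click **Send file samples when further analysis is required**` visible in the trailing context has the same missing period and will render as a plain paragraph, so change it to `2.` in the same commit.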
@@ -102,7 +102,7 @@ For a list of Microsoft Defender Antivirus device restrictions in Intune, see [D 1. Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**. - 2 Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. + 2. Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**. > [!WARNING] > Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function. From e78c7ea09bccfea07e5233f1e99776f412743083 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 26 Aug 2020 08:06:25 -0700 Subject: [PATCH 9/9] Update windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...nfigure-block-at-first-sight-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md index 51df0c5151..f11dc35650 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md 
@@ -137,7 +137,7 @@ If you had to change any of the settings, you should redeploy the Group Policy O 2. **DisableRealtimeMonitoring** key is set to **0** -4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that **MpCloudBlockLevel** key is set to **2** +4. Go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\MpEngine`, and make sure that the **MpCloudBlockLevel** key is set to **2** ### Confirm Block at First Sight is enabled on individual clients
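Review bot: after adding `the` before **MpCloudBlockLevel**, the sibling checklist item shown in the context, `2. **DisableRealtimeMonitoring** key is set to **0**`, still uses the article-less form; apply the same wording to the other items in that list so the checklist reads consistently.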