Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

This commit is contained in:
Huaping Yu (Beyondsoft Consulting Inc) 2018-07-12 16:28:04 -07:00
commit ce6be16e7f
59 changed files with 1809 additions and 1303 deletions

View File

@ -1644,6 +1644,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>ApplicationManagement/LaunchAppAfterLogOn</li>
<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
<li>TaskManager/AllowEndTask</li>
<li>WindowsLogon/DontDisplayNetworkSelectionUI</li>
</ul>
</td></tr>
</tbody>

View File

@ -389,6 +389,29 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### BITS policies
<dl>
<dd>
<a href="./policy-csp-bits.md#bits-bandwidththrottlingendtime" id="bits-bandwidththrottlingendtime">BITS/BandwidthThrottlingEndTime</a>
</dd>
<dd>
<a href="./policy-csp-bits.md#bits-bandwidththrottlingstarttime" id="bits-bandwidththrottlingstarttime">BITS/BandwidthThrottlingStartTime</a>
</dd>
<dd>
<a href="./policy-csp-bits.md#bits-bandwidththrottlingtransferrate" id="bits-bandwidththrottlingtransferrate">BITS/BandwidthThrottlingTransferRate</a>
</dd>
<dd>
<a href="./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority" id="bits-costednetworkbehaviorbackgroundpriority">BITS/CostedNetworkBehaviorBackgroundPriority</a>
</dd>
<dd>
<a href="./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority" id="bits-costednetworkbehaviorforegroundpriority">BITS/CostedNetworkBehaviorForegroundPriority</a>
</dd>
<dd>
<a href="./policy-csp-bits.md#bits-jobinactivitytimeout" id="bits-jobinactivitytimeout">BITS/JobInactivityTimeout</a>
</dd>
</dl>
### Bluetooth policies
<dl>
@ -3991,6 +4014,12 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices)
- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior)
- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay)
- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime)
- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime)
- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate)
- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority)
- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority)
- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout)
- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown)
- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill)
- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies)

View File

@ -0,0 +1,504 @@
---
title: Policy CSP - BITS
description: Policy CSP - BITS
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 06/29/2018
---
# Policy CSP - BITS
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
- BITS/BandwidthThrottlingEndTime
- BITS/BandwidthThrottlingStartTime
- BITS/BandwidthThrottlingTransferRate
If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8am and 5pm respectively). The time policies are based on the 24-hour clock.
<hr/>
<!--Policies-->
## BITS policies
<dl>
<dd>
<a href="#bits-bandwidththrottlingendtime">BITS/BandwidthThrottlingEndTime</a>
</dd>
<dd>
<a href="#bits-bandwidththrottlingstarttime">BITS/BandwidthThrottlingStartTime</a>
</dd>
<dd>
<a href="#bits-bandwidththrottlingtransferrate">BITS/BandwidthThrottlingTransferRate</a>
</dd>
<dd>
<a href="#bits-costednetworkbehaviorbackgroundpriority">BITS/CostedNetworkBehaviorBackgroundPriority</a>
</dd>
<dd>
<a href="#bits-costednetworkbehaviorforegroundpriority">BITS/CostedNetworkBehaviorForegroundPriority</a>
</dd>
<dd>
<a href="#bits-jobinactivitytimeout">BITS/JobInactivityTimeout</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="bits-bandwidththrottlingendtime"></a>**BITS/BandwidthThrottlingEndTime**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies the bandwidth throttling **end time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
Value type is integer. Default value is 17 (5 pm).
Supported value range: 0 - 23
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Limit the maximum network bandwidth for BITS background transfers*
- GP name: *BITS_MaxBandwidth*
- GP element: *BITS_BandwidthLimitSchedTo*
- GP path: *Network/Background Intelligent Transfer Service (BITS)*
- GP ADMX file name: *Bits.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bits-bandwidththrottlingstarttime"></a>**BITS/BandwidthThrottlingStartTime**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies the bandwidth throttling **start time** that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers. This policy is based on the 24-hour clock.
Value type is integer. Default value is 8 (8 am).
Supported value range: 0 - 23
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Limit the maximum network bandwidth for BITS background transfers*
- GP name: *BITS_MaxBandwidth*
- GP element: *BITS_BandwidthLimitSchedFrom*
- GP path: *Network/Background Intelligent Transfer Service (BITS)*
- GP ADMX file name: *Bits.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bits-bandwidththrottlingtransferrate"></a>**BITS/BandwidthThrottlingTransferRate**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy specifies the bandwidth throttling **transfer rate** in kilobits per second (Kbps) that Background Intelligent Transfer Service (BITS) uses for background transfers. This policy setting does not affect foreground transfers.
Value type is integer. Default value is 1000.
Supported value range: 0 - 4294967200
You can specify a limit to use during a specific time interval and at all other times. For example, limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M., and use all available unused bandwidth the rest of the day's hours.
Using the three policies together (BandwidthThrottlingStartTime, BandwidthThrottlingEndTime, BandwidthThrottlingTransferRate), BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits, BITS will continue to use approximately 2 kilobits. To prevent BITS transfers from occurring, specify a limit of 0.
If you disable or do not configure this policy setting, BITS uses all available unused bandwidth.
Note: You should base the limit on the speed of the network link, not the computer's network interface card (NIC). This policy setting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose.
Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a fast network card (10Mbs), but is connected to the network via a slow link (56Kbs).
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Limit the maximum network bandwidth for BITS background transfers*
- GP name: *BITS_MaxBandwidth*
- GP element: *BITS_MaxTransferRateText*
- GP path: *Network/Background Intelligent Transfer Service (BITS)*
- GP ADMX file name: *Bits.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bits-costednetworkbehaviorbackgroundpriority"></a>**BITS/CostedNetworkBehaviorBackgroundPriority**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers.
If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
For example, you can specify that background jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
- 1 - Always transfer
- 2 - Transfer unless roaming
- 3 - Transfer unless surcharge applies (when not roaming or overcap)
- 4 - Transfer unless nearing limit (when not roaming or nearing cap)
- 5 - Transfer only if unconstrained
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Set default download behavior for BITS jobs on costed networks*
- GP name: *BITS_SetTransferPolicyOnCostedNetwork*
- GP element: *BITS_TransferPolicyNormalPriorityValue*
- GP path: *Network/Background Intelligent Transfer Service (BITS)*
- GP ADMX file name: *Bits.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bits-costednetworkbehaviorforegroundpriority"></a>**BITS/CostedNetworkBehaviorForegroundPriority**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines the default behavior that the foreground Intelligent Transfer Service (BITS) uses for foreground transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of foreground transfers.
If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but does apply to jobs that are created by specifying only a priority.
For example, you can specify that foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming. The values that can be assigned are:
- 1 - Always transfer
- 2 - Transfer unless roaming
- 3 - Transfer unless surcharge applies (when not roaming or overcap)
- 4 - Transfer unless nearing limit (when not roaming or nearing cap)
- 5 - Transfer only if unconstrained
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Set default download behavior for BITS jobs on costed networks*
- GP name: *BITS_SetTransferPolicyOnCostedNetwork*
- GP element: *BITS_TransferPolicyForegroundPriorityValue*
- GP path: *Network/Background Intelligent Transfer Service (BITS)*
- GP ADMX file name: *Bits.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="bits-jobinactivitytimeout"></a>**BITS/JobInactivityTimeout**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>5</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
> [!Note]
> Any property changes to the job or any successful download action will reset this timeout.
Value type is integer. Default is 90 days.
Supported values range: 0 - 999
Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
Consider decreasing this value if you are concerned about orphaned jobs occupying disk space.
If you disable or do not configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Timeout for inactive BITS jobs*
- GP name: *BITS_Job_Timeout*
- GP element: *BITS_Job_Timeout_Time*
- GP path: *Network/Background Intelligent Transfer Service (BITS)*
- GP ADMX file name: *Bits.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Value type is integer. Default is 90 days.
Supported values range: 0 - 999
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in the next major release of Windows 10.
<!--/Policies-->
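Review bot: The BITS/CostedNetworkBehaviorForegroundPriority description reads like a search-and-replace of the background text that went too far: it expands BITS as "foreground Intelligent Transfer Service", and its example says "foreground jobs are by default to transfer only when on uncosted network connections, but foreground jobs should proceed only when not roaming", which contradicts itself. Restore "Background Intelligent Transfer Service" and reword the example so it describes the foreground default without repeating the same job type on both sides. Separately, the three bandwidth entries each state "If you disable or do not configure this policy setting, BITS uses all available unused bandwidth" while also listing defaults of 17, 8 and 1000, and the introduction says the 8am and 5pm defaults apply when only the transfer rate is defined; say which behaviour applies when none of the three is configured. Still undocumented are what happens when StartTime is greater than or equal to EndTime, what a JobInactivityTimeout of 0 means, and the default for the two costed-network policies. The upper bound 4294967200 for the transfer rate is worth confirming against Bits.admx, "(10Mbs)" and "(56Kbs)" should use the same unit notation as "Kbps", and the 1 to 5 value list and the ranges belong in the SupportedValues blocks, which are empty for five of the six policies.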

View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/14/2018
ms.date: 07/12/2018
---
# Policy CSP - WindowsLogon
@ -143,6 +143,31 @@ If you enable this policy setting, the PC's network connectivity state cannot be
If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
Here is an example to enable this policy:
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Atomic>
<CmdID>300</CmdID>
<Replace>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data><![CDATA[<enabled/>]]></Data>
</Item>
</Replace>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).

View File

@ -7,8 +7,8 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: deploy
author: greg-lindsay
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 07/10/2018
ms.localizationpriority: high
---
# SetupDiag
@ -45,6 +45,7 @@ See the [Release notes](#release-notes) section at the bottom of this topic for
| /LogsPath:\<Path to logs\> | <ul><li>This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.</ul> |
| /ZipLogs:\<True \| False\> | <ul><li>This optional parameter tells SetupDiag.exe to create a zip file continuing its results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.<li>Default: If not specified, a value of 'true' is used.</ul> |
| /Verbose | <ul><li>This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.</ul> |
| /Format:\<xml \| json\> | <ul><li>This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.</ul> |
### Examples:
@ -346,10 +347,23 @@ Each rule name and its associated unique rule identifier are listed with a descr
- Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code.
41. FindFatalPluginFailure E48E3F1C-26F6-4AFB-859B-BF637DA49636
- Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
- Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes.
43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9
- Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code.
44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9
- Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code.
## Release notes
07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center.
- Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues.
- New feature: Ability to output logs in JSON and XML format.
- Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic.
- If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text.
- New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive.
- 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed.
05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center.
- Fixed a bug in device install failure detection in online mode.
- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost.
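Review bot: In the v1.30 release notes, the sub-bullet about omitting the parameter writes the switches with typographic quotes (“/Format:xml” or “/Format:json”) while the sub-bullet above it uses straight quotes; use straight quotes or code formatting in both so the switches can be copied to a command line unchanged. "New feature:" and "New Feature:" should share one capitalisation. The new rules 42 to 44 separate the rule name and GUID with " - ", which entry 41 (FindFatalPluginFailure) does not, so normalise the list in the same change.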
@ -364,6 +378,84 @@ Each rule name and its associated unique rule identifier are listed with a descr
03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center.
## Sample logs
### Text log sample
```
Matching Profile found: OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6
System Information:
Machine Name = Offline
Manufacturer = MSI
Model = MS-7998
HostOSArchitecture = x64
FirmwareType = PCAT
BiosReleaseDate = 20160727000000.000000+000
BiosVendor = BIOS Date: 07/27/16 10:01:46 Ver: V1.70
BiosVersion = 1.70
HostOSVersion = 10.0.15063
HostOSBuildString = 15063.0.amd64fre.rs2_release.170317-1834
TargetOSBuildString = 10.0.16299.15 (rs3_release.170928-1534)
HostOSLanguageId = 2057
HostOSEdition = Core
RegisteredAV = Windows Defender,
FilterDrivers = WdFilter,wcifs,WIMMount,luafv,Wof,FileInfo,
UpgradeStartTime = 3/21/2018 9:47:16 PM
UpgradeEndTime = 3/21/2018 10:02:40 PM
UpgradeElapsedTime = 00:15:24
ReportId = dd4db176-4e3f-4451-aef6-22cf46de8bde
Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F
Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again.
Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015
Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information.
```
### XML log sample
```
<?xml version="1.0" encoding="utf-16"?>
<SetupDiag xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="https://docs.microsoft.com/en-us/windows/deployment/upgrade/setupdiag">
<Version>1.3.0.0</Version>
<ProfileName>DiskSpaceBlockInDownLevel</ProfileName>
<ProfileGuid>6080AFAC-892E-4903-94EA-7A17E69E549E</ProfileGuid>
<SystemInfo>
<MachineName>Offline</MachineName>
<Manufacturer>Microsoft Corporation</Manufacturer>
<Model>Virtual Machine</Model>
<HostOSArchitecture>x64</HostOSArchitecture>
<FirmwareType>UEFI</FirmwareType>
<BiosReleaseDate>20171012000000.000000+000</BiosReleaseDate>
<BiosVendor>Hyper-V UEFI Release v2.5</BiosVendor>
<BiosVersion>Hyper-V UEFI Release v2.5</BiosVersion>
<HostOSVersion>10.0.14393</HostOSVersion>
<HostOSBuildString>14393.1794.amd64fre.rs1_release.171008-1615</HostOSBuildString>
<TargetOSBuildString>10.0.16299.15 (rs3_release.170928-1534)</TargetOSBuildString>
<HostOSLanguageId>1033</HostOSLanguageId>
<HostOSEdition>Core</HostOSEdition>
<RegisteredAV />
<FilterDrivers />
<UpgradeStartTime>2017-12-21T12:56:22</UpgradeStartTime>
<UpgradeElapsedTime />
<UpgradeEndTime>2017-12-21T13:22:46</UpgradeEndTime>
<RollbackStartTime>0001-01-01T00:00:00</RollbackStartTime>
<RollbackEndTime>0001-01-01T00:00:00</RollbackEndTime>
<RollbackElapsedTime />
<CommercialId>Offline</CommercialId>
<SetupReportId>06600fcd-acc0-40e4-b7f8-bb984dc8d05a</SetupReportId>
<ReportId>06600fcd-acc0-40e4-b7f8-bb984dc8d05a</ReportId>
</SystemInfo>
<FailureData>Warning: Found Disk Space Hard Block.</FailureData>
<Remediation>You must free up at least "6603" MB of space on the System Drive, and try again.</Remediation>
</SetupDiag>
```
### JSON log sample
```
{"Version":"1.3.0.0","ProfileName":"DiskSpaceBlockInDownLevel","ProfileGuid":"6080AFAC-892E-4903-94EA-7A17E69E549E","SystemInfo":{"BiosReleaseDate":"20171012000000.000000+000","BiosVendor":"Hyper-V UEFI Release v2.5","BiosVersion":"Hyper-V UEFI Release v2.5","CV":null,"CommercialId":"Offline","FilterDrivers":"","FirmwareType":"UEFI","HostOSArchitecture":"x64","HostOSBuildString":"14393.1794.amd64fre.rs1_release.171008-1615","HostOSEdition":"Core","HostOSLanguageId":"1033","HostOSVersion":"10.0.14393","MachineName":"Offline","Manufacturer":"Microsoft Corporation","Model":"Virtual Machine","RegisteredAV":"","ReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","RollbackElapsedTime":"PT0S","RollbackEndTime":"\/Date(-62135568000000-0800)\/","RollbackStartTime":"\/Date(-62135568000000-0800)\/","SDMode":1,"SetupReportId":"06600fcd-acc0-40e4-b7f8-bb984dc8d05a","TargetOSArchitecture":null,"TargetOSBuildString":"10.0.16299.15 (rs3_release.170928-1534)","UpgradeElapsedTime":"PT26M24S","UpgradeEndTime":"\/Date(1513891366000-0800)\/","UpgradeStartTime":"\/Date(1513889782000-0800)\/"},"FailureData":["Warning: Found Disk Space Hard Block."],"DeviceDriverInfo":null,"Remediation":["You must free up at least \"6603\" MB of space on the System Drive, and try again."]}
```
## Related topics
[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolve-windows-10-upgrade-errors)
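Review bot: The XML and JSON samples describe the same report (same ProfileGuid and ReportId) but do not share a schema, and nothing in the section says so. FailureData and Remediation are single strings in XML and arrays in JSON, timestamps are ISO 8601 in XML and `\/Date(...)\/` values in JSON, UpgradeElapsedTime is empty in XML but PT26M24S in JSON, and CV, SDMode, TargetOSArchitecture and DeviceDriverInfo appear only in JSON. Add a sentence under each heading that states these differences, or regenerate both samples from one build, so anyone writing a parser against the new /Format output knows what to expect. The text sample is for a different profile (OptionalComponentOpenPackageFailed) than the other two, which is worth stating. The three fences have no language tag, and the JSON sample is one unbroken line that would read better pretty-printed. Every sample carries machine name, BIOS details, registered AV and filter drivers, so a line noting that SetupDiag output contains system inventory and should be reviewed before it is shared would be a useful addition.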

View File

@ -1,5 +1,7 @@
# [Security](index.yml)
## [Identity and access management](identity-protection/index.md)
## [Threat protection](threat-protection/index.md)
## [Information protection](information-protection/index.md)
## [Hardware-based protection](hardware-protection/index.md)
## [Hardware-based protection](hardware-protection/index.md)
## [Threat protection](threat-protection/index.md)

View File

@ -28,7 +28,7 @@ With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the followi
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
## About TPM initialization and ownership
@ -165,7 +165,7 @@ This capability was fully removed from TPM.msc in later versions of Windows.
## Use the TPM cmdlets
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx).
You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
## Related topics

View File

@ -14,7 +14,7 @@ metadata:
keywords: protect, company, data, Windows, device, app, management, Microsoft365, e5, e3
ms.localizationpriority: medium
ms.localizationpriority: high
author: brianlic-msft
@ -22,7 +22,7 @@ metadata:
manager: brianlic
ms.date: 02/06/2018
ms.date: 07/12/2018
ms.topic: article
@ -78,199 +78,17 @@ sections:
title: Information protection
- title: Security features built in to Windows 10
- title: Windows Defender Advanced Threat Protection
items:
- type: paragraph
text: 'Windows 10 enables critical security features to protect your device right from the start.'
- type: list
style: cards
className: cardsM
columns: 3
items:
- href: \windows\security\hardware-protection\how-hardware-based-containers-help-protect-windows
html: <p>Protect the boot process and maintain system integrity</p>
image:
src: https://docs.microsoft.com/media/common/i_identity-protection.svg
title: Windows Defender System Guard
- href: \windows\security\threat-protection\windows-defender-antivirus\windows-defender-antivirus-in-windows-10
html: <p>Protect against malware management using next-generation antivirus technologies</p>
image:
src: https://docs.microsoft.com/media/common/i_threat-protection.svg
title: Windows Defender Antivirus
- href: \windows\security\information-protection\bitlocker\bitlocker-overview
html: <p>Prevent data theft from lost or stolen devices</p>
image:
src: https://docs.microsoft.com/media/common/i_information-protection.svg
title: BitLocker
- title: Security features in Microsoft 365 E3
items:
- type: paragraph
text: 'Windows 10 Enterprise provides the foundation for Microsoft 365 E3 and a secure modern workplace.'
- type: list
style: cards
className: cardsM
columns: 3
items:
- href: \windows\security\identity-protection\hello-for-business\hello-overview
html: <p>Give users a more personal and secure way to access their devices</p>
image:
src: https://docs.microsoft.com/media/common/i_identity-protection.svg
title: Windows Hello for Business
- href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control
html: <p>Lock down applications that run on a device</p>
image:
src: https://docs.microsoft.com/media/common/i_threat-protection.svg
title: Windows Defender Application Control
- href: \windows\security\information-protection\windows-information-protection\protect-enterprise-data-using-wip
html: <p>Prevent accidental data leaks from enterprise devices</p>
image:
src: https://docs.microsoft.com/media/common/i_information-protection.svg
title: Windows Information Protection
- title: Security features in Microsoft 365 E5
items:
- type: paragraph
text: 'Get all of the protection from Microsoft 365 E3 security, plus these cloud-based security features to help you defend against even the most advanced threats.'
- type: list
style: cards
className: cardsM
columns: 3
items:
- href: https://docs.microsoft.com/azure/active-directory/active-directory-identityprotection
html: <p>Identity Protection and Privileged Identity Management</p>
image:
src: https://docs.microsoft.com/media/common/i_identity-protection.svg
title: Azure Active Directory P2
- href: \windows\security\threat-protection\Windows-defender-atp\windows-defender-advanced-threat-protection
html: <p>Detect, investigate, and respond to advanced cyberattacks</p>
image:
src: https://docs.microsoft.com/media/common/i_threat-protection.svg
title: Windows Defender Advanced Threat Protection
- href: https://www.microsoft.com/cloud-platform/azure-information-protection
html: <p>Protect documents and email automatically</p>
image:
src: https://docs.microsoft.com/media/common/i_information-protection.svg
title: Azure Information Protection P2
- title: Videos
items:
- type: markdown
text: ">[![VIDEO](images/next-generation-windows-security-vision.png)](https://www.youtube.com/watch?v=IvZySDNfNpo)"
- type: markdown
text: ">[![VIDEO](images/fall-creators-update-next-gen-security.png)](https://www.youtube.com/watch?v=JDGMNFwyUg8)"
- title: Additional security features in Windows 10
items:
- type: paragraph
text: 'These additional security features are also built in to Windows 10 Enterprise.'
- type: list
style: unordered
items:
- html: <a href="/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security">Windows Defender Firewall</a>
- html: <a href="/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard">Windows Defender Exploit Guard</a>
- html: <a href="/windows/security/identity-protection/credential-guard/credential-guard">Windows Defender Credential Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control">Windows Defender Application Control</a>
- html: <a href="/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview">Windows Defender Application Guard</a>
- html: <a href="/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview">Windows Defender SmartScreen</a>
- html: <a href="/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center">Windows Defender Security Center</a>
- title: Security Resources
items:
- type: list
style: unordered
items:
- html: <a href="https://www.microsoft.com/wdsi">Windows Defender Security Intelligence</a>
- html: <a href="https://cloudblogs.microsoft.com/microsoftsecure/">Microsoft Secure blog</a>
- html: <a href="https://portal.msrc.microsoft.com/">Security Update blog</a>
- html: <a href="https://technet.microsoft.com/security/dn440717.aspx(d=robot)">Microsoft Security Response Center (MSRC)</a>
- html: <a href="https://blogs.technet.microsoft.com/msrc/">MSRC Blog</a>
- html: <a href="https://www.microsoft.com/wdsi/threats/ransomware">Ransomware FAQ</a>
text: "
Prevent, detect, investigate, and respond to advanced threats. The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
<br>&nbsp;<br>
<table border='0'><tr><td><b>Attack surface reduction</b></td><td><b>Next generation protection</b></td><td><b>Endpoint detection and response</b></td><td><b>Auto investigation and remediation</b></td><td><b>Security posture</b></td></tr>
<tr><td>[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows)<br><br>[Application control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br>[Exploit protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br>[Network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br>[Device restrictions](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)<br><br>[Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard)<br><br>[Network firewall](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security)<br><br>[Attack surface reduction controls](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)</td>
<td>[Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)<br><br>[Machine learning](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus)<br><br>[Automated sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus)</td>
<td>[Alerts queue](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection)<br><br>[Historical endpoint data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline)<br><br>[Realtime and historical threat hunting](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection)<br><br>[API and SIEM integration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection)<br><br>[Response orchestration](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection)<br><br>[Forensic collection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines)<br><br>[Threat intelligence](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br>[Advanced detonation and analysis service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis)</td>
<td>[Automated investigation and remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection)<br><br>[Threat remediation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#how-threats-are-remediated)<br><br>[Manage automated investigations](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#manage-automated-investigations)<br><br>[Analyze automated investigation](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection#analyze-automated-investigations)</td>
<td>[Asset inventory](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Operating system baseline compliance](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Recommended improvement actions](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Secure score](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection)<br><br>[Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection)<br><br>[Reporting and trends](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)</td>
</tr>
</table>"
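Review bot: The links in the new table mix locale-pinned `docs.microsoft.com/en-us/...` URLs with locale-neutral `docs.microsoft.com/windows/...` ones, sometimes within the same cell. Drop `/en-us/` throughout so readers are routed to their own locale. In the Security posture column, Asset inventory, Operating system baseline compliance, Recommended improvement actions and Secure score all point to the same secure-score-dashboard page; if that is intentional, consider adding anchors or collapsing the entries so each one lands somewhere distinct.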

File diff suppressed because it is too large

Binary file not shown.


View File

@ -10,19 +10,27 @@ ms.date: 02/05/2018
---
# Threat Protection
Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.
![Windows Defender ATP components](images/wdatp-pillars2.png)
The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
**Attack surface reduction**<br>
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
**Next generation protection**<br>
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
**Endpoint protection and response**<br>
Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
**Auto investigation and remediation**<br>
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
**Security posture**<br>
Windows Defender ATP provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
| Section | Description |
|-|-|
|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
|[Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
|[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
|[Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-intrusion-detection.md) |Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. |
|[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) |Provides info about how to help protect your company from attacks which may originate from untrusted or attacker controlled font files. |
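Review bot: The third pillar is headed "Endpoint protection and response" here, while the landing-page table changed in this same commit calls it "Endpoint detection and response"; pick one name and use it in both places. While in this text, "these set of capabilities resist attacks" should read "this set of capabilities resists attacks", and "automates security incidents" in the opening paragraph presumably means automating the investigation of, or response to, security incidents.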

View File

@ -1,4 +1,4 @@
# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
# [Windows Defender Security Center](windows-defender-security-center-atp.md)
##Get started
### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
@ -21,7 +21,7 @@
### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
## [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
## [Understand the portal](use-windows-defender-advanced-threat-protection.md)
### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
@ -165,7 +165,7 @@
### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
## [Configure Windows Defender ATP Settings](preferences-setup-windows-defender-advanced-threat-protection.md)
## [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md)
###General
#### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
@ -193,9 +193,9 @@
#### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
## [Configure Windows Defender ATP time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
## [Configure Windows Defender Security Center zone settings](time-settings-windows-defender-advanced-threat-protection.md)
## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
## [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
## [Troubleshoot Windows Defender ATP service issues](troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
## [Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md)
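Review bot: The renamed entry "Configure Windows Defender Security Center zone settings" lost the word "time". The target is still time-settings-windows-defender-advanced-threat-protection.md, so the title should read "Configure Windows Defender Security Center time zone settings".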

View File

@ -71,7 +71,7 @@ When you complete the integration steps on both portals, you'll be able to see r
## Office 365 Threat Intelligence connection
This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Windows Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
>[!NOTE]
>You'll need to have the appropriate license to enable this feature.

View File

@ -134,7 +134,7 @@ These steps guide you on modifying and overwriting an existing query.
The result set has several capabilities to provide you with effective investigation, including:
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in the Windows Defender ATP portal.
- Columns that return entity-related objects, such as Machine name, Machine ID, File name, SHA1, User, IP, and URL, are linked to their entity pages in Windows Defender Security Center.
- You can right-click on a cell in the result set and add a filter to your written query. The current filtering options are **include**, **exclude** or **advanced filter**, which provides additional filtering options on the cell value. These cell values are part of the row set.
![Image of Windows Defender ATP Advanced hunting result set](images/atp-advanced-hunting-results-filter.png)

View File

@ -1,6 +1,6 @@
---
title: Windows Defender ATP alert API fields
description: Understand how the alert API fields map to the values in the Windows Defender ATP portal.
description: Understand how the alert API fields map to the values in Windows Defender Security Center
keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
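Review bot: The new `description:` value drops the trailing period that the old line had ("...values in Windows Defender Security Center"). Restore it so the sentence-style metadata stays punctuated the same way before and after the rename.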
@ -28,7 +28,7 @@ ms.date: 10/16/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
## Alert API fields and portal mapping

View File

@ -1,5 +1,5 @@
---
title: Assign user access to the Windows Defender ATP portal
title: Assign user access to Windows Defender Security Center
description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal.
keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles
search.product: eADQiWindows 10XVcnh
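Review bot: The `title:` now says Windows Defender Security Center, but the `description:` on the next line still refers to "the Windows Defender Advanced Threat Protection portal". Update the description in the same change so the page metadata matches the renamed title and heading.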
@ -13,7 +13,7 @@ ms.localizationpriority: medium
ms.date: 04/24/2018
---
# Assign user access to the Windows Defender ATP portal
# Assign user access to Windows Defender Security Center
**Applies to:**
- Windows 10 Enterprise

View File

@ -30,7 +30,7 @@ There are several spaces you can explore to learn about specific information:
There are several ways you can access the Community Center:
- In the Windows Defender ATP portal navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page.
- In the Windows Defender Security Center navigation pane, select **Community center**. A new browser tab opens and takes you to the Windows Defender ATP Tech Community page.
- Access the community through the [Windows Defender Advanced Threat Protection Tech Community](https://techcommunity.microsoft.com/t5/Windows-Defender-Advanced-Threat/ct-p/WindowsDefenderAdvanced) page

View File

@ -88,13 +88,13 @@ You need to make sure that all your devices are enrolled in Intune. You can use
There are steps you'll need to take in the Windows Defender ATP portal, the Intune portal, and Azure AD portal.
There are steps you'll need to take in Windows Defender Security Center, the Intune portal, and Azure AD portal.
> [!NOTE]
> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
Take the following steps to enable conditional access:
- Step 1: Turn on the Microsoft Intune connection from the Windows Defender ATP portal
- Step 1: Turn on the Microsoft Intune connection from Windows Defender Security Center
- Step 2: Turn on the Windows Defender ATP integration in Intune
- Step 3: Create the compliance policy in Intune
- Step 4: Assign the policy

View File

@ -1,6 +1,6 @@
---
title: Configure HP ArcSight to pull Windows Defender ATP alerts
description: Configure HP ArcSight to receive and pull alerts from the Windows Defender ATP portal.
description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center
keywords: configure hp arcsight, security information and events management tools, arcsight
search.product: eADQiWindows 10XVcnh
ms.prod: w10

View File

@ -34,7 +34,7 @@ ms.date: 04/24/2018
> To use Group Policy (GP) updates to deploy the package, you must be on Windows Server 2008 R2 or later.
## Onboard machines using Group Policy
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -64,7 +64,7 @@ ms.date: 04/24/2018
> After onboarding the machine, you can choose to run a detection test to verify that the machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
## Additional Windows Defender ATP configuration settings
For each machine, you can state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
For each machine, you can state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can use Group Policy (GP) to configure settings, such as settings for the sample sharing used in the deep analysis feature.
@ -120,7 +120,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -154,7 +154,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
With Group Policy there isnt an option to monitor deployment of policies on the machines. Monitoring can be done directly on the portal, or by using the different deployment tools.
## Monitor machines using the portal
1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/).
1. Go to [Windows Defender Security Center](https://securitycenter.windows.com/).
2. Click **Machines list**.
3. Verify that machines are appearing.

View File

@ -54,7 +54,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
- **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service.
- **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis.
- **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently.
- **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from the Windows Defender ATP portal, and add it. Otherwise, skip this property.
- **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property.
7. Select **OK**, and **Create** to save your changes, which creates the profile.
@ -62,7 +62,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
### Onboard and monitor machines using the classic Intune console
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -145,7 +145,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.

View File

@ -24,7 +24,7 @@ ms.date: 04/24/2018
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products sensor data.
Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products sensor data.
You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
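Review bot: The rewritten sentence carries over the broken phrasing "This experience leverages on a third-party security products sensor data." Since the line is being touched anyway, fix it in the same edit, for example "This experience leverages sensor data from third-party security products."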

View File

@ -47,7 +47,7 @@ You can use existing System Center Configuration Manager functionality to create
### Onboard machines using System Center Configuration Manager
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -70,7 +70,7 @@ You can use existing System Center Configuration Manager functionality to create
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP machine](run-detection-test-windows-defender-advanced-threat-protection.md).
### Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can set a compliance rule for configuration item in System Center Configuration Manager to change the sample share setting on a machine.
This rule should be a *remediating* compliance rule configuration item that sets the value of a registry key on targeted machines to make sure theyre complaint.
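Review bot: the context line directly under the renamed sentence reads "to make sure theyre complaint", which should be "they're compliant"; for a remediating compliance rule the misspelling changes the meaning. Worth fixing in the same pass, together with "an machine" in the detection-test note at the top of this hunk.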
@ -125,7 +125,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.

View File

@ -34,7 +34,7 @@ You can also manually onboard individual machines to Windows Defender ATP. You m
> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Onboard Window 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md).
## Onboard machines
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
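Review bot: step 1 says "Open the GP configuration package .zip file", but the surrounding context is the manual, script-based topic ("You can also manually onboard individual machines", "The script has been optimized to be used on a limited number of machines"), so the package name looks copied from the Group Policy topic. Since the line is being rewritten anyway, name the package for this deployment method, and correct "Onboard Window 10 machines" in the note above to "Windows 10".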
@ -66,7 +66,7 @@ For information on how you can manually validate that the machine is compliant a
> After onboarding the machine, you can choose to run a detection test to verify that an machine is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).
## Configure sample collection settings
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through the Windows Defender ATP portal to submit a file for deep analysis.
For each machine, you can set a configuration value to state whether samples can be collected from the machine when a request is made through Windows Defender Security Center to submit a file for deep analysis.
You can manually configure the sample sharing setting on the machine by using *regedit* or creating and running a *.reg* file.
@ -92,7 +92,7 @@ For security reasons, the package used to Offboard machines will expire 30 days
> [!NOTE]
> Onboarding and offboarding policies must not be deployed on the same machine at the same time, otherwise this will cause unpredictable collisions.
1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Get the offboarding package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Offboarding**.
@ -126,7 +126,7 @@ You can follow the different verification steps in the [Troubleshoot onboarding
Monitoring can also be done directly on the portal, or by using the different deployment tools.
### Monitor machines using the portal
1. Go to the Windows Defender ATP portal.
1. Go to Windows Defender Security Center.
2. Click **Machines list**.
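Review bot: step 1 now says "Go to Windows Defender Security Center", but the heading above it is still "### Monitor machines using the portal" and the preceding sentence still says "directly on the portal". Either keep "portal" as an accepted short form and say so once, or rename the heading and lead-in too, so readers do not assume two different consoles.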

View File

@ -38,7 +38,7 @@ You can onboard VDI machines using a single entry or multiple entries for each m
>[!WARNING]
> For environments where there are low resource configurations, the VDI boot proceedure might slow the Windows Defender ATP sensor onboarding.
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/):
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/):
a. In the navigation pane, select **Settings** > **Onboarding**.
@ -78,8 +78,8 @@ You can onboard VDI machines using a single entry or multiple entries for each m
d. Logon to machine with another user.
e. **For single entry for each machine**: Check only one entry in the Windows Defender ATP portal.<br>
**For multiple entries for each machine**: Check multiple entries in the Windows Defender ATP portal.
e. **For single entry for each machine**: Check only one entry in Windows Defender Security Center.<br>
**For multiple entries for each machine**: Check multiple entries in Windows Defender Security Center.
7. Click **Machines list** on the Navigation pane.

View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 07/12/2018
---
# Onboard Windows 10 machines
@ -27,7 +27,7 @@ ms.date: 04/24/2018
Machines in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the machines in your organization.
Windows Defender ATP supports the following deployment tools and methods:
The following deployment tools and methods are supported:
- Group Policy
- System Center Configuration Manager

View File

@ -91,9 +91,9 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | Microsoft.com DNS record
:---|:---
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```
US | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
Europe | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
UK | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
European Union | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
United Kingdom | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
United States | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
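Review bot: the three regional rows are renamed and reordered in one step, so the diff shows every regional row as changed even though the hostnames in each row are identical to before. Proxy and firewall allowlists are built from this table, so state in the commit message that no endpoint changed, or split the relabel from the reorder. While here, normalize the spacing around "<br>" in the cells, which is inconsistent between rows.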

View File

@ -27,7 +27,7 @@ ms.date: 05/08/2018
Windows Defender ATP extends support to also include the Windows Server operating system, providing advanced attack detection and investigation capabilities, seamlessly through the Windows Defender Security Center console.
Windows Defender ATP supports the onboarding of the following servers:
The service supports the onboarding of the following servers:
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server, version 1803

View File

@ -57,6 +57,6 @@ Topic | Description
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Settings** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to Windows Defender Security Center.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.

View File

@ -1,6 +1,6 @@
---
title: Configure Splunk to pull Windows Defender ATP alerts
description: Configure Splunk to receive and pull alerts from the Windows Defender ATP portal.
description: Configure Splunk to receive and pull alerts from Windows Defender Security Center.
keywords: configure splunk, security information and events management tools, splunk
search.product: eADQiWindows 10XVcnh
ms.prod: w10

View File

@ -135,7 +135,7 @@ Content-Type: application/json;
}
```
The following values correspond to the alert sections surfaced on the Windows Defender ATP portal:
The following values correspond to the alert sections surfaced on Windows Defender Security Center:
![Image of alert from the portal](images/atp-custom-ti-mapping.png)
Highlighted section | JSON key name

View File

@ -27,7 +27,7 @@ ms.date: 04/24/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablecustomti-abovefoldlink)
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through the Windows Defender ATP portal.
Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application through Windows Defender Security Center.
1. In the navigation pane, select **Settings** > **Threat intel**.

View File

@ -27,7 +27,7 @@ ms.date: 04/24/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink)
Enable security information and event management (SIEM) integration so you can pull alerts from the Windows Defender ATP portal using your SIEM solution or by connecting directly to the alerts REST API.
Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API.
1. In the navigation pane, select **Settings** > **SIEM**.
@ -55,7 +55,7 @@ Enable security information and event management (SIEM) integration so you can p
> [!NOTE]
> You'll need to generate a new Refresh token every 90 days.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center.

View File

@ -139,7 +139,7 @@ This step will guide you in simulating an event in connection to a malicious IP
## Step 4: Explore the custom alert in the portal
This step will guide you in exploring the custom alert in the portal.
1. Open the [Windows Defender ATP portal](http://securitycenter.windows.com/) on a browser.
1. Open [Windows Defender Security Center](http://securitycenter.windows.com/) on a browser.
2. Log in with your Windows Defender ATP credentials.
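Review bot: the renamed link in step 1 still points to "http://securitycenter.windows.com/" while every other reference to the same site in this commit uses "https://". The next step asks the reader to log in with credentials, so the documented entry point should be the HTTPS URL; change the scheme in the same edit.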

View File

@ -37,7 +37,7 @@ An inactive machine is not necessarily flagged due to an issue. The following ac
If the machine has not been in use for more than 7 days for any reason, it will remain in an Inactive status in the portal.
**Machine was reinstalled or renamed**</br>
A reinstalled or renamed machine will generate a new machine entity in Windows Defender ATP portal. The previous machine entity will remain with an Inactive status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
A reinstalled or renamed machine will generate a new machine entity in Windows Defender Security Center. The previous machine entity will remain with an Inactive status in the portal. If you reinstalled a machine and deployed the Windows Defender ATP package, search for the new machine name to verify that the machine is reporting normally.
**Machine was offboarded**</br>
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive.

Binary file not shown.

After

Width:  |  Height:  |  Size: 81 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 63 KiB

After

Width:  |  Height:  |  Size: 64 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 149 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 140 KiB

View File

@ -50,9 +50,9 @@ To gain access into which licenses are provisioned to your company, and to check
![Image of O365 admin portal](images\atp-O365-admin-portal-customer.png)
## Access the Windows Defender ATP portal for the first time
## Access Windows Defender Security Center for the first time
When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created.
When accessing [Windows Defender Security Center](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created.
1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
@ -64,7 +64,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
![Image of Welcome screen for portal set up](images\atp-portal-welcome-screen.png)
You will need to set up your preferences for the Windows Defender ATP portal.
You will need to set up your preferences for Windows Defender Security Center.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
@ -108,11 +108,11 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
8. You will receive a warning notifying you that you won't be able to change some of your preferences once you click **Continue**.
> [!NOTE]
> Some of these options can be changed at a later time in the Windows Defender ATP portal.
> Some of these options can be changed at a later time in Windows Defender Security Center.
![Image of final preference set up](images\atp-final-preference-setup.png)
9. A dedicated cloud instance of the Windows Defender ATP portal is being created at this time. This step will take an average of 5 minutes to complete.
9. A dedicated cloud instance of Windows Defender Security Center portal is being created at this time. This step will take an average of 5 minutes to complete.
![Image of Windows Defender ATP cloud instance](images\atp-windows-cloud-instance-creation.png)
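Review bot: step 9 now reads "A dedicated cloud instance of Windows Defender Security Center portal is being created", which keeps a leftover "portal" from the old name and disagrees with the introduction in this same file ("a dedicated cloud instance of Windows Defender ATP created"). The instance belongs to the service, not the console, so suggest "A dedicated cloud instance of Windows Defender ATP is being created at this time."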

View File

@ -57,7 +57,7 @@ Whenever a change or comment is made to an alert, it is recorded in the **Commen
Added comments instantly appear on the pane.
## Suppress alerts
There might be scenarios where you need to suppress alerts from appearing in the Windows Defender ATP portal. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
There might be scenarios where you need to suppress alerts from appearing in Windows Defender Security Center. Windows Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.
Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.

View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 06/15/2018
ms.localizationpriority: high
ms.date: 07/01/2018
---
# Minimum requirements for Windows Defender ATP
@ -23,17 +23,11 @@ ms.date: 06/15/2018
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
There are some minimum requirements for onboarding machines to the service.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink)
## Minimum requirements
You must be on Windows 10, version 1607 at a minimum.
For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
### Licensing requirements
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
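Review bot: the version floor ("You must be on Windows 10, version 1607 at a minimum.") appears to leave this topic together with the "## Minimum requirements" heading, while the page title stays "Minimum requirements for Windows Defender ATP". If that sentence is being removed, confirm the onboarding topic states the same minimum version, or keep the sentence under the new introductory line; otherwise the requirement is documented nowhere in the lines this commit touches.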
@ -42,105 +36,7 @@ Windows Defender Advanced Threat Protection requires one of the following Micros
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
### Browser requirements
Internet Explorer and Microsoft Edge are supported. Any HTML5 compliant browsers are also supported.
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
> - You cannot change your data storage location after the first-time setup.
> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
### Hardware and software requirements
The Windows Defender ATP agent only supports the following editions of Windows 10:
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
Machines on your network must be running one of these editions.
The hardware requirements for Windows Defender ATP on machines is the same as those for the supported editions.
> [!NOTE]
> Machines that are running mobile versions of Windows are not supported.
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
<span id="telemetry-and-diagnostics-settings" />
### Diagnostic data settings
You must ensure that the diagnostic data service is enabled on all the machines in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the machine:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc qc diagtrack
```
## Windows Defender Antivirus signature updates are configured
The Windows Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them.
You must configure the signature updates on the Windows Defender ATP machines whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).
When Windows Defender Antivirus is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender Antivirus goes on passive mode. If your organization has disabled Windows Defender Antivirus through group policy or other methods, machines that are onboarded to Windows Defender ATP must be excluded from this group policy.
Depending on the server version you're onboarding, you might need to configure a Group Policy setting to run on passive mode. For more information, see [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md).
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
## Related topic
- [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
- [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
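Review bot: the hunk header (-42,105 +36,7) leaves only seven lines of this span, so the "<span id="telemetry-and-diagnostics-settings" />" anchor and the headings for diagnostic data, signature updates and the ELAM driver leave this page; any link that targets those anchors on the minimum-requirements topic will stop resolving. Check inbound links before merging, or leave a short pointer to the onboarding topic. "### Browser requirements" is also not among the lines added to the onboarding topic in this commit; confirm it is kept somewhere.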

View File

@ -9,8 +9,8 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 06/19/2018
ms.localizationpriority: high
ms.date: 07/01/2018
---
# Onboard machines to the Windows Defender ATP service
@ -18,14 +18,14 @@ ms.date: 06/19/2018
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
You need to onboard machines to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 machines to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
[!include[Prerelease information](prerelease.md)]
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
@ -60,11 +60,77 @@ The hardware requirements for Windows Defender ATP on machines is the same as th
### Other supported operating systems
- macOSX
- Linux
>[!NOTE]
>You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work.
- macOS X
- Linux
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter.
> [!NOTE]
> - You cannot change your data storage location after the first-time setup.
> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
<span id="telemetry-and-diagnostics-settings" />
### Diagnostic data settings
You must ensure that the diagnostic data service is enabled on all the machines in your organization.
By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them.
**Use the command line to check the Windows 10 diagnostic data service startup type**:
1. Open an elevated command-line prompt on the machine:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc qc diagtrack
```
If the service is enabled, then the result should look like the following screenshot:
![Result of the sc query command for diagtrack](images/windefatp-sc-qc-diagtrack.png)
If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 diagnostic data service to automatically start:**
1. Open an elevated command-line prompt on the endpoint:
a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
2. Enter the following command, and press **Enter**:
```text
sc config diagtrack start=auto
```
3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
```text
sc qc diagtrack
```
#### Internet connectivity
Internet connectivity on machines is required either directly or through proxy.
The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data.
For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10.
## Windows Defender Antivirus configuration requirement
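Review bot: "#### Internet connectivity" lands as a level-4 heading directly after the "### Diagnostic data settings" steps, so it now renders as a subsection of diagnostic data settings; in the minimum-requirements topic it sat under "### Hardware and software requirements". Promote it to "###" or move it back under the hardware section. Its closing sentence, "Before you onboard machines, the diagnostic data service must be enabled.", now follows the full diagnostic data procedure and only repeats it; drop it or move it ahead of that section.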
@ -79,14 +145,19 @@ If you are onboarding servers and Windows Defender Antivirus is not the active a
For more information, see [Windows Defender Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
## Windows Defender Antivirus Early Launch Antimalware (ELAM) driver is enabled
If you're running Windows Defender Antivirus as the primary antimalware product on your machines, the Windows Defender ATP agent will successfully onboard.
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender Antivirus ELAM driver is enabled. For more information, see [Ensure that Windows Defender Antivirus is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
## In this section
Topic | Description
:---|:---
[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)| Onboard Windows 7 and Windows 8.1 machines to Windows Defender ATP.
[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP.
[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in the Windows Defender ATP portal and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md) | You'll need to onboard machines for it to report to the Windows Defender ATP service. Learn about the tools and methods you can use to configure machines in your enterprise.
[Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md) | Onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP
[Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md) | Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products' sensor data.
[Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md) | Run a script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service.
[Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings.
[Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding.
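Review bot: In the "In this section" table, the Onboard non-Windows machines row reads "This experience leverages on a third-party security products' sensor data" in both the portal wording and the Windows Defender Security Center wording, so the rename carries the grammar error forward. Suggest "This experience leverages sensor data from third-party security products." The Onboard servers row also appears once with and once without its closing period, and "onboard machines for it to report" should read "for them to report".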

View File

@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection portal overview
description: Use the Windows Defender ATP portal to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
keywords: Windows Defender ATP portal, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches.
keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
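Review bot: The front-matter title still reads "Windows Defender Advanced Threat Protection portal overview" while the description and keywords directly below it switch to Windows Defender Security Center. Rename the title in the same change so the search title and the body agree, or note why the old name is kept.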
@ -27,14 +27,14 @@ ms.date: 04/24/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-portaloverview-abovefoldlink)
Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
Enterprise security teams can use Windows Defender Security Center to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
You can use [Windows Defender Security Center](https://securitycenter.windows.com/) to:
- View, sort, and triage alerts from your endpoints
- Search for more information on observed indicators such as files and IP Addresses
- Change Windows Defender ATP settings, including time zone and review licensing information.
## Windows Defender ATP portal
## Windows Defender Security Center
When you open the portal, youll see the main areas of the application:
![Windows Defender Advanced Threat Protection portal](images/dashboard.png)
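Review bot: The image alt text on the last line still says "Windows Defender Advanced Threat Protection portal" although the heading two lines above is renamed to Windows Defender Security Center; update the alt text together with the heading. In the bullet list, the third item ends with a period and the first two do not, and "IP Addresses" should be "IP addresses".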

View File

@ -35,7 +35,7 @@ You can easily get started by:
- Creating a dashboard on the Power BI service
- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
You can access these options from the Windows Defender ATP portal. Both the Power BI service and Power BI Desktop are supported.
You can access these options from Windows Defender Security Center. Both the Power BI service and Power BI Desktop are supported.
## Create a Windows Defender ATP dashboard on Power BI service
Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.

View File

@ -1,5 +1,5 @@
---
title: Configure Windows Defender ATP settings
title: Configure Windows Defender Security Center settings
description: Use the settings page to configure general settings, permissions, apis, and rules.
keywords: settings, general settings, permissions, apis, rules
search.product: eADQiWindows 10XVcnh
@ -12,7 +12,7 @@ author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
---
# Configure Windows Defender ATP settings
# Configure Windows Defender Security Center settings
**Applies to:**

View File

@ -1,6 +1,6 @@
---
title: Pull Windows Defender ATP alerts using REST API
description: Pull alerts from the Windows Defender ATP portal REST API.
description: Pull alerts from Windows Defender ATP REST API.
keywords: alerts, pull alerts, rest api, request, response
search.product: eADQiWindows 10XVcnh
ms.prod: w10
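Review bot: In the description line, removing "portal" also removed the article, leaving "Pull alerts from Windows Defender ATP REST API." Suggest "Pull alerts from the Windows Defender ATP REST API."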

View File

@ -1,5 +1,5 @@
---
title: Use role-based access control to grant fine-grained access to the Windows Defender ATP portal
title: Use role-based access control to grant fine-grained access to Windows Defender Security Center
description: Create roles and groups within your security operations to grant access to the portal.
keywords: rbac, role, based, access, control, groups, control, tier, aad
search.product: eADQiWindows 10XVcnh
@ -57,12 +57,12 @@ Before using RBAC, it's important that you understand the roles that can grant p
> [!WARNING]
> Before enabling the feature, it's important that you have a Global Administrator role or Security Administrator role in Azure AD and that you have your Azure AD groups ready to reduce the risk of being locked out of the portal.
When you first log in to the Windows Defender ATP portal, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
When you first log in to Windows Defender Security Center, you're granted either full access or read only access. Full access rights are granted to users with Security Administrator or Global Administrator roles in Azure AD. Read only access is granted to users with a Security Reader role in Azure AD.
Someone with a Windows Defender ATP Global administrator role has unrestricted access to all machines, regardless of their machine group association and the Azure AD user groups assignments
> [!WARNING]
> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in the Windows Defender ATP portal, therefore, having the right groups ready in Azure AD is important.
> Initially, only those with Azure AD Global Administrator or Security Administrator rights will be able to create and assign roles in Windows Defender Security Center, therefore, having the right groups ready in Azure AD is important.
>
> **Turning on role-based access control will cause users with read-only permissions (for example, users assigned to Azure AD Security reader role) to lose access until they are assigned to a role.**
>
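Review bot: The second warning joins two sentences with ", therefore," and the paragraph before it ("Someone with a Windows Defender ATP Global administrator role ... user groups assignments") has no closing period and lowercases "administrator" where the rest of the hunk writes "Global Administrator". This text is what an admin reads before a change that can lock users out of the portal, so it should be unambiguous: split the warning into two sentences, and pick one spelling, since the hunk has both "read only access" and "read-only permissions".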

View File

@ -1,7 +1,7 @@
---
title: Windows Defender Advanced Threat Protection time zone settings
title: Windows Defender Security Center time zone settings
description: Use the menu to configure the time zone and view license information.
keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -13,7 +13,7 @@ ms.localizationpriority: medium
ms.date: 02/13/2018
---
# Windows Defender Advanced Threat Protection time zone settings
# Windows Defender Security Center time zone settings
**Applies to:**
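Review bot: ms.date stays at 02/13/2018 in this hunk although the H1 below it changes. Other files in this commit bump ms.date (for example to 07/12/2018), so either bump it here or confirm that a rename does not count as a content update.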

View File

@ -29,11 +29,11 @@ ms.date: 11/28/2017
This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service.
If you receive an error message, the Windows Defender ATP portal will provide a detailed explanation on what the issue is and relevant links will be supplied.
If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied.
## No subscriptions found
If while accessing the Windows Defender ATP portal you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license.
Potential reasons:
- The Windows E5 and Office E5 licenses are separate licenses.
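Review bot: In the No subscriptions found paragraph, "used to login the user to the portal, does not have" keeps the noun "login" as a verb and puts a comma between subject and verb. Suggest "used to log the user in to the portal does not have a Windows Defender ATP license". The sentence also still says "the portal" right after the rename to Windows Defender Security Center; decide whether "portal" remains the generic term and apply that consistently.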
@ -48,7 +48,7 @@ For both cases you should contact Microsoft support at [General Windows Defender
## Your subscription has expired
If while accessing the Windows Defender ATP portal you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date.
You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license.

View File

@ -1,5 +1,5 @@
---
title: Troubleshoot Windows Defender Advanced Threat Protection
title: Troubleshoot Windows Defender Advanced Threat Protection service issues
description: Find solutions and work arounds to known issues such as server errors when trying to access the service.
keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer
search.product: eADQiWindows 10XVcnh
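Review bot: The new title is "Troubleshoot Windows Defender Advanced Threat Protection service issues", but the H1 set in the next hunk is "Troubleshoot service issues"; make the two match or confirm the short H1 is deliberate. In the description, "work arounds" should be "workarounds".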
@ -10,17 +10,12 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/23/2017
ms.date: 07/12/2017
---
# Troubleshoot Windows Defender Advanced Threat Protection
# Troubleshoot service issues
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
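Review bot: The ms.date line goes from 10/23/2017 to 07/12/2017, which moves the date backwards. Another file in this commit sets ms.date: 07/12/2018, so this looks like a typo for 2018. Please also confirm that dropping the Windows 10 edition entries from the Applies to list is intended for a troubleshooting page that is still keyed to Windows 10 in search.product.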
@ -32,7 +27,7 @@ If you encounter a server error when trying to access the service, youll need
Configure your browser to allow cookies.
### Elements or data missing on the portal
If some UI elements or data is missing on the Windows Defender ATP portal its possible that proxy settings are blocking it.
If some UI elements or data is missing on Windows Defender Security Center its possible that proxy settings are blocking it.
Make sure that `*.securitycenter.windows.com` is included the proxy whitelist.
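Review bot: The context line after the edited sentence reads "is included the proxy whitelist", missing "in"; fix it while touching this paragraph. The edited sentence also has a subject-verb mismatch ("some UI elements or data is missing"); suggest "are missing". Since this line tells admins to allow a wildcard host through the proxy, it would help to state that the entry is `*.securitycenter.windows.com` only and nothing broader.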

View File

@ -36,7 +36,7 @@ You can use the code examples to guide you in creating calls to the custom threa
Topic | Description
:---|:---
[Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) | Understand the concepts around threat intelligence so that you can effectively create custom intelligence for your organization.
[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through the Windows Defender ATP portal so that you can create custom threat intelligence (TI) using REST API.
[Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Set up the custom threat intelligence application through Windows Defender Security Center so that you can create custom threat intelligence (TI) using REST API.
[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.

View File

@ -1,6 +1,6 @@
---
title: Use the Windows Defender Advanced Threat Protection portal
description: Learn about the features on Windows Defender ATP portal, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks.
keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa
search.product: eADQiWindows 10XVcnh
ms.prod: w10
@ -27,7 +27,7 @@ ms.date: 03/12/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards.
You can use Windows Defender Security Center to carry out an end-to-end security breach investigation through the dashboards.
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.

View File

@ -1,6 +1,6 @@
---
title: Windows Defender Advanced Threat Protection
description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
title: Windows Defender Advanced Threat Protection
description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats.
keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
search.product: eADQiWindows 10XVcnh
ms.prod: w10
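Review bot: The title line appears as both removed and added with identical visible text, so the change is whitespace only; drop it from the diff unless it removes a trailing space on purpose. In the new description, "helps secops to prevent" uses team jargon in metadata that surfaces in search results; suggest "helps security operations teams prevent, detect, investigate, and respond to".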
@ -9,18 +9,13 @@ ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.localizationpriority: high
ms.date: 07/12/2018
---
# Windows Defender Advanced Threat Protection
**Applies to:**
- Windows 10 Enterprise
- Windows 10 Education
- Windows 10 Pro
- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -29,78 +24,22 @@ ms.date: 04/24/2018
>
>For more info about Windows 10 Enterprise Edition features and functionality, see [Windows 10 Enterprise edition](https://www.microsoft.com/WindowsForBusiness/buy).
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see [Windows Defender ATP for Windows 10 Creators Update](https://technet.microsoft.com/en-au/windows/mt782787).
To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors
collect and process behavioral signals from the operating system
(for example, process, registry, file, and network communications)
and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP.
- **Cloud security analytics**: Leveraging big-data, machine-learning, and
unique Microsoft optics across the Windows ecosystem (such as the
[Microsoft Malicious Software Removal Tool](https://www.microsoft.com/en-au/download/malicious-software-removal-tool-details.aspx),
enterprise cloud products (such as Office 365), and online assets
(such as Bing and SmartScreen URL reputation), behavioral signals
are translated into insights, detections, and recommended responses
to advanced threats.
- **Threat intelligence**: Generated by Microsoft hunters, security teams,
and augmented by threat intelligence provided by partners, threat
intelligence enables Windows Defender ATP to identify attacker
tools, techniques, and procedures, and generate alerts when these
are observed in collected sensor data.
![Windows Defender ATP service component](images/components.png)
Machine investigation capabilities in this service let you drill down
into security alerts and understand the scope and nature of a potential
breach. You can submit files for deep analysis and receive the results
without leaving the [Windows Defender ATP portal](https://securitycenter.windows.com). The automated investigation and remediation capability reduces the volume of alerts by leveraging various inspection algorithms to resolve breaches.
Windows Defender ATP works with existing Windows security technologies
on machines, such as Windows Defender Antivirus, AppLocker, and Windows Defender Device Guard. It
can also work side-by-side with third-party security solutions and
antimalware products.
Windows Defender ATP leverages Microsoft technology and expertise to
detect sophisticated cyber-attacks, providing:
- Behavior-based, cloud-powered, advanced attack detection
Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on machines.
- Rich timeline for forensic investigation and mitigation
Easily investigate the scope of breach or suspected behaviours on any machine through a rich machine timeline. File, URLs, and network connection inventory across the network. Gain additional insight using deep collection and analysis (“detonation”) for any file or URLs.
- Built in unique threat intelligence knowledge base
Unparalleled threat optics provides actor details and intent context for every threat intel-based detection combining first and third-party intelligence sources.
- Automated investigation and remediation
Significantly reduces alert volume by leveraging inspection algorithms used by analysts to examine alerts and take remediation action.
The Windows Defender ATP platform is where all the capabilities that are available across multiple products come together to give security operations teams the ability to effectively manage their organization's network.
## In this section
Topic | Description
:---|:---
Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from the Windows Defender ATP portal.
Reporting | Create and build Power BI reports using Windows Defender ATP data.
Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
[Configure Windows Defender settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
[Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Understand how Windows Defender Antivirus integrates with Windows Defender ATP.
[Windows Defender Security Center](windows-defender-security-center-atp.md) | Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Windows Defender Antivirus is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
[Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard) | Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees.
[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) | Windows Defender Application Control (WDAC) can help mitigate security threats by restricting the applications that users are allowed to run and the code that runs in the System Core (kernel).
[Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) | Windows Defender Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
## Related topic
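Review bot: This hunk shrinks the overview from 78 lines to 22, and the text describing the endpoint behavioral sensors, including that sensor data is sent to "your private, isolated, cloud instance of Windows Defender ATP", no longer has a home on this page. That sentence is the data-handling statement readers look for, so keep it here or link to the data storage and privacy topic from the new intro. The new table mixes link styles (one relative .md link, four absolute docs.microsoft.com links), and the hunk ends on a "## Related topic" heading; check that it still has content under it.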

View File

@ -0,0 +1,38 @@
---
title: Windows Defender Security Center
description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection.
keywords: windows, defender, security, center, defender, advanced, threat, protection
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 07/01/2018
---
# Windows Defender Security Center
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. It gives enterprise security operations teams a single pane of glass experience to help secure networks.
## In this section
Topic | Description
:---|:---
Get started | Learn about the minimum requirements, validate licensing and complete setup, know about preview features, understand data storage and privacy, and how to assign user access to the portal.
[Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) | Learn about onboarding client, server, and non-Windows machines. Learn how to run a detection test, configure proxy and Internet connectivity settings, and how to troubleshoot potential onboarding issues.
[Understand the portal](use-windows-defender-advanced-threat-protection.md) | Understand the Security operations, Secure Score, and Threat analytics dashboards as well as how to navigate the portal.
Investigate and remediate threats | Investigate alerts, machines, and take response actions to remediate threats.
API and SIEM support | Use the supported APIs to pull and create custom alerts, or automate workflows. Use the supported SIEM tools to pull alerts from Windows Defender Security Center.
Reporting | Create and build Power BI reports using Windows Defender ATP data.
Check service health and sensor state | Verify that the service is running and check the sensor state on machines.
[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure general settings, turn on the preview experience, notifications, and enable other features.
[Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md) | Access the Windows Defender ATP Community Center to learn, collaborate, and share experiences about the product.
[Troubleshoot service issues](troubleshoot-windows-defender-advanced-threat-protection.md) | This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
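Review bot: In the new "In this section" table, five rows (Get started, Investigate and remediate threats, API and SIEM support, Reporting, Check service health and sensor state) are plain text with no link, so readers cannot reach those topics from this landing page; add the targets or drop the rows. The last row says "Windows Defender Advanced Threat service", missing "Protection". The keywords line lists "defender" twice, and ms.date is 07/01/2018 while the sibling overview in this commit uses 07/12/2018.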

Binary file not shown.

Width:  |  Height:  |  Size: 81 KiB

Binary file not shown.

Width:  |  Height:  |  Size: 149 KiB

Binary file not shown.

Width:  |  Height:  |  Size: 140 KiB

View File

@ -0,0 +1,48 @@
---
title: Windows Defender Advanced Threat Protection
description: Windows Defender Advanced Threat Protection is an enterprise security service that helps detect and respond to possible cybersecurity threats related to advanced persistent threats.
keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.date: 06/04/2018
---
# Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (Windows Defender ATP)is a unified platform for preventative protection, post-breach detection, automated investigation and response, employing intelligent protection to protect endpoints from cyber threats.
![Windows Defender ATP components](images/wdatp-pillars2.png)
**Attack surface reduction**<br>
The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
**Next generation protection**<br>
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
**Endpoint detection and response**<br>
Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars.
**Auto investigation and remediation**<br>
In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
**Security posture**<br>
Windows Defender ATP also provides a security posture capability to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security state of your network.
**Management and APIs**<br>
Windows Defender ATP provides integrated configuration management in the cloud. The service also supports third-party mobile device management (MDM) tools, cross-platform support, and APIs that allow customers to create custom threat intelligence and automate workflows.
Understand how capabilities align within the Windows Defender ATP suite offering:
Attack surface reduction | Next generation protection | Endpoint detection and response | Auto investigation and remediation | Security posture
:---|:---|:---|:---|:---
[Hardware based isolation](https://docs.microsoft.com/en-us/windows/security/hardware-protection/)<br><br> [Application control](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)<br><br> [Exploit protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard)<br><br> [Network protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard)<br><br> [Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) | [Machine learning](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) <br><br> [Antivirus](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) <br><br> [Threat intelligence](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)<br><br> [Sandbox service](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection#deep-analysis) | [Response containment](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection) <br><br> [Realtime and historical threat hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) <br><br> [Threat intelligence and custom 
detections](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) | [Forensic collection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection#collect-investigation-package-from-machines) <br><br> [Response orchestration](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection) <br><br> [Historical endpoint data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#machine-timeline) <br><br> [Artificial intelligence response playbooks](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) | [Asset inventory](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) <br> [Operating system baseline compliance](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) <br><br> [Recommended improvement actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection#improvement-opportunities)<br> <br> [Secure score](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection) <br><br> [Threat analytics](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection) <br><br> [Reporting and 
trends](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection)
These capabilities are available across multiple products that make up the Windows Defender ATP platform. For more information on how to leverage all the Windows Defender ATP capabilities, see [Threat protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/index).
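Review bot: The capability table row is broken across lines inside link text ("[Threat intelligence and custom" / "detections]" and "[Reporting and" / "trends]"), which ends the Markdown table row early and breaks both links; keep the whole row on one line. The table has five columns but the text above introduces six areas, so Management and APIs has no column. Smaller points: "(Windows Defender ATP)is" needs a space, "these set of capabilities resist" should be "this set of capabilities resists", the front-matter description still uses the old "enterprise security service" wording while the body says "unified platform", and these links carry the /en-us/ locale segment while the links added elsewhere in this commit omit it.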