mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-16 07:17:24 +00:00
Merging changes synced from https://github.com/MicrosoftDocs/windows-docs-pr (branch live)
This commit is contained in:
officedocspr
commit
ce8bc8c9bf
@ -45,10 +45,15 @@ HoloLens (1st gen) supports the following classes of Bluetooth devices:
|
||||
### HoloLens (1st gen): Pair the clicker
|
||||
|
||||
1. Use the bloom gesture to go to **Start**, and then select **Settings**.
|
||||
|
||||
1. Select **Devices**, and make sure that Bluetooth is on.
|
||||
|
||||
1. Use the tip of a pen to press and hold the clicker pairing button until the clicker status light blinks white. Make sure to hold down the button until the light starts blinking.
|
||||
|
||||
The pairing button is on the underside of the clicker, next to the finger loop.
|
||||
|
||||
|
||||
|
||||
1. On the pairing screen, select **Clicker** > **Pair**.
|
||||
|
||||
## HoloLens 2: Connect USB-C devices
|
||||
@ -77,3 +82,10 @@ To use Miracast, follow these steps:
|
||||
|
||||
1. On the list of devices that appears, select an available device.
|
||||
1. Complete the pairing to begin projecting.
|
||||
|
||||
## Disable Bluetooth
|
||||
|
||||
This procedure turns off the RF components of the Bluetooth radio and disables all Bluetooth functionality on Microsoft HoloLens.
|
||||
|
||||
1. Use the bloom gesture (HoloLens (1st gen)) or the start gesture (HoloLens 2) to go to **Start**, and then select **Settings** > **Devices**.
|
||||
1. Move the slider switch for **Bluetooth** to the **Off** position.
|
||||
|
||||
@ -29,6 +29,7 @@
|
||||
|
||||
### [Deploy Surface devices](deploy.md)
|
||||
### [Windows Autopilot and Surface devices](windows-autopilot-and-surface-devices.md)
|
||||
### [Windows Virtual Desktop on Surface](windows-virtual-desktop-surface.md)
|
||||
### [Deploying, managing, and servicing Surface Pro X](surface-pro-arm-app-management.md)
|
||||
### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md)
|
||||
### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
|
||||
|
||||
@ -52,8 +52,8 @@ landingContent:
|
||||
url: microsoft-surface-deployment-accelerator.md
|
||||
- text: Autopilot and Surface devices
|
||||
url: windows-autopilot-and-surface-devices.md
|
||||
- text: Deploying, managing, and servicing Surface Pro X
|
||||
url: surface-pro-arm-app-management.md
|
||||
- text: Windows Virtual Desktop on Surface
|
||||
url: windows-virtual-desktop-surface.md
|
||||
|
||||
# Card
|
||||
- title: Manage Surface devices
|
||||
|
||||
158
devices/surface/windows-virtual-desktop-surface.md
Normal file
158
devices/surface/windows-virtual-desktop-surface.md
Normal file
@ -0,0 +1,158 @@
|
||||
---
|
||||
title: Windows Virtual Desktop on Surface
|
||||
description: This article explains how Surface devices deliver an ideal end node for Windows Virtual Desktop solutions, providing customers with flexible form factors, Windows 10 modern device security and manageability, and support for persistent, on-demand & just-in-time work scenarios.
|
||||
ms.prod: w10
|
||||
ms.mktglfcycl: manage
|
||||
ms.localizationpriority: medium
|
||||
ms.sitesec: library
|
||||
author: coveminer
|
||||
ms.author: greglin
|
||||
ms.topic: article
|
||||
ms.date: 5/20/2020
|
||||
ms.reviewer: rohenr
|
||||
manager: laurawi
|
||||
audience: itpro
|
||||
---
|
||||
|
||||
# Windows Virtual Desktop on Surface
|
||||
|
||||
## Introduction
|
||||
|
||||
Windows Virtual Desktop on Surface lets you run Virtual Desktop Infrastructure (VDI) on a Surface device blurring the lines between the local desktop experience and the virtual desktop where touch, pen, ink, and biometric authentication span both physical and virtual environments. Representing another milestone in the evolution of computing, Windows Virtual Desktop on Surface <a href="#1"><sup>1</sup></a> combines Microsoft 365 - virtualized in the Azure cloud - with the advanced security protections, enterprise-level manageability, and enhanced productivity tools of Windows 10 on Surface. This fusion of premium form factor and Virtual Desktop Infrastructure in Azure provides exceptional customer value across user experiences, portability, security, business continuity, and modern management.
|
||||
|
||||
### Windows Virtual Desktop
|
||||
|
||||
Windows Virtual Desktop (WVD) is a comprehensive desktop and app virtualization service running in the Azure cloud. It’s the only virtual desktop infrastructure that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Remote Desktop Services (RDS) environments. With WVD you can quickly deploy and scale Windows desktops and apps on Azure and get built-in security and compliance features.
|
||||
|
||||
### Windows Virtual Desktop partner integrations
|
||||
|
||||
For a list of approved partner providers and independent software vendors for Windows Virtual Desktop, see [Windows Virtual Desktop partner integrations](https://docs.microsoft.com/azure/virtual-desktop/partners). Some partners also provide Virtual Desktop as a Service (DaaS). DaaS frees you from having to maintain your own virtual machines (VMs) by providing a fully managed, turnkey desktop and virtualization service. The ability to deliver customized desktops to users anywhere in the world enables companies to quickly adjust to changing market conditions by spinning up cloud desktops on-demand - when and where they’re needed.
|
||||
|
||||
## Microsoft Surface Devices
|
||||
|
||||
Surface engineering has long set new standards for innovation by going beyond the keyboard and mouse to imagine more natural ways of interacting with devices, whether by touch, voice, ink, or Surface Dial. And with chip-to-cloud integration of Microsoft 365 and the security and manageability of Windows 10 Pro, Surface delivers connected hardware, software, apps, and services the way they were intended. Although it’s possible to run WVD from Windows devices dating back to Windows 7, Microsoft Surface devices provide unique advantages including support for:
|
||||
|
||||
- **Flexible form factors** - like 2-in-1 devices such as Surface Go 2, Surface Pro 7 and Surface Pro X with pen, touch and detachable keyboard.
|
||||
- **Persistent, on-demand and just-in-time work scenarios** - with offline and on-device access for more productive experiences.
|
||||
- **Windows 10 modern device security and manageability** - providing the flexibility to be productive anywhere.
|
||||
|
||||
## Flexible form factors and premium user experience
|
||||
|
||||
The Microsoft Surface for Business family comprises a diverse portfolio of form factors including traditional laptops, all-in-one machines, and 2-in-1 devices. Surface devices deliver experiences people love with the choice and flexibility they need in order to work on their terms.
|
||||
|
||||
### The modern virtual desktop endpoint
|
||||
|
||||
Surface 2-in-1 devices, including [Surface Go 2](https://www.microsoft.com/p/surface-go-2) (10.5”), [Surface Pro 7](https://www.microsoft.com/surface/devices/surface-pro-7/) (12”) and [Surface Pro X](https://www.microsoft.com/p/surface-pro-x/) (13”), provide users with the ideal cloud desktop endpoint bringing together the optimal balance of portability, versatility, power, and all-day battery. From site engineers relying on Surface Go 2 in tablet mode to financial advisors attaching Surface Pro 7 to a dock and multiple monitors, 2-in-1 devices deliver the versatility that has come to define the modern workplace.
|
||||
|
||||
Unlike traditional, fixed VDI “terminals”, Surface devices allow users to work from anywhere and enable companies to remain viable and operational during unforeseen events -- from severe weather to public health emergencies. With support for persistent, on-demand and just-in-time scenarios, Surface devices effectively help companies sustain ongoing operations and mitigate risk from disruptive events. Features designed to enhance productivity on Surface 2-in-1 devices include:
|
||||
|
||||
- Vibrant, high resolution displays with 3:2 aspect ratio to get work done.
|
||||
- Natural inking and multi-touch for more immersive experiences.
|
||||
- With a wide variety of built-in and third-party accessibility features, Surface devices let you choose how to interact with your device, express ideas, and get work done.
|
||||
- Far-field mics and high-performance speakers for improved virtual meetings.
|
||||
- Biometric security including built-in, Windows Hello camera that comes standard on every Surface device.
|
||||
- Long battery life <a href="#2"><sup>2</sup></a> and fast charging.
|
||||
- LTE options <a href="#3"><sup>3</sup></a> on modern devices like Surface Pro X and Surface Go 2 for hassle-free and secure connectivity.
|
||||
- Support for a wide range of peripherals such as standard printers, 3D printers, cameras, credit card readers, barcode scanners, and many others. A large ecosystem of Designed for Surface partners provides licensed and certified Surface accessories.
|
||||
- Broad range of Device Redirection support.
|
||||
|
||||
### Device Redirection Support
|
||||
|
||||
The Surface-centric productivity experiences listed above become even more compelling in Windows Virtual Desktop environments by taking advantage of device redirection capabilities with Windows 10. Surface provides a broad range of device redirection support, especially when compared to OEM thin clients and fixed terminals, Android, iOS/macOS and Web-based access. The Windows Inbox (MSTSC) and Windows Desktop (MSRDC) clients provide the most device redirection capabilities including Input Redirection (keyboard, mouse, pen and touch), Port Redirection (serial and USB) and Other Redirections (cameras, clipboard, local drive/storage, location, microphones, printers, scanners, smart cards and speakers). For a detailed comparison of device redirection support refer to the [device redirection documentation](https://docs.microsoft.com/windows-server/remote/remote-desktop-services/clients/remote-desktop-app-compare#redirection-support).
|
||||
|
||||
### Familiar Desktop Experience
|
||||
|
||||
Not only does running the Windows Desktop Client on Surface devices provide users with a broad set of device redirection capabilities, it lets everyone launch apps in familiar ways — directly from the Start Menu or Search bar.
|
||||
|
||||
### Persistent, on-demand and just-in-time work scenarios
|
||||
|
||||
Windows Virtual Desktop on Surface helps customers meet increasingly complex business and security requirements across industries, employee roles, and work environments. These include:
|
||||
|
||||
- Multi-layered security of access to data and organizational resources.
|
||||
- Compliance with industry regulations.
|
||||
- Support for an increasingly elastic workforce.
|
||||
- Employee-specific needs across a variety of job functions.
|
||||
- Ability to support specialized, processor-intensive workloads.
|
||||
- Resilience for sustaining operations during disruptions.
|
||||
|
||||
### Table 1. Windows Virtual Desktop business conversations
|
||||
|
||||
| Security & regulation | Elastic workforce | Work Roles | Special workloads | Business continuity |
|
||||
| ---------------------------------------------------- | ---------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------------- |
|
||||
| - Financial Services<br>- Healthcare<br>- Government | - Merger & acquisition<br>- Short term employees<br>- Contractors & partners | - BYOD & mobile<br>- Customer support/service<br>- Branch workers | - Design & engineering<br>- Support for legacy apps<br>- Software dev & test | - On demand<br>- Just-in-Time (JIT)<br>- Work @ Home |
|
||||
|
||||
### Offline and on-device access for more productive experiences
|
||||
|
||||
Traditionally, VDI solutions only work when the endpoint is connected to the internet. But what happens when the internet or power is unavailable for any reason (due to mobility, being on a plane, or power outages, and so on)?
|
||||
|
||||
To support business continuity and keep employees productive, Surface devices can easily augment the virtual desktop experience with offline access to files, Microsoft 365 and third-party applications. Traditional apps like Microsoft Office, available across .x86, x64, Universal Windows Platform, ARM platforms, enable users to stay productive in “offline mode”. Files from the virtual desktop cloud environment can be synced locally on Surface using OneDrive for Business for offline access as well. You can have the confidence that all locally “cached” information is up-to-date and secure.
|
||||
|
||||
In addition to adding support for offline access to apps and files, Surface devices are designed to optimize collaborative experiences like Microsoft Teams “On-Device”. Although some VDI solutions support the use of Teams through a virtual session, users can benefit from the more optimized experience provided by a locally installed instance of Teams. Localizing communications and collaboration apps for multimedia channels like voice, video, live captioning allows organizations to take full advantage of Surface devices’ ability to provide optimized Microsoft 365 experiences. The emergence of Surface artificial intelligence (AI) or “AI-on-device” brings new capabilities to life, such as eye gaze technology that adjusts the appearance of your eyes so the audience sees you looking directly at the camera when communicating via video.
|
||||
|
||||
An alternative to locally installing traditional applications is to take advantage of the latest version of Microsoft Edge, which comes with support for Progressive Web Apps (PWA). PWAs are just websites that are progressively enhanced to function like native apps on supporting platforms. The qualities of a PWA combine the best of the web and native apps by additional features, such as push notifications, background data refresh, offline support, and more.
|
||||
|
||||
### Virtual GPUs
|
||||
|
||||
GPUs are ideal for AI compute and graphics-intensive workloads, helping customers to fuel innovation through scenarios like high-end remote visualization, deep learning, and predictive analytics. However, this isn’t ideal for professionals who need to work remotely or while on the go because varying degrees of internal GPU horsepower are tied to the physical devices, limiting mobility and flexibility.
|
||||
|
||||
To solve for this Azure offers the N-series family of Virtual Machines with NVIDIA GPU capabilities (vGPU). With vGPUs, IT can either share GPU performance across multiple virtual machines, or power demanding workloads by assigning multiple GPUs to a single virtual machine. For Surface this means that no matter what device you’re using, from the highly portable Surface Go 2 to the slim and stylish Surface Laptop 3, your device has access to powerful server-class graphics performance. Surface and vGPUs allow you to combine all the things you love about Surface, to include pen, touch, keyboard, trackpad and PixelSense displays, with graphics capability only available in high performance computing environments.
|
||||
|
||||
Azure N-series brings these capabilities to life on your Surface device allowing you to work in any way you want, wherever you go. [Learn more about Azure N-Series and GPU optimized virtual machine sizes.](https://docs.microsoft.com/azure/virtual-machines/sizes-gpu)
|
||||
|
||||
## Microsoft 365 and Surface
|
||||
|
||||
Even in a virtualized desktop environment, Microsoft 365 and Surface deliver the experiences employees love, the protection organizations demand, and flexibility for teams to work their way. According to Forrester Research: <a href="#4"><sup>4</sup></a>
|
||||
|
||||
- Microsoft 365-powered Surface devices give users up to 5 hours in weekly productivity gains with up to 9 hours saved per week for highly mobile workers, providing organizations with 112 percent ROI on Microsoft 365 with Surface
|
||||
- 75 percent agree Microsoft 365-powered Surface devices help improve employee satisfaction and retention
|
||||
- agree that Microsoft 365- powered Surface devices have helped improve employee satisfaction and retention.
|
||||
|
||||
### Security and management
|
||||
|
||||
From chip to cloud, Microsoft 365 and Surface helps organizations stay protected and up to date.
|
||||
With both Surface hardware and software designed, built, and tested by Microsoft, users can be confident they’re productive and protected by leading technologies from chip to cloud. With increased numbers of users working remotely, protecting corporate data and intellectual property becomes more paramount than ever. Windows Virtual Desktop on Surface is designed around a zero-trust security model in which every access request is strongly authenticated, authorized within policy constraints, and inspected for anomalies before granting access.
|
||||
|
||||
By maximizing efficiencies from cloud computing, modern management enables IT to better serve the needs of users, stakeholders and customers in an increasingly competitive business environment. For example, you can get Surface devices up-and-running with minimal interaction from your team. Setup is automatic and self-serviced. Updates are quick and painless for both your team and your users. You can manage devices regardless of their physical location.
|
||||
|
||||
Security and management features delivered with Windows Virtual Desktop on Surface include:
|
||||
|
||||
- **Windows Update.** Keeping Windows up to date helps you stay ahead of new security threats. Windows 10 has been engineered from the ground up to be more secure and utilize the latest hardware capabilities to improve security. With a purpose-built UEFI <a href="#5"><sup>5</sup></a> and Windows Update for Business that responds to evolving threats, end-to-end protection is secure and simplified.
|
||||
|
||||
- **Hardware encryption.** Device encryption lets you protect the data on your Surface so it can only be accessed by authorized individuals. All Surface for Business devices feature a discrete Trusted Platform Module (dTPM) that is hardware-protected against intrusion while software uses protected keys and measurements to verify software validity.
|
||||
- **Windows Defender.** Windows Defender Antivirus brings together machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices. The tool is built in and needs no extra agents to be deployed on-devices or in the VDI environment, simplifying management and optimizing device start up. Windows Defender is built in and needs no extra agents to be deployed on-device or in the VDI environment, simplifying management and optimizing device start up. The true out-of-the-box experience.
|
||||
- **Removable drives** - A subset of newer Surface devices feature removable SSD drives <a href="#6"><sup>6</sup></a> providing greater control over data retention.
|
||||
- **Modern authentication -** Microsoft 365 and Surface is a unified platform delivering every Windows security feature (subject to licensing and enablement). All Surface portfolio devices ship with a custom-built camera, designed for Windows Hello for Business providing biometric security that persists seamlessly from on-device to VDI-based experiences.
|
||||
- **Modern firmware management** -Using Device Firmware Configuration Interface (DFCI),<a href="#7"><sup>7</sup></a> IT administrators can remotely disable hardware elements at a firmware level such as mics, USB ports, SD card slots, cameras, and Bluetooth which removes power to the peripheral. Windows Defender Credential Guard uses virtualization-based security so that only privileged system software can access them.
|
||||
- **Backward and forward compatibility** - Windows 10 devices provide backward and forward compatibility across hardware, software and services. Microsoft has a strong history of maintaining legacy support of hardware, peripherals, software and services while incorporating the latest technologies. Businesses can plan IT investments to have a long useful life.
|
||||
- **Bridge for legacy Windows 7 workloads** - For solution scenarios dependent on legacy Windows OS environments, enterprises can use VDI instances of Windows 7 running in Azure. This enables support on modern devices like Surface without the risk of relying on older Windows 7 machines that no longer receive the latest security updates. In addition to these “future proofing” benefits, migration of any legacy workloads becomes greatly simplified when modern Windows 10 hardware is already deployed.
|
||||
- **Zero-Touch Deployment** - Autopilot is the recommended modern management deployment option for Surface devices. Windows Autopilot on Surface is a cloud-based deployment technology in Windows 10. You can use Windows Autopilot on Surface to remotely deploy and configure devices in a zero-touch process right out of the box. Windows Autopilot-registered devices are identified over the Internet at first startup through a unique device signature that's called a hardware hash. They're automatically enrolled and configured by using modern management solutions such as Azure Active Directory (Azure AD) and mobile device management.
|
||||
|
||||
### Surface devices: Minimizing environmental impacts
|
||||
|
||||
Surface performs life cycle assessments to calculate the environmental impact of devices across key stages of product life cycle enabling Microsoft to minimize these impacts. Each Surface product has an ECO profile that includes details on greenhouse gas emissions, primary energy consumption and material composition data, packaging, recycling, and related criteria. To download profiles for each Surface device, see [ECO Profiles](https://www.microsoft.com/download/details.aspx?id=55974) on the Microsoft Download Center.
|
||||
|
||||
## Summary
|
||||
|
||||
Windows Virtual Desktop on Surface provides organizations with greater flexibility and resilience in meeting the diverse needs of users, stakeholders, and customers. Running Windows Virtual Desktop solutions on Surface devices provides unique advantages over continued reliance on legacy devices. Flexible form factors like Surface Go 2 and Surface Pro 7 connected to the cloud (or offline), enable users to be productive from anywhere, at any time. Whether employees work in persistent, on-demand, or just-in-time scenarios, Windows Virtual Desktop on Surface affords businesses with the versatility to sustain productivity throughout disruptions from public health emergencies or other unforeseen events. Using the built in, multi-layered security and modern manageability of Windows 10, companies can take advantage of an expanding ecosystem of cloud-based services to rapidly deploy and scale Windows desktops and apps. Simply put, Windows Virtual Desktop on Surface delivers critically needed technology to organizations and businesses of all sizes.
|
||||
|
||||
## Learn more
|
||||
|
||||
For more information, see the following resources:
|
||||
|
||||
- [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
|
||||
- [Surface for Business](https://www.microsoft.com/surface/business)
|
||||
- [Modernize your workforce with Microsoft Surface](https://boards.microsoft.com/public/prism/103849?token=754435c36d)
|
||||
- [A guide to Surface Technical Content and Solutions](https://boards.microsoft.com/public/prism/104362/category/90968?token=09e688ec4a)
|
||||
- [Microsoft zero-trust security](https://www.microsoft.com/security/business/zero-trust)
|
||||
|
||||
|
||||
----------
|
||||
|
||||
<a id="1">1.</a> Windows Virtual Desktop on Surface refers to running Azure Virtual Desktop Infrastructure on a Surface device and is described here as an architectural solution, not a separately available product.<br>
|
||||
<a id="2">2.</a> Battery life varies significantly with settings, usage and other factors.<br>
|
||||
<a id="3">3.</a> Service availability and performance subject to service provider’s network. Contact your service provider for details, compatibility, pricing, SIM card, and activation. See all specs and frequencies at surface.com.<br>
|
||||
<a id="4">4.</a> Forrester Consulting, “A Forrester Total Economic Impact™ Study: Maximizing Your ROI from Microsoft 365 Enterprise with Microsoft Surface,” commissioned by Microsoft, 2018.<br>
|
||||
<a id="5">5.</a> Surface Go and Surface Go 2 use a third-party UEFI and do not support DFCI. DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. Find out more about managing Surface UEFI settings.<br>
|
||||
<a id="6">6.</a> Removable SSD is available on Surface Laptop 3 and Surface Pro X. Note that hard drive is not user removable. Hard drive is only removable a by skilled technician following Microsoft instructions.<br>
|
||||
<a id="7">7.</a> DFCI is currently available for Surface Book 3, Surface Laptop 3, Surface Pro 7, and Surface Pro X. [Find out more](https://docs.microsoft.com/surface/manage-surface-uefi-settings) about managing Surface UEFI settings.
|
||||
|
||||
@ -710,6 +710,7 @@ Policy, Policy/Channels, Policy/Channels/ChannelName, Policy/Channels/ChannelNam
|
||||
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
|
||||
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
|
||||
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</li>
|
||||
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
|
||||
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
|
||||
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
|
||||
|
||||
@ -2390,6 +2390,9 @@ The following diagram shows the Policy configuration service provider in tree fo
|
||||
<dd>
|
||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam" id="localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam">LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm" id="localpoliciessecurityoptions-networksecurity-allowlocalsystemtousecomputeridentityforntlm">LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM</a>
|
||||
</dd>
|
||||
<dd>
|
||||
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
|
||||
</dd>
|
||||
|
||||
@ -34,7 +34,7 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
|
||||
|
||||
|**Software** |**Minimum version** |
|
||||
|---------|---------|
|
||||
|Client operating system | Desktop: <br> - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 103 (legacy version of Cortana) <br> <br> Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. |
|
||||
|Client operating system | Desktop: <br> - Windows 10, version 2004 (recommended) <br> <br> - Windows 10, version 1703 (legacy version of Cortana) <br> <br> Mobile: Windows 10 mobile, version 1703 (legacy version of Cortana) <br> <br> For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see **How is my data processed by Cortana** below. |
|
||||
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn’t required. |
|
||||
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word (“Cortana”) for hands-free activation or voice commands to easily ask for help. |
|
||||
|
||||
@ -71,7 +71,7 @@ First, the user must enable the wake word from within Cortana settings. Once it
|
||||
|
||||
The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening.
|
||||
|
||||
:::image type="content" source="../../../images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
|
||||
:::image type="content" source="images/screenshot2.png" alt-text="Microphone icon in the system tray indicating an assistant app is listening":::
|
||||
|
||||
At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded.
|
||||
|
||||
|
||||
@ -23,25 +23,27 @@ ms.custom: asr
|
||||
|
||||
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
**Is attack surface reduction (ASR) part of Windows?**
|
||||
## Is attack surface reduction (ASR) part of Windows?
|
||||
|
||||
ASR was originally a feature of the suite of exploit guard features introduced as a major update to Windows Defender Antivirus, in Windows 10 version 1709. Windows Defender Antivirus is the native antimalware component of Windows. However, please note that the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Windows Defender Antivirus exclusions.
|
||||
ASR was originally a feature of the suite of exploit guard features introduced as a major update to Microsoft Defender Antivirus, in Windows 10 version 1709. Microsoft Defender Antivirus is the native antimalware component of Windows. However, the full ASR feature-set is only available with a Windows enterprise license. Also note that ASR rule exclusions are managed separately from Microsoft Defender Antivirus exclusions.
|
||||
|
||||
**Do I need to have an enterprise license to run ASR rules?**
|
||||
## Do I need to have an enterprise license to run ASR rules?
|
||||
|
||||
The full set of ASR rules and features are only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license, if you have Microsoft 365 Business, set Windows Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full feature-set of ASR will not be available.
|
||||
The full set of ASR rules and features is only supported if you have an enterprise license for Windows 10. A limited number of rules may work without an enterprise license. If you have Microsoft 365 Business, set Microsoft Defender Antivirus as your primary security solution, and enable the rules through PowerShell. However, ASR usage without an enterprise license is not officially supported and the full capabilities of ASR will not be available.
|
||||
|
||||
**Is ASR supported if I have an E3 license?**
|
||||
To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
|
||||
|
||||
Yes. ASR is supported for Windows Enterprise E3 and above. See [Use attack surface reduction rules in Windows 10 Enterprise E3](attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) for more details.
|
||||
## Is ASR supported if I have an E3 license?
|
||||
|
||||
**Which features are supported with an E5 license?**
|
||||
Yes. ASR is supported for Windows Enterprise E3 and above.
|
||||
|
||||
## Which features are supported with an E5 license?
|
||||
|
||||
All of the rules supported with E3 are also supported with E5.
|
||||
|
||||
E5 also added greater integration with Microsoft Defender ATP. With E5, you can [use Microsoft Defender ATP to monitor and review analytics](https://docs.microsoft.com/microsoft-365/security/mtp/monitor-devices?view=o365-worldwide#monitor-and-manage-asr-rule-deployment-and-detections) on alerts in real-time, fine-tune rule exclusions, configure ASR rules, and view lists of event reports.
|
||||
|
||||
**What are the the currently supported ASR rules??**
|
||||
## What are the currently supported ASR rules?
|
||||
|
||||
ASR currently supports all of the rules below:
|
||||
|
||||
@ -52,8 +54,8 @@ ASR currently supports all of the rules below:
|
||||
* [Block JavaScript or VBScript from launching downloaded executable content](attack-surface-reduction.md##block-javascript-or-vbscript-from-launching-downloaded-executable-content)
|
||||
* [Block execution of potentially obfuscated scripts](attack-surface-reduction.md#block-execution-of-potentially-obfuscated-scripts)
|
||||
* [Block Win32 API calls from Office macro](attack-surface-reduction.md#block-win32-api-calls-from-office-macros)
|
||||
* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)<!-- Note: Because the following link contains characters the validator is not expecting, it throws a warning that the bookmark does not exist. This is a false positive; the link correctly targets the heading, Block credential stealing from the Windows local security authority subsystem (lsass.exe), when selected -->
|
||||
* [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem)
|
||||
* [Use advanced protection against ransomware](attack-surface-reduction.md#use-advanced-protection-against-ransomware)
|
||||
* [Block credential stealing from the Windows local security authority subsystem](attack-surface-reduction.md#block-credential-stealing-from-the-windows-local-security-authority-subsystem) (lsass.exe)
|
||||
* [Block process creations originating from PSExec and WMI commands](attack-surface-reduction.md#block-process-creations-originating-from-psexec-and-wmi-commands)
|
||||
* [Block untrusted and unsigned processes that run from USB](attack-surface-reduction.md#block-untrusted-and-unsigned-processes-that-run-from-usb)
|
||||
* [Block executable files from running unless they meet a prevalence, age, or trusted list criteria](attack-surface-reduction.md#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion)
|
||||
@ -61,39 +63,41 @@ ASR currently supports all of the rules below:
|
||||
* [Block Adobe Reader from creating child processes](attack-surface-reduction.md#block-adobe-reader-from-creating-child-processes)
|
||||
* [Block persistence through WMI event subscription](attack-surface-reduction.md#block-persistence-through-wmi-event-subscription)
|
||||
|
||||
**What are some good recommendations for getting started with ASR?**
|
||||
## What are some good recommendations for getting started with ASR?
|
||||
|
||||
It is generally best to first test how ASR rules will impact your organization before enabling them, by running them in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
|
||||
Test how ASR rules will impact your organization before enabling them by running ASR rules in audit mode for a brief period of time. While you are running the rules in audit mode, you can identify any line-of-business applications that might get blocked erroneously, and exclude them from ASR.
|
||||
|
||||
Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly-broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
|
||||
Larger organizations should consider rolling out ASR rules in "rings," by auditing and enabling rules in increasingly broader subsets of devices. You can arrange your organization's devices into rings by using Intune or a Group Policy management tool.
|
||||
|
||||
**How long should I test an ASR rule in audit mode before enabling it?**
|
||||
## How long should I test an ASR rule in audit mode before enabling it?
|
||||
|
||||
You should keep the rule in audit mode for about 30 days. This amount of time gives you a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
|
||||
Keep the rule in audit mode for about 30 days to get a good baseline for how the rule will operate once it goes live throughout your organization. During the audit period, you can identify any line-of-business applications that might get blocked by the rule, and configure the rule to exclude them.
|
||||
|
||||
**I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?**
|
||||
## I'm making the switch from a third-party security solution to Microsoft Defender ATP. Is there an "easy" way to export rules from another security solution to ASR?
|
||||
|
||||
Rather than attempting to import sets of rules from another security solution, it is, in most cases, easier and safer to start with the baseline recommendations suggested for your organization by Microsoft Defender ATP, then use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs. The default configuration for most ASR rules, combined with Defender's real-time protection, will protect against a large number of exploits and vulnerabilities.
|
||||
In most cases, it's easier and better to start with the baseline recommendations suggested by [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/) (Microsoft Defender ATP) than to attempt to import rules from another security solution. Then, use tools such as audit mode, monitoring, and analytics to configure your new solution to suit your unique needs.
|
||||
|
||||
The default configuration for most ASR rules, combined with Microsoft Defender ATP's real-time protection, will protect against a large number of exploits and vulnerabilities.
|
||||
|
||||
From within Microsoft Defender ATP, you can update your defenses with custom indicators, to allow and block certain software behaviors. ASR also allows for some customization of rules, in the form of file and folder exclusions. As a general rule, it is best to audit a rule for a period of time, and configure exclusions for any line-of-business applications that might get blocked.
|
||||
|
||||
**Does ASR support file or folder exclusions that include system variables and wildcards in the path?**
|
||||
## Does ASR support file or folder exclusions that include system variables and wildcards in the path?
|
||||
|
||||
Yes. See [Excluding files and folders from ASR rules](enable-attack-surface-reduction.md#exclude-files-and-folders-from-asr-rules) for more details on excluding files or folders from ASR rules, and [Configure and validate exclusions based on file extension and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for more on using system variables and wildcards in excluded file paths.
|
||||
|
||||
**Do ASR rules cover all applications by default?**
|
||||
## Do ASR rules cover all applications by default?
|
||||
|
||||
It depends on the rule. Most ASR rules cover the behavior of Microsoft Office products and services, such as Word, Excel, PowerPoint, and OneNote, or Outlook. Certain ASR rules, such as *Block execution of potentially obfuscated scripts*, are more general in scope.
|
||||
|
||||
**Does ASR support third-party security solutions?**
|
||||
## Does ASR support third-party security solutions?
|
||||
|
||||
ASR uses Microsoft Defender Antivirus to block applications. It is not possible to configure ASR to use another security solution for blocking at this time.
|
||||
|
||||
**I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?**
|
||||
## I have an E5 license and enabled some ASR rules in conjunction with Microsoft Defender ATP. Is it possible for an ASR event to not show up at all in Microsoft Defender ATP's event timeline?
|
||||
|
||||
Whenever a notification is triggered locally by an ASR rule, a report on the event is also sent to the Microsoft Defender ATP portal. If you're having trouble finding the event, you can filter the events timeline using the search box. You can also view ASR events by visiting **Go to attack surface management**, from the **Configuration management** icon in the Security Center taskbar. The attack surface management page includes a tab for report detections, which includes a full list of ASR rule events reported to Microsoft Defender ATP.
|
||||
|
||||
**I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.**
|
||||
## I applied a rule using GPO. Now when I try to check the indexing options for the rule in Microsoft Outlook, I get a message stating, 'Access denied'.
|
||||
|
||||
Try opening the indexing options directly from Windows 10.
|
||||
|
||||
@ -101,23 +105,23 @@ Try opening the indexing options directly from Windows 10.
|
||||
|
||||
1. Enter **Indexing options** into the search box.
|
||||
|
||||
**Are the criteria used by the rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*, configurable by an admin?**
|
||||
## Are the criteria used by the rule, "Block executable files from running unless they meet a prevalence, age, or trusted list criterion," configurable by an admin?
|
||||
|
||||
No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up-to-date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
|
||||
No. The criteria used by this rule are maintained by Microsoft cloud protection, to keep the trusted list constantly up to date with data gathered from around the world. Local admins do not have write access to alter this data. If you are looking to configure this rule to tailor it for your enterprise, you can add certain applications to the exclusions list to prevent the rule from being triggered.
|
||||
|
||||
**I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?**
|
||||
## I enabled the ASR rule, *Block executable files from running unless they meet a prevalence, age, or trusted list criterion*. After some time, I updated a piece of software, and the rule is now blocking it, even though it didn't before. Did something go wrong?
|
||||
|
||||
This rule relies upon each application having a known reputation, as measured by prevalence, age, or inclusion on a list of trusted apps. The rule's decision to block or allow an application is ultimately determined by Microsoft cloud protection's assessment of these criteria.
|
||||
|
||||
Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be re-assessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with very new versions of applications, you may opt instead to run this rule in audit mode.
|
||||
Usually, cloud protection can determine that a new version of an application is similar enough to previous versions that it does not need to be reassessed at length. However, it might take some time for the app to build reputation after switching versions, particularly after a major update. In the meantime, you can add the application to the exclusions list, to prevent this rule from blocking important applications. If you are frequently updating and working with new versions of applications, you may opt instead to run this rule in audit mode.
|
||||
|
||||
**I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?**
|
||||
## I recently enabled the ASR rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, and I am getting a large number of notifications. What is going on?
|
||||
|
||||
A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often target lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
|
||||
A notification generated by this rule does not necessarily indicate malicious activity; however, this rule is still useful for blocking malicious activity, since malware often targets lsass.exe to gain illicit access to accounts. The lsass.exe process stores user credentials in memory after a user has logged in. Windows uses these credentials to validate users and apply local security policies.
|
||||
|
||||
Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive amount of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
|
||||
Because many legitimate processes throughout a typical day will be calling on lsass.exe for credentials, this rule can be especially noisy. If a known legitimate application causes this rule to generate an excessive number of notifications, you can add it to the exclusion list. Most other ASR rules will generate a relatively smaller number of notifications, in comparison to this one, since calling on lsass.exe is typical of many applications' normal functioning.
|
||||
|
||||
**Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?**
|
||||
## Is it a good idea to enable the rule, *Block credential stealing from the Windows local security authority subsystem (lsass.exe)*, alongside LSA protection?
|
||||
|
||||
Enabling this rule will not provide additional protection if you have [LSA protection](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#BKMK_HowToConfigure) enabled as well. Both the rule and LSA protection work in much the same way, so having both running at the same time would be redundant. However, sometimes you may not be able to enable LSA protection. In those cases, you can enable this rule to provide equivalent protection against malware that target lsass.exe.
|
||||
|
||||
|
||||
@ -23,9 +23,6 @@ ms.custom: asr
|
||||
|
||||
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
> [!IMPORTANT]
|
||||
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
||||
Your attack surface is the total number of places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means offering attackers fewer ways to perform attacks.
|
||||
|
||||
Attack surface reduction rules target software behaviors that are often abused by attackers, such as:
|
||||
@ -44,9 +41,11 @@ For more information about configuring attack surface reduction rules, see [Enab
|
||||
|
||||
## Attack surface reduction features across Windows versions
|
||||
|
||||
You can set attack surface reduction rules for computers running the following versions of Windows:
|
||||
- [Windows 10, version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) (Semi-Annual Channel) or later
|
||||
You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
|
||||
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
|
||||
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
|
||||
|
||||
To use the entire feature-set of attack surface reduction rules, you need a [Windows 10 Enterprise license](https://www.microsoft.com/licensing/product-licensing/windows10). With a [Windows E5 license](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses), you get advanced management capabilities including monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). These advanced capabilities aren't available with an E3 license, but you can still use Event Viewer to review attack surface reduction rule events.
|
||||
|
||||
|
||||
@ -24,26 +24,80 @@ ms.collection:
|
||||
|
||||
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
## Behavioral blocking and containment overview
|
||||
## Overview
|
||||
|
||||
Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints.
|
||||
Today’s threat landscape is overrun by [fileless malware](https://docs.microsoft.com/windows/security/threat-protection/intelligence/fileless-threats) and that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what adversaries find on compromised machines. Traditional security solutions are not sufficient to stop such attacks; you need artificial intelligence (AI) and machine learning (ML) backed capabilities, such as behavioral blocking and containment, included in [Microsoft Defender ATP](https://docs.microsoft.com/windows/security).
|
||||
|
||||
## Behavioral blocking and containment capabilities
|
||||
Behavioral blocking and containment capabilities can help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. Next-generation protection, EDR, and Microsoft Defender ATP components and features work together in behavioral blocking and containment capabilities.
|
||||
|
||||
Behavioral blocking and containment capabilities include the following:
|
||||
:::image type="content" source="images/mdatp-next-gen-EDR-behavblockcontain.png" alt-text="Behavioral blocking and containment":::
|
||||
|
||||
- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
|
||||
Behavioral blocking and containment capabilities work with multiple components and features of Microsoft Defender ATP to stop attacks immediately and prevent attacks from progressing.
|
||||
|
||||
- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
|
||||
- [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) (which includes Microsoft Defender Antivirus) can detect threats by analyzing behaviors, and stop threats that have started running.
|
||||
|
||||
- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
|
||||
- [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) receives security signals across your network, devices, and kernel behavior. As threats are detected, alerts are created. Multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.
|
||||
|
||||
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
|
||||
- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) has a wide range of optics across identities, email, data, and apps, in addition to the network, endpoint, and kernel behavior signals received through EDR. A component of [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection), Microsoft Defender ATP processes and correlates these signals, raises detection alerts, and connects related alerts in incidents.
|
||||
|
||||
As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development.
|
||||
With these capabilities, more threats can be prevented or blocked, even if they start running. Whenever suspicious behavior is detected, the threat is contained, alerts are created, and threats are stopped in their tracks.
|
||||
|
||||
The following image shows an example of an alert that was triggered by behavioral blocking and containment capabilities:
|
||||
|
||||
:::image type="content" source="images/blocked-behav-alert.png" alt-text="Example of an alert through behavioral blocking and containment":::
|
||||
|
||||
## Components of behavioral blocking and containment
|
||||
|
||||
- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)** Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center [https://securitycenter.windows.com](https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.)
|
||||
|
||||
- **Client behavioral blocking** Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.)
|
||||
|
||||
- **Feedback-loop blocking** (also referred to as rapid protection) Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.)
|
||||
|
||||
- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)** Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.)
|
||||
|
||||
Expect more to come in the area of behavioral blocking and containment, as Microsoft continues to improve threat protection features and capabilities. To see what's planned and rolling out now, visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap).
|
||||
|
||||
## Examples of behavioral blocking and containment in action
|
||||
|
||||
### Example 1: Credential theft attack against 100 organizations
|
||||
|
||||
As described in [In hot pursuit of elusive threats: AI-driven behavior-based blocking stops attacks in their tracks](https://www.microsoft.com/security/blog/2019/10/08/in-hot-pursuit-of-elusive-threats-ai-driven-behavior-based-blocking-stops-attacks-in-their-tracks), a credential theft attack against 100 organizations around the world was stopped by behavioral blocking and containment capabilities. Spear-phishing email messages that contained a lure document were sent to the targeted organizations. If a recipient opened the attachment, a related remote document was able to execute code on the user’s device and load Lokibot malware, which stole credentials, exfiltrated stolen data, and waited for further instructions from a command-and-control server.
|
||||
|
||||
Behavior-based machine learning models in Microsoft Defender ATP caught and stopped the attacker’s techniques at two points in the attack chain:
|
||||
- The first protection layer detected the exploit behavior. Machine learning classifiers in the cloud correctly identified the threat as and immediately instructed the client device to block the attack.
|
||||
- The second protection layer, which helped stop cases where the attack got past the first layer, detected process hollowing, stopped that process, and removed the corresponding files (such as Lokibot).
|
||||
|
||||
While the attack was detected and stopped, alerts, such as an "initial access alert," were triggered and appeared in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)):
|
||||
|
||||
:::image type="content" source="images/behavblockcontain-initialaccessalert.png" alt-text="Initial access alert in the Microsoft Defender Security Center":::
|
||||
|
||||
This example shows how behavior-based machine learning models in the cloud add new layers of protection against attacks, even after they have started running.
|
||||
|
||||
### Example 2: NTML relay - Juicy Potato malware variant
|
||||
|
||||
As described in the recent blog post, [Behavioral blocking and containment: Transforming optics into protection](https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection), in January 2020, Microsoft Defender ATP detected a privilege escalation activity on a device in an organization. An alert called “Possible privilege escalation using NTLM relay” was triggered.
|
||||
|
||||
:::image type="content" source="images/NTLMalertjuicypotato.png" alt-text="NTLM alert for Juicy Potato malware":::
|
||||
|
||||
The threat turned out to be malware; it was a new, not-seen-before variant of a notorious hacking tool called Juicy Potato, which is used by attackers to get privilege escalation on a device.
|
||||
|
||||
Minutes after the alert was triggered, the file was analyzed, and confirmed to be malicious. Its process was stopped and blocked, as shown in the following image:
|
||||
|
||||
:::image type="content" source="images/Artifactblockedjuicypotato.png" alt-text="Artifact blocked":::
|
||||
|
||||
A few minutes after the artifact was blocked, multiple instances of the same file were blocked on the same device, preventing additional attackers or other malware from deploying on the device.
|
||||
|
||||
This example shows that with behavioral blocking and containment capabilities, threats are detected, contained, and blocked automatically.
|
||||
|
||||
## Next steps
|
||||
|
||||
- [Learn more about recent global threat activity](https://www.microsoft.com/wdsi/threats)
|
||||
|
||||
- [Learn more about Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response)
|
||||
|
||||
- [Configure your attack surface reduction rules](attack-surface-reduction.md)
|
||||
|
||||
- [Enable EDR in block mode](edr-in-block-mode.md)
|
||||
|
||||
- [Get an overview of Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
|
||||
@ -15,7 +15,6 @@ manager: dansimp
|
||||
audience: ITPro
|
||||
ms.collection: M365-security-compliance
|
||||
ms.topic: conceptual
|
||||
ms.date: 07/01/2018
|
||||
---
|
||||
|
||||
# Configure attack surface reduction
|
||||
@ -27,11 +26,7 @@ You can configure attack surface reduction with a number of tools, including:
|
||||
* Group Policy
|
||||
* PowerShell cmdlets
|
||||
|
||||
The topics in this section describe how to configure attack surface reduction. Each topic includes instructions for the applicable configuration tool (or tools).
|
||||
|
||||
## In this section
|
||||
|
||||
Topic | Description
|
||||
Article | Description
|
||||
-|-
|
||||
[Enable hardware-based isolation for Microsoft Edge](../windows-defender-application-guard/install-wd-app-guard.md) | How to prepare for and install Application Guard, including hardware and software requirements
|
||||
[Enable application control](../windows-defender-application-control/windows-defender-application-control.md)|How to control applications run by users and protect kernel mode processes
|
||||
|
||||
@ -12,7 +12,7 @@ ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
author: levinec
|
||||
ms.author: ellevin
|
||||
ms.date: 05/13/2019
|
||||
ms.date: 05/20/2020
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
@ -26,11 +26,16 @@ manager: dansimp
|
||||
> [!IMPORTANT]
|
||||
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
|
||||
|
||||
Attack surface reduction rules help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
|
||||
[Attack surface reduction rules](enable-attack-surface-reduction.md) help prevent software behaviors that are often abused to compromise your device or network. For example, an attacker might try to run an unsigned script off of a USB drive, or have a macro in an Office document make calls directly to the Win32 API. Attack surface reduction rules can constrain these kinds of risky behaviors and improve your organization's defensive posture.
|
||||
|
||||
Learn how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.
|
||||
|
||||
Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
|
||||
You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
|
||||
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
|
||||
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
|
||||
You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
|
||||
|
||||
## Exclude files and folders
|
||||
|
||||
@ -72,7 +77,7 @@ See the [attack surface reduction](attack-surface-reduction.md) topic for detail
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
|
||||
3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**.
|
||||
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
|
||||
|
||||
4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item.
|
||||
|
||||
|
||||
@ -12,22 +12,29 @@ ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
author: levinec
|
||||
ms.author: ellevin
|
||||
ms.date: 05/05/2020
|
||||
ms.date: 05/20/2020
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
|
||||
# Enable attack surface reduction rules
|
||||
|
||||
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuse to compromise devices and networks. You can set attack surface reduction rules for computers running Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
|
||||
[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
|
||||
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
|
||||
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
|
||||
|
||||
Each ASR rule contains three settings:
|
||||
Each ASR rule contains one of three settings:
|
||||
|
||||
* Not configured: Disable the ASR rule
|
||||
* Block: Enable the ASR rule
|
||||
* Audit: Evaluate how the ASR rule would impact your organization if enabled
|
||||
|
||||
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
|
||||
To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
|
||||
|
||||
> [!TIP]
|
||||
> To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
|
||||
|
||||
You can enable attack surface reduction rules by using any of these methods:
|
||||
|
||||
|
||||
@ -12,7 +12,7 @@ ms.localizationpriority: medium
|
||||
audience: ITPro
|
||||
author: levinec
|
||||
ms.author: ellevin
|
||||
ms.date: 04/02/2019
|
||||
ms.date: 05/20/2020
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
---
|
||||
@ -23,7 +23,11 @@ manager: dansimp
|
||||
|
||||
* [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||
|
||||
Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. Attack surface reduction rules are supported on Windows 10, versions 1709 and 1803 or later, Windows Server, version 1803 (Semi-Annual Channel) or later, and Windows Server 2019.
|
||||
Attack surface reduction rules help prevent actions that are typically used by malware to compromise devices or networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
|
||||
- Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
|
||||
- Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
|
||||
- [Windows Server 2019](https://docs.microsoft.com/windows-server/get-started-19/whats-new-19)
|
||||
|
||||
Learn how to evaluate attack surface reduction rules, by enabling audit mode to test the feature directly in your organization.
|
||||
|
||||
|
||||
@ -25,6 +25,8 @@ Conducting a comprehensive security product evaluation can be a complex process
|
||||
|
||||
The Microsoft Defender ATP evaluation lab is designed to eliminate the complexities of machine and environment configuration so that you can focus on evaluating the capabilities of the platform, running simulations, and seeing the prevention, detection, and remediation features in action.
|
||||
|
||||
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4qLUM]
|
||||
|
||||
With the simplified set-up experience, you can focus on running your own test scenarios and the pre-made simulations to see how Microsoft Defender ATP performs.
|
||||
|
||||
You'll have full access to the powerful capabilities of the platform such as automated investigations, advanced hunting, and threat analytics, allowing you to test the comprehensive protection stack that Microsoft Defender ATP offers.
|
||||
|
||||
Binary file not shown.
|
After Width: | Height: | Size: 47 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 43 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 29 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 49 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 100 KiB |
Binary file not shown.
|
After Width: | Height: | Size: 24 KiB |
@ -27,8 +27,8 @@ ms.topic: conceptual
|
||||
|
||||
Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization.
|
||||
|
||||
<p></p>
|
||||
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug]
|
||||
|
||||
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4woug]
|
||||
|
||||
|
||||
Article | Description
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user