```
-netsh winhttp show proxy
-```
+For example: 10.0.0.6:8080
-For more information on how to use Netsh see, [Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP)](https://technet.microsoft.com/en-us/library/cc731131(v=ws.10).aspx)
+If the static proxy settings are configured after onboarding, then you must restart the PC to apply the proxy settings.
## Enable access to Windows Defender ATP service URLs in the proxy server
If a proxy or firewall is blocking all traffic by default and allowing only specific domains through, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443:
-- *.blob.core.windows.net
-- crl.microsoft.com
-- eu.vortex-win.data.microsoft.com
-- sevillegwcus.microsoft.com
-- sevillegweus.microsoft.com
-- sevillegwneu.microsoft.com
-- sevillegwweu.microsoft.com
-- us.vortex-win.data.microsoft.com
-- www.microsoft.com
+Primary Domain Controller | .Microsoft.com DNS record
+:---|:---
+ Central US | winatp-gw-cus.microsoft.com
us.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net
+ East US (2)| winatp-gw-eus.microsoft.com
us.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net
+ West Europe | winatp-gw-weu.microsoft.com
eu.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net
+ North Europe | winatp-gw-neu.microsoft.com
eu.vortex-win.data.microsoft.com
crl.microsoft.com
*.blob.core.windows.net
+
+ If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.
-If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted to the above listed URLs.
## Verify client connectivity to Windows Defender ATP service URLs
Verify the proxy configuration completed successfully, that WinHTTP can discover and communicate through the proxy server in your environment, and that the proxy server allows traffic to the Windows Defender ATP service URLs.
-1. Download the connectivity verification tools to the PC where Windows Defender ATP sensor is running on:
+1. Download the [connectivity verification tool](https://go.microsoft.com/fwlink/p/?linkid=823683) to the PC where Windows Defender ATP sensor is running on.
- - [Download PsTools Suite](https://technet.microsoft.com/en-us/sysinternals/bb896649)
- - [Download PortQry Command Line Port Scanner Version 2.0 utility](https://www.microsoft.com/en-us/download/details.aspx?id=17148)
+2. Extract the contents of WDATPConnectivityAnalyzer on the endpoint.
-2. Extract the contents of **PsTools** and **PortQry** to a directory on the computer hard drive.
+3. Open an elevated command-line:
-3. Open an elevated command-line:
-
- a. Click **Start** and type **cmd**.
+ a. Go to **Start** and type **cmd**.
b. Right-click **Command prompt** and select **Run as administrator**.
4. Enter the following command and press **Enter**:
```
- HardDrivePath\PsExec.exe -s cmd.exe
+ HardDrivePath\WDATPConnectivityAnalyzer.cmd
```
- Replace *HardDrivePath* with the path where the PsTools Suite was extracted to:
- 
-
-5. Enter the following command and press **Enter**:
-
+ Replace *HardDrivePath* with the path where the WDATPConnectivityAnalyzer tool was downloaded to, for example
+ ```text
+ C:\Work\tools\WDATPConnectivityAnalyzer\WDATPConnectivityAnalyzer.cmd
```
- HardDrivePath\portqry.exe -n us.vortex-win.data.microsoft.com -e 443 -p tcp
- ```
- Replace *HardDrivePath* with the path where the PortQry utility was extracted to:
- 
-6. Verify that the output shows that the name is **resolved** and connection status is **listening**.
+5. Extract the *WDATPConnectivityAnalyzerResult.zip* file created by tool in the folder used in the *HardDrivePath*.
-7. Repeat the same steps for the remaining URLs with the following arguments:
+6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example:
+ ```text
+ Testing URL : https://xxx.microsoft.com/xxx
+ 1 - Default proxy: Succeeded (200)
+ 2 - Proxy auto discovery (WPAD): Succeeded (200)
+ 3 - Proxy disabled: Succeeded (200)
+ 4 - Named proxy: Doesn't exist
+ 5 - Command line proxy: Doesn't exist
+ ```
- - portqry.exe -n eu.vortex-win.data.microsoft.com -e 443 -p tcp
- - portqry.exe -n sevillegwcus.microsoft.com -e 443 -p tcp
- - portqry.exe -n sevillegweus.microsoft.com -e 443 -p tcp
- - portqry.exe -n sevillegwweu.microsoft.com -e 443 -p tcp
- - portqry.exe -n sevillegwneu.microsoft.com -e 443 -p tcp
- - portqry.exe -n www.microsoft.com -e 80 -p tcp
- - portqry.exe -n crl.microsoft.com -e 80 -p tcp
+If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.
-8. Verify that each URL shows that the name is **resolved** and the connection status is **listening**.
-
-If the any of the verification steps indicate a fail, then verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.
+However, if the connectivity check results indicate a failure, an HTTP error is displayed (see HTTP Status Codes). You can then use the URLs in the table shown in [Enable access to Windows Defender ATP service URLs in the proxy server](#enable-access-to-windows-defender-atp-service-urls-in-the-proxy server). The URLs you'll use will depend on the region selected during the onboarding procedure.
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
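Review bot: The region/URL table added under "Enable access to Windows Defender ATP service URLs in the proxy server" will not render as intended: each region row carries only the gateway hostname on the table line, and the remaining hostnames for that region (the vortex, crl and blob entries) sit on the following lines outside the row, so Markdown renders them as loose text after the table. Put all hostnames for a region in one cell, for example `Central US | winatp-gw-cus.microsoft.com<br>us.vortex-win.data.microsoft.com<br>crl.microsoft.com<br>*.blob.core.windows.net`. The column header "Primary Domain Controller" also mislabels the column: these are the Azure datacenter regions chosen at onboarding, so "Region" or "Datacenter" would be accurate. Two smaller points: the cross-reference in the last paragraph of "Verify client connectivity" has a literal space inside its anchor (`...-in-the-proxy server)`), so the link will be broken; and the replacement sentence about anonymous traffic changes "permitted to the above listed URLs" to "permitted in the above listed URLs", which reads worse than the line it replaces. "(see HTTP Status Codes)" should link to the reference it means or be dropped.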
diff --git a/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..9811157abe
--- /dev/null
+++ b/windows/keep-secure/configure-siem-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,43 @@
+---
+title: Configure security information and events management tools
+description: Configure supported security information and events management tools to receive and consume alerts.
+keywords: configure siem, security information and events management tools, splunk, arcsight
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure security information and events management (SIEM) tools to consume alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+Windows Defender ATP supports security information and events management (SIEM) tools to consume alerts. Windows Defender ATP exposes alerts through an HTTPS endpoint hosted in Azure. The endpoint can be configured to get alerts from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for an AAD application that represents the specific SIEM connector installed in your environment.
+
+Windows Defender ATP currently supports the following SIEM tools:
+
+- Splunk
+- HP ArcSight
+
+To use either of these supported SIEM tools you'll need to:
+
+- [Configure an Azure Active Directory application for SIEM integration in your tenant](configure-aad-windows-defender-advanced-threat-protection.md)
+- Configure the supported SIEM tool:
+ - [Configure Splunk to consume alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+ - [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+
+## In this section
+
+Topic | Description
+:---|:---
+[Configure an Azure Active Directory application](configure-aad-windows-defender-advanced-threat-protection.md)| Learn about configuring an Azure Active Directory application to integrate with supported security information and events management (SIEM) tools.
+ [Configure Splunk](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to consume Windows Defender ATP alerts.
+ [Configure ArcSight](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to consume Windows Defender ATP alerts.
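Review bot: The expansion "security information and events management" used in the title, description, keywords, heading, first paragraph and the table of this new topic should be "security information and event management", which is what SIEM stands for; the same wording is repeated in the other new topics in this change, so fix it consistently. In the first paragraph, "The endpoint can be configured to get alerts from your enterprise tenant" reads as if the HTTPS endpoint fetched alerts, whereas it is the SIEM connector (the AAD application) that is configured to pull alerts from that endpoint; consider "Your SIEM connector is configured to pull alerts from this endpoint for your enterprise tenant in Azure Active Directory (AAD), using ...". Minor: the last two table rows start with a space before the link while the first row does not.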
diff --git a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..20a3f61f1e
--- /dev/null
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,110 @@
+---
+title: Configure Splunk to consume Windows Defender ATP alerts
+description: Configure Splunk to receive and consume alerts from the Windows Defender ATP portal.
+keywords: configure splunk, security information and events management tools, splunk
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Configure Splunk to consume Windows Defender ATP alerts
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+You'll need to configure Splunk so that it can consume Windows Defender ATP alerts.
+
+## Before you begin
+
+- Install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/) in Splunk
+- Contact the Windows Defender ATP team to get your refresh token
+- Get the following information from your Azure Active Directory (AAD) application by selecting the **View Endpoint** on the application configuration page:
+ - OAuth 2 Token refresh URL
+ - OAuth 2 Client ID
+ - OAuth 2 Client secret
+
+## Configure Splunk
+
+1. Login in to Splunk.
+
+2. Click **Search & Reporting**, then **Settings** > **Data inputs**.
+
+3. Click **REST** under **Local inputs**.
+> [!NOTE]
+> This input will only appear after you install the [REST API Modular Input app](https://splunkbase.splunk.com/app/1546/).
+
+4. Click **New**.
+
+5. Type the following values in the required fields, then click **Save**:
+> [!NOTE]
+>All other values in the form are optional and can be left blank.
+
+
+
+
+ Field |
+ Value |
+
+
+ Endpoint URL |
+ https://DataAccess-PRD.trafficmanager.net:444/api/alerts |
+
+
+ HTTP Method |
+ GET |
+
+ Authentication Type |
+ oauth2 |
+
+ OAuth 2 Token Refresh URL |
+ Value taken from AAD application |
+
+
+ OAuth 2 Client ID |
+ Value taken from AAD application |
+
+
+ OAuth 2 Client Secret |
+ Value taken from AAD application |
+
+
+ Response type |
+ Json |
+
+
+ Response Handler |
+ JSONArrayHandler |
+
+
+ Polling Interval |
+ Number of seconds that Splunk will ping the Windows Defender ATP endpoint. Accepted values are in seconds. |
+
+
+ Set sourcetype |
+ From list |
+
+
+ Source type |
+ \_json |
+
+
+
+
+After completing these configuration steps, you can go to the Splunk dashboard and run queries.
+
+You can use the following query as an example in Splunk:
+```source="rest://windows atp alerts"|spath|table*```
+
+
+## Related topics
+- [Configure security information and events management (SIEM) tools to consume alerts](configure-siem-windows-defender-advanced-threat-protection.md)
+- [Configure Azure Active Directory application for SIEM integration](configure-aad-windows-defender-advanced-threat-protection.md)
+- [Configure HP ArcSight to consume alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
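Review bot: The "Before you begin" list tells the reader to obtain a refresh token from the Windows Defender ATP team, but the field table under step 5 has no field for it (only OAuth 2 Token Refresh URL, Client ID and Client Secret), so the reader ends up holding a credential with nowhere to enter it; either add the row that takes the refresh token or remove that bullet. The field table itself shows here as bare "Field |" / "Value |" lines, which suggests HTML table markup that may not survive the Markdown pipeline; check the rendered page. The example query on the last lines is wrapped in triple backticks on a single line; use a fenced block on its own lines or single backticks, and `table*` should be `table *`. Also "Login in to Splunk" should be "Log in to Splunk", and the Polling Interval description ("Number of seconds ... Accepted values are in seconds") says the same thing twice. Since the Client Secret and refresh token are credentials for the tenant's AAD application, the topic should say they are to be handled as secrets rather than copied around with the other form values.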
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md
index c8f96612a3..b0c15689da 100644
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@@ -12,7 +12,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
@@ -290,7 +290,7 @@ Some ways to store credentials are not protected by Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
-- Credential Guard does not protect the Active Directory database running on Windows Server 2016 Technical Preview domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 Technical Preview servers running Remote Desktop Gateway. If you're using a Windows Server 2016 Technical Preview server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
+- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would be running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
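Review bot: The unchanged context line immediately after the edited bullet, "users with access high value assets in your organization", is missing "to" ("users with access to high value assets"); since this list is being touched for the rename anyway, fix it in the same change. In the edited bullet, "as it would be running Windows 10 Enterprise" reads better as "as if it were running Windows 10 Enterprise".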
@@ -328,7 +328,7 @@ Enabling compound authentication also enables Kerberos armoring, which provides
### Deploying machine certificates
-If the domain controllers in your organization are running Windows Server 2016 Technical Preview, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain.
+If the domain controllers in your organization are running Windows Server 2016, devices running Windows 10 will automatically enroll a machine certificate when Credential Guard is enabled and the PC is joined to the domain.
If the domain controllers are running Windows Server 2012 R2, the machine certificates must be provisioned manually on each device. You can do this by creating a certificate template on the domain controller or certificate authority and deploying the machine certificates to each device.
The same security procedures used for issuing smart cards to users should be applied to machine certificates.
diff --git a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
index 024ddab8e2..e68df885fb 100644
--- a/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/dashboard-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
The **Dashboard** displays a snapshot of:
- The latest active alerts on your network
@@ -40,18 +41,18 @@ You can view the overall number of active ATP alerts from the last 30 days in yo
Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**).
-See the [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topic for more information.
+For more information see, [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
-The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. See the [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) topics for more information.
+The **Latest ATP alerts** section includes the latest active alerts in your network. Each row includes an alert severity category and a short description of the alert. Click an alert to see its detailed view, or **Alerts queue** at the top of the list to go directly to the Alerts queue. For more information see, [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) and [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md).
## Machines at risk
This tile shows you a list of machines with the highest number of active alerts. The total number of alerts for each machine is shown in a circle next to the machine name, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label).

-Click the name of the machine to see details about that machine. See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine) topic for more information.
+Click the name of the machine to see details about that machine. For more information see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-a-machine).
-You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. See the [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) topic for more information.
+You can also click **Machines view** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md).
## Status
The **Status** tile informs you if the service is active and running and the unique number of machines (endpoints) reporting over the past 30 days.
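Review bot: The reworded cross-references in this hunk put the comma in the wrong place: "For more information see, [link]" (four occurrences) should be "For more information, see [link]". The original "See the [link] topic for more information" was at least grammatical, so either keep it or apply the corrected form consistently across the topics touched in this change.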
@@ -84,7 +85,8 @@ Threats are considered "active" if there is a very high probability that the mal
Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine.
-> **Note** The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
### Related topics
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
index a5d2bec8ce..4a509cf46a 100644
--- a/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,15 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP.
-> **Note** This document covers the information specific to the Windows Defender ATP service. Other data shared and stored by Windows Defender and Windows 10 is covered under the [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See the [Windows 10 privacy FAQ for more information](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq).
+> [!NOTE]
+> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://privacy.microsoft.com/en-us/privacystatement). See also [Windows 10 privacy FAQ](http://windows.microsoft.com/en-au/windows-10/windows-privacy-faq) for more information.
## What data does Windows Defender ATP collect?
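Review bot: The rewritten note changes what it says the Privacy Statement covers: the removed text said that other data shared by Windows Defender and Windows 10 is covered by the Microsoft Privacy Statement, while the new "For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see Microsoft Privacy Statement" reads as if the Privacy Statement were also the reference for Windows Defender ATP data, which is what this topic itself documents. Keep the original scoping sentence ("This document covers the information specific to the Windows Defender ATP service"), and collapse the two "for more information" phrases, since the note currently ends with "See also ... for more information" right after "For more information ..., see".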
@@ -28,7 +30,7 @@ Microsoft will collect and store information from your configured endpoints in a
Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version).
-Microsoft stores this data in a Microsoft Azure security-specific data store, and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
+Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://azure.microsoft.com/en-us/support/trust-center/).
Microsoft uses this data to:
- Proactively identify indicators of attack (IOAs) in your organization
@@ -39,10 +41,10 @@ Microsoft does not mine your data for advertising or for any other purpose other
## Do I have the flexibility to select where to store my data?
-Data for this new service is stored in Microsoft Azure datacenters in the United States and European Union based on the geolocation properties. Subject to the relevant preview program you may be able to specify your preferred geolocation when you onboard to the service. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations in which your data will reside. Microsoft will not transfer the data from the specified geolocation except in specific circumstances during the preview stage.
+When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
## Is my data isolated from other customer data?
-Yes. The new cloud service provides appropriate segregation at a number of levels, such as isolation of files, configurations, and telemetry data. Aside from data access authentication, simply keeping different data appropriately segregated provides well-recognized protection.
+Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How does Microsoft prevent malicious insider activities and abuse of high privilege roles?
@@ -58,18 +60,14 @@ Additionally, Microsoft conducts background verification checks of certain opera
No. Customer data is isolated from other customers and is not shared. However, insights on the data resulting from Microsoft processing, and which don’t contain any customer specific data, might be shared with other customers. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
## How long will Microsoft store my data? What is Microsoft’s data retention policy?
-Your data privacy is one of Microsoft's key commitments for the cloud. For this service, at contract termination or expiration, your data will be erased from Microsoft’s systems to make it unrecoverable after 90 days (from contract termination or expiration).
+**At service onboarding**
+You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs.
+
+**At contract termination or expiration**
+Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration.
+
## Can Microsoft help us maintain regulatory compliance?
Microsoft provides customers with detailed information about Microsoft's security and compliance programs, including audit reports and compliance packages, to help customers assess Windows Defender ATP services against their own legal and regulatory requirements. Windows Defender ATP has a roadmap for obtaining national, regional and industry-specific certifications, starting with ISO 27001. The service is designed, implemented, and maintained according to the compliance and privacy principles of ISO 27001, as well as Microsoft’s compliance standards.
By providing customers with compliant, independently-verified services, Microsoft makes it easier for customers to achieve compliance for the infrastructure and applications they run, including this new Microsoft cloud service.
-## Is there a difference between how Microsoft handles data for the preview programs and for General Availability?
-Subject to the preview program you are in, you could be asked to choose to store your data in a datacenter either in Europe or United States. Your data will not be copied or moved outside of the datacenter you choose, except in the following specific circumstance:
-
-1. You choose Europe as your datacenter, and
-2. You [submit a file for deep analysis](investigate-files-windows-defender-advanced-threat-protection.md#submit-files-for-analysis).
-
-In this circumstance, the submitted file will be sent to the US deep analysis laboratory. The results of the analysis will be stored in the European datacenter, and the file and data will be deleted from the US deep analysis laboratory and datacenter.
-
-This is a temporary measure as we work to integrate our deep analysis capabilities into the European datacenter. If you have any concerns or questions about submitting files for deep analysis and you are using a European datacenter, or if you’d like to be updated as to when the European deep analysis lab is online, email [winatp@microsoft.com](mailto:winatp@microsoft.com).
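Review bot: "Window Defender ATP" in the new "At service onboarding" paragraph is missing the "s", and "There's a flexibility of choosing in the range of 1 month to six months" should read "You can choose a retention period between one and six months" (use the same number style for both bounds). Removing the "Is there a difference between how Microsoft handles data for the preview programs ..." section drops the only statement that files submitted for deep analysis from a European datacenter are sent to a US laboratory; together with the earlier hunk's new unconditional "Microsoft will not transfer the data from the specified geolocation", please confirm that deep-analysis submissions now stay in the selected datacenter, or keep a sentence documenting that exception.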
diff --git a/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..2ad4b75d16
--- /dev/null
+++ b/windows/keep-secure/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,32 @@
+---
+title: Windows Defender compatibility
+description: Learn about how Windows Defender works with Windows Defender ATP.
+keywords: windows defender compatibility, defender, windows defender atp
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mjcaparas
+---
+
+# Windows Defender compatibility
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+The Windows Defender Advanced Threat Protection agent depends on Windows Defender for some capabilities such as file scanning.
+
+If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender on that endpoint will enter into passive mode.
+
+Windows Defender will continue to receive updates, and the *mspeng.exe* process will be listed as a running a service, but it will not perform scans and will not replace the running third-party antimalware client.
+
+The Windows Defender interface will be disabled, and users on the endpoint will not be able to use Windows Defender to perform on-demand scans or configure most options.
+
+For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
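Review bot: The link in the last paragraph is broken by a space after the "#" (`windows-defender-in-windows-10.md# compatibility-with-...`); remove the space so the fragment resolves. In the paragraph about updates, "will be listed as a running a service" has a stray "a", and the process name *mspeng.exe* should be checked against what actually appears on an endpoint (the Windows Defender antimalware service executable is MsMpEng.exe). The first sentence says the agent "depends on Windows Defender for some capabilities such as file scanning", while the later paragraph says Windows Defender in passive mode "will not perform scans"; the topic should tell the reader what happens to those dependent capabilities when a third-party antimalware client is installed.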
diff --git a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
index f019d14fdf..3dd165c68a 100644
--- a/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -1,7 +1,7 @@
---
title: Review events and errors on endpoints with Event Viewer
description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service.
-keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Advanced Threat Protection service, cannot start, broken, can't start
+keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@@ -15,16 +15,19 @@ author: iaanw
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Event Viewer
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/en-US/library/aa745633(v=bts.10).aspx) on individual endpoints.
For example, if endpoints are not appearing in the **Machines view** list, you might need to look for event IDs on the endpoints. You can then use this table to determine further troubleshooting steps.
-> **Note** It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
+> [!NOTE]
+> It can take several days for endpoints to begin reporting to the Windows Defender ATP service.
**Open Event Viewer and find the Windows Defender ATP service event log:**
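Review bot: `- Event Viewer` is added to the **Applies to:** list, but that list otherwise names product editions, and Event Viewer is a tool; consider dropping it, since Event Viewer is already linked in the body text of this topic.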
@@ -35,7 +38,8 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
a. You can also access the log by expanding **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE** and click on **Operational**.
- > **Note** SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+ > [!NOTE]
+ > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
3. Events recorded by the service will appear in the log. See the following table for a list of events recorded by the service.
@@ -49,39 +53,39 @@ For example, if endpoints are not appearing in the **Machines view** list, you m
1 |
-Windows Advanced Threat Protection service started (Version ```variable```). |
+Windows Defender Advanced Threat Protection service started (Version ```variable```). |
Occurs during system start up, shut down, and during onbboarding. |
Normal operating notification; no action required. |
2 |
-Windows Advanced Threat Protection service shutdown. |
+Windows Defender Advanced Threat Protection service shutdown. |
Occurs when the endpoint is shut down or offboarded. |
Normal operating notification; no action required. |
3 |
-Windows Advanced Threat Protection service failed to start. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to start. Failure code: ```variable```. |
Service did not start. |
Review other messages to determine possible cause and troubleshooting steps. |
4 |
-Windows Advanced Threat Protection service contacted the server at ```variable```. |
-variable = URL of the Windows Defender ATP processing servers.
+ | Windows Defender Advanced Threat Protection service contacted the server at ```variable```. |
+Variable = URL of the Windows Defender ATP processing servers.
This URL will match that seen in the Firewall or network activity. |
Normal operating notification; no action required. |
5 |
-Windows Advanced Threat Protection service failed to connect to the server at ```variable```. |
-variable = URL of the Windows Defender ATP processing servers.
+ | Windows Defender Advanced Threat Protection service failed to connect to the server at ```variable```. |
+Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL. |
Check the connection to the URL. See [Configure proxy and Internet connectivity](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity). |
6 |
-Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. |
+Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. |
The endpoint did not onboard correctly and will not be reporting to the portal. |
Onboarding must be run before starting the service.
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
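Review bot: the rewritten rows for events 4 and 5 now start with ` | ` (` | Windows Defender Advanced Threat Protection service contacted the server at ...`), which adds an empty leading cell and shifts those rows' columns relative to the other rows, whose message text starts the line; drop the leading pipe. The unchanged context line `Occurs during system start up, shut down, and during onbboarding.` has a typo (`onboarding`) that could be fixed in the same pass. The event 5 link target `#configure-proxy-and-Internet-connectivity` has an uppercase `I`; generated heading anchors are lowercase, so check that it resolves.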
@@ -89,72 +93,66 @@ See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defen
|
7 |
-Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: ```variable``` |
-The endpoint did not onboard correctly and will not be reporting to the portal. |
+Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure: ```variable```. |
+Variable = detailed error description. The endpoint did not onboard correctly and will not be reporting to the portal. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
8 |
-Windows Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable``` |
-The endpoint did not onboard correctly and will not be reporting to the portal. |
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+Windows Defender Advanced Threat Protection service failed to clean its configuration. Failure code: ```variable```. |
+**During onboarding:** The service failed to clean its configuration during the onboarding. The onboarding process continues.
**During offboarding:** The service failed to clean its configuration during the offboarding. The offboarding process finished but the service keeps running.
+ |
+**Onboarding:** No action required.
**Offboarding:** Reboot the system.
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). |
9 |
-Windows Advanced Threat Protection service failed to change its start type. Failure code: ```variable``` |
-The endpoint did not onboard correctly and will not be reporting to the portal. |
+Windows Defender Advanced Threat Protection service failed to change its start type. Failure code: ```variable```. |
+**During onboarding:** The endpoint did not onboard correctly and will not be reporting to the portal.
**During offboarding:** Failed to change the service start type. The offboarding process continues. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
10 |
-Windows Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to persist the onboarding information. Failure code: ```variable```. |
The endpoint did not onboard correctly and will not be reporting to the portal. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
11 |
-Windows Advanced Threat Protection service completed. |
+Onboarding or re-onboarding of Windows Defender Advanced Threat Protection service completed. |
The endpoint onboarded correctly. |
Normal operating notification; no action required.
It may take several hours for the endpoint to appear in the portal. |
12 |
-Windows Advanced Threat Protection failed to apply the default configuration. |
-Service was unable to apply configuration from the processing servers. |
-This is a server error and should resolve after a short period. |
+Windows Defender Advanced Threat Protection failed to apply the default configuration. |
+Service was unable to apply the default configuration. |
+This error should resolve after a short period of time. |
13 |
-Service machine ID calculated: ```variable``` |
+Windows Defender Advanced Threat Protection machine ID calculated: ```variable```. |
Normal operating process. |
Normal operating notification; no action required. |
-14 |
-Service cannot calculate machine ID. Failure code: ```variable``` |
-Internal error. |
-Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
-
-
15 |
-Windows Advanced Threat Protection cannot start command channel with URL: ```variable``` |
-variable = URL of the Windows Defender ATP processing servers.
+ | Windows Defender Advanced Threat Protection cannot start command channel with URL: ```variable```. |
+Variable = URL of the Windows Defender ATP processing servers.
The service could not contact the external processing servers at that URL. |
Check the connection to the URL. See [Configure proxy and Internet connectivity](#configure-proxy-and-Internet-connectivity). |
17 |
-Windows Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to change the Connected User Experiences and Telemetry service location. Failure code: ```variable```. |
An error occurred with the Windows telemetry service. |
-[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled)
+ | [Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
18 |
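Review bot: event 14 is removed outright with no replacement; if the service still emits event 14 the table now has a gap, so confirm the event is retired. Event 7's message changes `Failure code:` to `Failure:` while every other row keeps `Failure code:`; keep the wording consistent unless the logged text really differs. The rows for events 15 and 17 gain the same leading ` | ` as events 4 and 5, adding an empty first cell. The event 15 action links to `#configure-proxy-and-Internet-connectivity` on this page, but that section lives in the troubleshooting topic (event 5 links to `troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#configure-proxy-and-Internet-connectivity`); use the cross-file link here as well.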
@@ -171,44 +169,45 @@ If this error persists after a system restart, ensure all Windows updates have f
20 |
-Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable``` |
+Cannot wait for OOBE (Windows Welcome) to complete. Failure code: ```variable```. |
Internal error. |
If this error persists after a system restart, ensure all Windows updates have full installed. |
25 |
-Windows Advanced Threat Protection service failed to reset health status in the registry, causing the onboarding process to fail. Failure code: ```variable``` |
-The endpoint did not onboard correctly and will not be reporting to the portal. |
+Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: ```variable```. |
+The endpoint did not onboard correctly.
+It will report to the portal, however the service may not appear as registered in SCCM or the registry. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
26 |
-Windows Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to set the onboarding status in the registry. Failure code: ```variable```. |
The endpoint did not onboard correctly.
It will report to the portal, however the service may not appear as registered in SCCM or the registry. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
27 |
-Windows Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to enable SENSE aware mode in Windows Defender. Onboarding process failed. Failure code: ```variable```. |
Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
Ensure real-time antimalware protection is running properly. |
28 |
-Windows Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration failed. Failure code: ```variable```. |
An error occurred with the Windows telemetry service. |
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
30 |
-Windows Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to disable SENSE aware mode in Windows Defender. Failure code: ```variable```. |
Normally, Windows Defender will enter a special passive state if another real-time antimalware product is running properly on the endpoint, and the endpoint is reporting to Windows Defender ATP. |
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
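Review bot: event 25's description cell is now a copy of event 26's (`The endpoint did not onboard correctly.` followed by `It will report to the portal, however ...`); the two sentences pull in opposite directions, and the removed text said onboarding failed, so confirm which behaviour is correct for event 25. The final `See [Configure Windows Defender ATP endpoints](...)` line for event 30 is left without the trailing period that this change adds to the same line in every other row. In context, `ensure all Windows updates have full installed` should read `fully installed`.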
@@ -216,24 +215,115 @@ Ensure real-time antimalware protection is running properly. |
31 |
-Windows Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable``` |
-An error occurred with the Windows telemetry service. |
+Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service unregistration failed. Failure code: ```variable```. |
+An error occurred with the Windows telemetry service during onboarding. The offboarding process continues. |
[Check for errors with the Windows telemetry service](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled). |
+32 |
+Windows Defender Advanced Threat Protection service failed to request to stop itself after offboarding process. Failure code: %1 |
+An error occurred during offboarding. |
+Reboot the machine. |
+
+
33 |
-Windows Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to persist SENSE GUID. Failure code: ```variable```. |
A unique identifier is used to represent each endpoint that is reporting to the portal.
If the identifier does not persist, the same machine might appear twice in the portal. |
Check registry permissions on the endpoint to ensure the service can update the registry. |
34 |
-Windows Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable``` |
+Windows Defender Advanced Threat Protection service failed to add itself as a dependency on the Connected User Experiences and Telemetry service, causing onboarding process to fail. Failure code: ```variable```. |
An error occurred with the Windows telemetry service. |
[Ensure the telemetry service is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-the-telemetry-and-diagnostics-service-is-enabled).
Check that the onboarding settings and scripts were deployed properly. Try to redeploy the configuration packages.
-See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md) |
+See [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md).
+
+
+35 |
+Windows Defender Advanced Threat Protection service failed to remove itself as a dependency on the Connected User Experiences and Telemetry service. Failure code: ```variable```. |
+An error occurred with the Windows telemetry service during offboarding. The offboarding process continues.
+ |
+Check for errors with the Windows telemetry service. |
+
+
+36 |
+Windows Defender Advanced Threat Protection Connected User Experiences and Telemetry service registration succeeded. Completion code: ```variable```. |
+Registering Windows Defender Advanced Threat Protection with the Connected User Experiences and Telemetry service completed successfully. |
+Normal operating notification; no action required. |
+
+
+37 |
+Windows Defender Advanced Threat Protection A module is about to exceed its quota. Module: %1, Quota: {%2} {%3}, Percentage of quota utilization: %4. |
+The machine has almost used its allocated quota of the current 24-hour window. It’s about to be throttled. |
+Normal operating notification; no action required. |
+
+
+38 |
+Network connection is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. |
+The machine is using a metered/paid network and will be contacting the server less frequently. |
+Normal operating notification; no action required. |
+
+
+39 |
+Network connection is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Metered connection: %2, internet available: %3, free network available: %4. |
+The machine is not using a metered/paid connection and will contact the server as usual. |
+Normal operating notification; no action required. |
+
+
+40 |
+Battery state is identified as low. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. |
+The machine has low battery level and will contact the server less frequently. |
+Normal operating notification; no action required. |
+
+
+41 |
+Battery state is identified as normal. Windows Defender Advanced Threat Protection will contact the server every %1 minutes. Battery state: %2. |
+The machine doesn’t have low battery level and will contact the server as usual. |
+Normal operating notification; no action required. |
+
+
+42 |
+Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception message: %4 |
+Internal error. The service failed to start. |
+If this error persists, contact Support. |
+
+
+43 |
+Windows Defender Advanced Threat Protection WDATP component failed to perform action. Component: %1, Action: %2, Exception Type: %3, Exception Error: %4, Exception message: %5 |
+Internal error. The service failed to start. |
+If this error persists, contact Support. |
+
+
+44 |
+Offboarding of Windows Defender Advanced Threat Protection service completed. |
+The service was offboarded. |
+Normal operating notification; no action required. |
+
+
+45 |
+Failed to register and to start the event trace session [%1]. Error code: %2 |
+An error occurred on service startup while creating ETW session. This caused service start-up failure. |
+If this error persists, contact Support. |
+
+
+46 |
+Failed to register and start the event trace session [%1] due to lack of resources. Error code: %2. This is most likely because there are too many active event trace sessions. The service will retry in 1 minute. |
+An error occurred on service startup while creating ETW session due to lack of resources. The service started and is running, but will not report any sensor event until the ETW session is started. |
+Normal operating notification; no action required. The service will try to start the session every minute. |
+
+
+47 |
+Successfully registered and started the event trace session - recovered after previous failed attempts. |
+This event follows the previous event after successfully starting of the ETW session. |
+Normal operating notification; no action required. |
+
+
+48 |
+Failed to add a provider [%1] to event trace session [%2]. Error code: %3. This means that events from this provider will not be reported. |
+Failed to add a provider to ETW session. As a result, the provider events aren’t reported. |
+Check the error code. If the error persists contact Support. |
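Review bot: event 31's new description says the error occurred `during onboarding` and then `The offboarding process continues`; the event is telemetry service unregistration, so this should read `during offboarding`, matching event 35. The new rows for events 32 and 37 through 48 use raw `%1`/`%2` insertion placeholders where every earlier row uses the fenced `variable` placeholder; either convert them or explain the numbered parameters in the description column, as the `Variable = ...` lines do for events 4 and 5. `Windows Defender Advanced Threat Protection A module is about to exceed its quota` (event 37) and `Windows Defender Advanced Threat Protection WDATP component failed to perform action` (events 42 and 43) are missing a separator after the product name. Event 45 reads `Failed to register and to start` while event 46 reads `Failed to register and start`; align them.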
diff --git a/windows/keep-secure/images/alert-details.png b/windows/keep-secure/images/alert-details.png
index 7d23ae0374..e2f5a387b0 100644
Binary files a/windows/keep-secure/images/alert-details.png and b/windows/keep-secure/images/alert-details.png differ
diff --git a/windows/keep-secure/images/alertsq2.png b/windows/keep-secure/images/alertsq2.png
index a11b5ba76b..8e823cd9c7 100644
Binary files a/windows/keep-secure/images/alertsq2.png and b/windows/keep-secure/images/alertsq2.png differ
diff --git a/windows/keep-secure/images/machines-view.png b/windows/keep-secure/images/machines-view.png
index 3baf15a05f..f1d00f4035 100644
Binary files a/windows/keep-secure/images/machines-view.png and b/windows/keep-secure/images/machines-view.png differ
diff --git a/windows/keep-secure/images/onboardingstate.png b/windows/keep-secure/images/onboardingstate.png
index 0606e2b2c6..ab49c49e17 100644
Binary files a/windows/keep-secure/images/onboardingstate.png and b/windows/keep-secure/images/onboardingstate.png differ
diff --git a/windows/keep-secure/images/portal-image.png b/windows/keep-secure/images/portal-image.png
index be59f06fa5..c038da30de 100644
Binary files a/windows/keep-secure/images/portal-image.png and b/windows/keep-secure/images/portal-image.png differ
diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
index 813a67705d..2dc4c2628a 100644
--- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
+++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md
@@ -340,6 +340,7 @@ You’ll need this software to set Windows Hello for Business policies in your e
Azure AD subscription
[Azure AD Connect](http://go.microsoft.com/fwlink/p/?LinkId=616792)
AD CS with NDES
+<<<<<<< HEAD
Configuration Manager for domain-joined certificate enrollment, or InTune for non-domain-joined devices, or a non-Microsoft MDM service that supports Passport for Work
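Review bot: the added line `<<<<<<< HEAD` is an unresolved merge-conflict marker and will render verbatim in the published topic; resolve the conflict and remove the marker (and any matching `=======` and `>>>>>>>` lines) before merging.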
diff --git a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
index d724b1862d..8bd01c944f 100644
--- a/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
Alerts in Windows Defender ATP indicate possible security breaches on endpoints in your organization.
There are three alert severity levels, described in the following table.
@@ -43,17 +44,39 @@ Details displayed about the alert include:
- When the alert was last observed
- Alert description
- Recommended actions
-- The potential scope of breach
+- The incident graph
- The indicators that triggered the alert
-
-
Alerts attributed to an adversary or actor display a colored tile with the actor name.
Click on the actor's name to see a threat intelligence profile of the actor, including a brief overview of the actor, their interests or targets, tools, tactics, and processes (TTPs) as well as areas where it's active worldwide. You will also see a set of recommended actions to take.
Some actor profiles include a link to download a more comprehensive threat intelligence report.
+
+
+## Incident graph
+The incident graph provides a visual representation of where an alert was seen, events that triggered the alert, and which other machines are affected by the event. It provides an illustrated alert footprint on the original machine and expands to show the footprint of each alert event on other machines.
+
+You can click the circles on the incident graph to expand the nodes and view the associated events or files related to the alert.
+
+## Alert spotlight
+The alert spotlight feature helps ease investigations by highlighting alerts related to a specific machine and events. You can highlight an alert and its related events in the machine timeline to increase your focus during an investigation.
+
+You can click on the machine link from the alert view to see the alerts related to the machine.
+
+
+ > [!NOTE]
+ > This shortcut is not available from the Incident graph machine links.
+
+Alerts related to the machine are displayed under the **Alerts related to this machine** section.
+Clicking on an alert row takes you the to the date in which the alert was flagged on **Machine timeline**. This eliminates the need to manually filter and drag the machine timeline marker to when the alert was seen on that machine.
+
+You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine. Right-click on any alert from either section and select **Mark related events**. This highlights alerts and events that are related and helps differentiate between the other alerts listed in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviours**, or **Verbose**.
+
+You can also remove the highlight by right-clicking a highlighted alert and selecting **Unmark related events**.
+
+
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
- [View and organize the Windows Defender Advanced Threat Protection Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
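Review bot: `Clicking on an alert row takes you the to the date` should read `takes you to the date`. The new **Alert spotlight** section writes `Behaviours`; the rest of these topics use US spelling, so check the label against the portal filter names. The `> [!NOTE]` block under `You can click on the machine link from the alert view` is indented by one space while the surrounding paragraphs are not; outdent it to match the other notes in this file.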
diff --git a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
index fd75059fff..d138e36e1f 100644
--- a/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -13,11 +13,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
You can see information from the following sections in the URL view:
diff --git a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
index 5dfb3959f9..6c1309102d 100644
--- a/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-files-windows-defender-advanced-threat-protection.md
@@ -13,11 +13,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
You can get information from the following sections in the file view:
@@ -62,11 +63,13 @@ Use the deep analysis feature to investigate the details of any file, usually du
In the file's page, **Submit for deep analysis** is enabled when the file is available in the Windows Defender ATP backend sample collection or if it was observed on a Windows 10 machine that supports submitting to deep analysis.
-> **Note** Only files from Windows 10 can be automatically collected.
+> [!NOTE]
+> Only files from Windows 10 can be automatically collected.
You can also manually submit a sample through the [Malware Protection Center Portal](https://www.microsoft.com/en-us/security/portal/submission/submit.aspx) if the file was not observed on a Windows 10 machine, and wait for **Submit for deep analysis** button to become available.
-> **Note** Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
+> [!NOTE]
+> Due to backend processing flows in the Malware Protection Center Portal, there could be up to 10 minutes of latency between file submission and availability of the deep analysis feature in Windows Defender ATP.
When the sample is collected, Windows Defender ATP runs the file in is a secure environment and creates a detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communication to IPs, and registry modifications.
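Review bot: the unchanged context line `Windows Defender ATP runs the file in is a secure environment` contains a stray `is`; since this hunk already touches the surrounding lines, fix it to `runs the file in a secure environment` in the same change.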
@@ -84,7 +87,8 @@ When the sample is collected, Windows Defender ATP runs the file in is a secure
A progress bar is displayed and provides information on the different stages of the analysis. You can then view the report when the analysis is done.
-> **Note** Depending on machine availability, sample collection time can vary. There is a 3-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
+> [!NOTE]
+> Depending on machine availability, sample collection time can vary. There is a 1-hour timeout for sample collection. The collection will fail and the operation will abort if there is no online Windows 10 machine reporting at that time. You can re-submit files for deep analysis to get fresh data on the file.
## View deep analysis report
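Review bot: this hunk silently changes the sample-collection timeout from "3-hour" to "1-hour" inside what is otherwise a note-syntax conversion. Please confirm in the commit message that the product behaviour actually changed, and keep factual changes like this in their own commit so they are not lost among formatting edits.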
@@ -121,10 +125,11 @@ HKLM\SOFTWARE\Policies\Microsoft\Sense\AllowSampleCollection
Value = 0 - block sample collection
Value = 1 - allow sample collection
```
-5. Change the organizational unit through the Group Policy. See [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
+5. Change the organizational unit through the Group Policy. For more information, see [Configure with Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md).
6. If these steps do not resolve the issue, contact [winatp@microsoft.com](mailto:winatp@microsoft.com).
-> **Note** If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
+> [!NOTE]
+> If the value *AllowSampleCollection* is not available, the client will allow sample collection by default.
### Related topics
- [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md)
diff --git a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
index e1427b0400..dd72b28bc9 100644
--- a/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -13,12 +13,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-
Examine possible communication between your machines and external internet protocol (IP) addresses.
Identifying all machines in the organization that communicated with a suspected or known malicious IP address, such as Command and Control (C2) servers, helps determine the potential scope of breach, associated files, and infected machines.
@@ -43,7 +43,8 @@ The **Communication with IP in organization** section provides a chronological v
Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of machines in the organization that communicated with this IP Address (during selectable time period), and the machines in the organization that were observed communicating with this IP address.
-> **Note** Search results will only be returned for IP addresses observed in communication with machines in the organization.
+> [!NOTE]
+> Search results will only be returned for IP addresses observed in communication with machines in the organization.
Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all machines in the organization observed communicating with the IP address, the file associated with the communication and the last date observed.
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
index 0a7f63c71b..7eae125102 100644
--- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network.
Use the Machines view in these two main scenarios:
@@ -37,7 +38,8 @@ The Machines view contains the following columns:
- **Active Alerts** - the number of alerts reported by the machine by severity
- **Active malware detections** - the number of active malware detections reported by the machine
-> **Note** The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> The **Active alerts** and **Active malware detections** filter column will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
Click any column header to sort the view in ascending or descending order.
@@ -55,7 +57,8 @@ You can filter the view by the following time periods:
- 30 days
- 6 months
-> **Note** When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
+> [!NOTE]
+> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period.
The threat category filter lets you filter the view by the following categories:
@@ -65,7 +68,7 @@ The threat category filter lets you filter the view by the following categories:
- Threat
- Low severity
-See the [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections) topic for a description of each category.
+For more information on the description of each category see, [Investigate machines with active alerts](dashboard-windows-defender-advanced-threat-protection.md#investigate-machines-with-active-malware-detections).
You can also download a full list of all the machines in your organization, in CSV format. Click the **Manage Alert** menu icon  to download the entire list as a CSV file.
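Review bot: the new cross-reference sentence places the comma after "see" ("For more information on the description of each category see, [Investigate...]"); the comma belongs before "see" ("For more information on each category, see [...]"). The same "see, [" pattern is introduced in several other topics in this change and should be fixed consistently. Also note the link text says "Investigate machines with active alerts" while the anchor is `#investigate-machines-with-active-malware-detections`; align the text with the target heading so readers are not surprised.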
@@ -100,6 +103,8 @@ You'll see an aggregated view of alerts, a short description of the alert, detai
This feature also enables you to selectively drill down into a behavior or event that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period.
+You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alerts-spotlight) feature to see the correlation between alerts and events on a specific machine.
+

Use the search bar to look for specific alerts or files associated with the machine.
diff --git a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
index 718b2e22ce..e4e5a94751 100644
--- a/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -14,14 +14,15 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
Windows Defender ATP notifies you of detected, possible attacks or breaches through alerts. A summary of new alerts is displayed in the **Dashboard**, and you can access all alerts in the **Alerts queue** menu.
-See the [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts) topic for more details on how to investigate alerts.
+For more information on how to investigate alerts see, [Investigate Windows Defender ATP alerts](investigate-alerts-windows-defender-advanced-threat-protection.md#investigate-windows-defender-advanced-threat-protection-alerts).
Click the **Manage Alert** menu icon  on the top of the alert to access the Manage Alert menu and manage alerts.
@@ -86,7 +87,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you
1. Click the **Manage Alert** menu icon  on the heading of an existing alert.
2. Choose the context for suppressing the alert.
-> **Note** You cannot create a custom or blank suppression rule. You must start from an existing alert.
+> [!NOTE]
+> You cannot create a custom or blank suppression rule. You must start from an existing alert.
**See the list of suppression rules:**
@@ -95,7 +97,8 @@ The context of the rule lets you tailor the queue to ensure that only alerts you

-> **Note** You can also click **See rules** in the confirmation window that appears when you suppress an alert.
+> [!NOTE]
+> You can also click **See rules** in the confirmation window that appears when you suppress an alert.
The list of suppression rules shows all the rules that users in your organization have created.
Each rule shows:
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 1bc9344b78..85249ee5d8 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -14,33 +14,102 @@ author: iaanw
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
There are some minimum requirements for onboarding your network and endpoints.
## Minimum requirements
### Network and data storage and configuration requirements
-
-
-
-
-When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in either a European or United States datacenter.
+When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.
> **Notes**
- You cannot change your data storage location after the first-time setup.
- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data.
### Endpoint hardware and software requirements
-Endpoints on your network must be running Windows 10 Insider Preview Build 14332 or later. The hardware requirements for Windows Defender ATP on endpoints is the same as those for Windows 10 Insider Preview Build 14332 or later.
+The Windows Defender ATP agent only supports the following editions of Windows 10:
-> **Note** Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
-Internet connectivity on endpoints is also required. See [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) for additional proxy configuration settings.
+Endpoints on your network must be running one of these editions.
+
+The hardware requirements for Windows Defender ATP on endpoints is the same as those for the supported editions.
+
+> [!NOTE]
+> Endpoints that are running Windows Server and mobile versions of Windows are not supported.
+
+#### Internet connectivity
+Internet connectivity on endpoints is required.
+
+SENSE can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data.
+
+> [!NOTE]
+> SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+
+For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) .
Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section.
+### Telemetry and diagnostics settings
+You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization.
+By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them.
+**Use the command line to check the Windows 10 telemetry and diagnostics service startup type**:
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc qc diagtrack
+ ```
+
+If the service is enabled, then the result should look like the following screenshot:
+
+
+
+If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the service to automatically start.
+
+
+
+**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
+
+1. Open an elevated command-line prompt on the endpoint:
+
+ a. Go to **Start** and type **cmd**.
+
+ b. Right-click **Command prompt** and select **Run as administrator**.
+
+2. Enter the following command, and press **Enter**:
+
+ ```text
+ sc config diagtrack start=auto
+ ```
+
+3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
+
+ ```text
+ sc qc diagtrack
+ ```
+
+## Windows Defender signature updates are configured
+The Windows Defender ATP agent depends on Windows Defender’s ability to scan files and provide information about them. If Windows Defender is not the active antimalware in your organization, you may need to configure the signature updates. For more information see [Configure Windows Defender in Windows 10](windows-defender-in-windows-10.md).
+
+When Windows Defender is not the active antimalware in your organization and you use the Windows Defender ATP service, Windows Defender goes on passive mode. For more information, see the **Compatibility** section in the [Windows Defender in Windows 10 topic](windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection).
+
+## Windows Defender Early Launch Antimalware (ELAM) driver is enabled
+If you're running Windows Defender as the primary antimalware product on your endpoints, the Windows Defender ATP agent will successfully onboard.
+
+If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information on how to validate and enable the Windows Defender ELAM driver see, [Ensure the Windows Defender ELAM driver is enabled](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-the-windows-defender-elam-driver-is-enabled).
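Review bot: the command in the "set the service to automatically start" procedure is written as `sc config diagtrack start=auto`, but `sc.exe` requires a space after the equals sign (`sc config diagtrack start= auto`); as written the command is rejected, so readers following this procedure will not get the "success message" the next step promises. Also in this hunk: the Compatibility link `windows-defender-in-windows-10.md# compatibility-with-windows-defender-advanced-threat-protection` contains a space after `#`, which breaks the anchor; "The hardware requirements ... is the same" should be "are the same"; the two "see, [" cross-references need the comma moved before "see" and the stray space before the final period removed; and the unchanged paragraph that follows the Internet connectivity section (telling readers to enable telemetry via the troubleshooting topic) now duplicates the new "Telemetry and diagnostics settings" section and could be folded into it.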
diff --git a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
index 942dfa02ee..1c962bc1ec 100644
--- a/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -14,13 +14,15 @@ author: iaanw
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
You need to onboard to Windows Defender ATP before you can use the service.
+
## In this section
Topic | Description
:---|:---
diff --git a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
index 6363ce613d..177d0998d6 100644
--- a/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/portal-overview-windows-defender-advanced-threat-protection.md
@@ -14,12 +14,12 @@ author: DulceMV
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-
Enterprise security teams can use the Windows Defender ATP portal to monitor and assist in responding to alerts of potential advanced persistent threat (APT) activity or data breaches.
You can use the [Windows Defender ATP portal](https://securitycenter.windows.com/) to:
@@ -37,19 +37,20 @@ When you open the portal, you’ll see the main areas of the application:

-> **Note** Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
+> [!NOTE]
+> Malware related detections will only appear if your endpoints are using [Windows Defender](https://technet.microsoft.com/en-us/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product.
You can navigate through the portal using the menu options available in all sections. Refer to the following table for a description of each section.
Area | Description
:---|:---
(1) Settings | Provides access to configuration settings such as time zone, alert suppression rules, and license information.
-(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Endpoint Management**.
+(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Preferences setup**, and **Enpoint Management**.
**Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization.
**Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts.
**Machines view**| Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts.
-**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period.
-**Endpoint Management**| Allows you to download the onboarding configuration package.
+**Preferences setup**| Shows the settings you selected and lets you update your industry preferences and retention policy period.
+**Enpoint Management**| Allows you to download the onboarding configuration package.
(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view.
(4) Search | Search for machines, files, external IP Addresses, or domains across endpoints. The drop-down combo box allows you to select the entity type.
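Review bot: the two edited table rows change the correctly spelled "Endpoint Management" to "Enpoint Management" (navigation pane row and the **Enpoint Management** row); this is a regression introduced by the change, not a fix. Keep "Endpoint Management" in both rows, which also keeps the name consistent with the other topics in this change.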
diff --git a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
index 72a30d320b..81f36a3d4e 100644
--- a/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
+++ b/windows/keep-secure/prepare-people-to-use-microsoft-passport.md
@@ -83,10 +83,15 @@ If your enterprise enables phone sign-in, users can pair a phone running Windows
**Sign in to PC using the phone**
+<<<<<<< HEAD
1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
> **Note: ** The first time that you run the **Microsoft Authenticator** app, you must add an account.

+=======
+1. Open the **Microsoft Authenticator** app and tap the name of the PC to sign in to.
+ > **Note: ** The first time that you run the **Microsoft Authenticator** app, you must add an account.
+>>>>>>> parent of 9891b67... from master
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
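Review bot: this hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> parent of 9891b67... from master`) into the published topic, along with both competing versions of step 1. Resolve the conflict before merging: keep one version of "Open the **Microsoft Authenticator** app ... and tap the name of the PC to sign in to" with its note, and remove the markers.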
diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 61313be105..d74bdf6189 100644
--- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -216,7 +216,7 @@ The following Windows 10 services are protected with virtualization-based secur
- **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory
- **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
-- **Other isolated services**: for example, on Windows Server Technical Preview 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
+- **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers.
>**Note:** Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended.
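Review bot: while this hunk is renaming "Windows Server Technical Preview 2016" to "Windows Server 2016", the trailing note context line still reads "TPM 2.0. and support for Secure Memory overwritten"; replace the stray period after "2.0" with a comma and consider "Secure Memory Overwrite" (the feature name) so the hardware prerequisites list reads correctly.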
@@ -747,7 +747,7 @@ For more information about conditional access, see [Azure Conditional Access Pre
For on-premises applications there are two options to enable conditional access control based on a device's compliance state:
- For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](http://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
-- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server Technical Preview 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
+- Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.

diff --git a/windows/keep-secure/requirements-to-use-applocker.md b/windows/keep-secure/requirements-to-use-applocker.md
index 6389eb2755..2f9e009bd2 100644
--- a/windows/keep-secure/requirements-to-use-applocker.md
+++ b/windows/keep-secure/requirements-to-use-applocker.md
@@ -32,7 +32,7 @@ The following table show the on which operating systems AppLocker features are s
| Version | Can be configured | Can be enforced | Available rules | Notes |
| - | - | - | - | - |
-| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016 Technical Preview. |
+| Windows 10| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| You can use the [AppLocker CSP](http://msdn.microsoft.com/library/windows/hardware/dn920019.aspx) to configure AppLocker policies on any edition of Windows 10. You can only manage AppLocker with Group Policy on devices running Windows 10 Enterprise and Windows Server 2016. |
| Windows Server 2012 R2| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| |
| Windows 8.1| Yes| Yes| Packaged apps
Executable
Windows Installer
Script
DLL| Only the Enterprise edition supports AppLocker|
| Windows RT 8.1| No| No| N/A||
diff --git a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
index 81d0358abb..e45619b0a3 100644
--- a/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/settings-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: DulceMV
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
Use the **Settings** menu  to configure the time zone, suppression rules, and view license information.
## Time zone settings
@@ -52,7 +53,7 @@ To set the time zone:
3. The time zone indicator changes to **Timezone:Local**. Click it again to change back to **Timezone:UTC**.
## Suppression rules
-The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. See [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
+The suppression rules control what alerts are suppressed. You can suppress alerts so that certain activities are not flagged as suspicious. For more information see, [Suppress alerts](manage-alerts-windows-defender-advanced-threat-protection.md#suppress-alerts).
## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md
index 81b6385faf..049685cef2 100644
--- a/windows/keep-secure/tpm-recommendations.md
+++ b/windows/keep-secure/tpm-recommendations.md
@@ -14,7 +14,7 @@ author: brianlic-msft
**Applies to**
- Windows 10
- Windows 10 Mobile
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
- Windows 10 IoT Core (IoT Core)
This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
@@ -104,7 +104,7 @@ For end consumers, TPM is behind the scenes but still very relevant for Hello, P
- TPM is optional on IoT Core.
-### Windows Server 2016 Technical Preview
+### Windows Server 2016
- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 6cbed263b3..c48f54a918 100644
--- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -7,58 +7,48 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
-author: iaanw
+author: mjcaparas
---
# Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues.
+This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints.
-You might need to troubleshoot the Windows Defender Advanced Threat Protection onboarding process if you encounter issues.
-This page provides detailed steps for troubleshooting endpoints that aren't reporting correctly, and common error codes encountered during onboarding.
+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem.
-## Endpoints are not reporting to the service correctly
+## Troubleshoot onboarding when deploying with Group Policy
+Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not.
-If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after 20 minutes, it might indicate an endpoint onboarding or connectivity problem.
+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
-Go through the following verification topics to address this issue:
+If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
-- [Ensure the endpoint is onboarded successfully](#Ensure-that-the-endpoint-is-onboarded-successfully)
-- [Ensure the Windows Defender ATP service is enabled](#Ensure-that-the-Windows-Defender-ATP-service-is-enabled)
-- [Ensure the telemetry and diagnostics service is enabled](#Ensure-that-telemetry-and-diagnostics-service-is-enabled)
-- [Ensure the endpoint has an Internet connection](#Ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
+## Troubleshoot onboarding issues when deploying with System Center Configuration Manager
+When onboarding endpoints using the following versions of System Center Configuration Manager:
+- System Center 2012 Configuration Manager
+- System Center 2012 R2 Configuration Manager
+- System Center Configuration Manager (current branch) version 1511
+- System Center Configuration Manager (current branch) version 1602
-### Ensure the endpoint is onboarded successfully
-If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service was successfully onboarded onto the endpoint.
+Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console.
-**Check the onboarding state in Registry**:
+If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint).
-1. Click **Start**, type **Run**, and press **Enter**.
+If the onboarding completed successfully but the endpoints are not showing up in the **Machines view** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur.
-2. From the **Run** dialog box, type **regedit** and press **Enter**.
-
-4. In the **Registry Editor** navigate to the Status key under:
-
- ```text
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection
-```
-
-5. Check the **OnboardingState** value is set to **1**.
-
- 
-
-If the **OnboardingState** value is not set to **1**, you can use Event Viewer to review errors on the endpoint.
-
-If you configured your endpoints with a deployment tool that required a script, you can check the event viewer for the onboarding script results.
-
-**Check the result of the script**:
+## Troubleshoot onboarding when deploying with a script on the endpoint
+**Check the result of the script on the endpoint**:
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. Go to **Windows Logs** > **Application**.
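Review bot: Dropping the "Check the onboarding state in Registry" procedure (the lines from `-**Check the onboarding state in Registry**:` down to the `OnboardingState` check) leaves the page with no direct way to verify onboarding on the endpoint, while the rest of the patch still relies on it: the event 35 and 40 rows in the script table tell the reader that the status is written to `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status` and to "manually test it and check if it's there" without saying how. Keep the regedit steps (or an equivalent `reg query` step) under the new "Troubleshoot onboarding issues on the endpoint" section, or link to wherever that check now lives. The added intro sentence `+If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](...) after an hour` is then repeated almost verbatim as the second paragraph of the Group Policy section; one of the two can go. Minor: "When onboarding endpoints using the following versions of System Center Configuration Manager:" is a fragment whose main clause only arrives after the list ("Deployment with the above-mentioned versions ... is done by running the onboarding script"); merge the two or make the first sentence complete.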
@@ -66,25 +56,82 @@ If you configured your endpoints with a deployment tool that required a script,
3. Look for an event from **WDATPOnboarding** event source.
If the script fails and the event is an error, you can check the event ID in the following table to help you troubleshoot the issue.
-> **Note** The following event IDs are specific to the onboarding script only.
+> [!NOTE]
+> The following event IDs are specific to the onboarding script only.
Event ID | Error Type | Resolution steps
:---|:---|:---
-5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```
-10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```. Verify that the script was ran as an administrator.
-15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
+5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
+10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator.
+15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).
+15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location ```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```. The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
-40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+40 | SENSE service onboarding status is not set to **1** | The SENSE service has failed to onboard properly. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md).
+65 | Insufficient privileges| Run the script again with administrator privileges.
+
+## Troubleshoot onboarding issues using Microsoft Intune
+You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
+
+Use the following tables to understand the possible causes of issues while onboarding:
+
+- Microsoft Intune error codes and OMA-URIs table
+- Known issues with non-compliance table
+- Mobile Device Management (MDM) event logs table
+
+If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt.
+
+**Microsoft Intune error codes and OMA-URIs**:
+
+Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
+:---|:---|:---|:---|:---
+0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
+ | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
+ | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported.
+ 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
-**Use Event Viewer to identify and adress onboarding errors**:
+**Known issues with non-compliance**
+
+The following table provides information on issues with non-compliance and how you can address the issues.
+
+Case | Symptoms | Possible cause and troubleshooting steps
+:---|:---|:---
+1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete.
+2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
+3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
+
+
+**Mobile Device Management (MDM) event logs**
+
+View the MDM event logs to troubleshoot issues that might arise during onboarding:
+
+Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
+
+Channel name: Admin
+
+ID | Severity | Event description | Troubleshooting steps
+:---|:---|:---|:---
+1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ELAM driver needs to be enabled see, [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled) for instructions.
+
+## Troubleshoot onboarding issues on the endpoint
+If the deployment tools used does not indicate an error in the onboarding process, but endpoints are still not appearing in the machines view an hour, go through the following verification topics to check if an error occurred with the Windows Defender ATP agent:
+- [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log)
+- [Ensure the telemetry and diagnostics service is enabled](#ensure-that-telemetry-and-diagnostics-service-is-enabled)
+- [Ensure the service is set to start](#ensure-the-service-is-set-to-start)
+- [Ensure the endpoint has an Internet connection](#ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection)
+- [Ensure the Windows Defender ELAM driver is enabled](#ensure-the-windows-defender-elam-driver-is-enabled)
+
+
+### View agent onboarding errors in the endpoint event log
1. Click **Start**, type **Event Viewer**, and press **Enter**.
2. In the **Event Viewer (Local)** pane, expand **Applications and Services Logs** > **Microsoft** > **Windows** > **SENSE**.
- > **Note** SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
+ > [!NOTE]
+ > SENSE is the internal name used to refer to the behavioral sensor that powers Windows Defender ATP.
3. Select **Operational** to load the log.
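Review bot: Several in-page anchors in the new verification list will not resolve. `#ensure-that-telemetry-and-diagnostics-service-is-enabled` and `#ensure-that-the-Windows-Defender-ATP-endpoint-has-internet-connection` were carried over from the removed list, but the headings in this patch are "Ensure the telemetry and diagnostics service is enabled" and "Ensure the endpoint has an Internet connection" (the SENSE event table later in the patch already uses the correct `#ensure-the-endpoint-has-an-internet-connection`), and no heading matching `#ensure-the-service-is-set-to-start` appears anywhere in this patch. Likewise the OMA-URI row for SenseIsRunning/OnboardingState/OrgId links to `#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues`, which is this page's own title, so it sends the reader in a circle. In the script event table, the event 10 row's key is `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat` (missing "Protection"), while the event 5 row and the Intune table use the full `...\Windows Advanced Threat Protection`; and there are now two rows with ID 15, so either merge them into one cell or state in each which error message it applies to. Grammar to fix while here: "the script was ran as an administrator", "Currently is supported platforms" (twice), "Check that user passed OOBE", "needs to be enabled see, [...]", and "If the deployment tools used does not indicate an error ... not appearing in the machines view an hour" (missing "after").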
@@ -98,101 +145,16 @@ Event ID | Error Type | Resolution steps
Event ID | Message | Resolution steps
:---|:---|:---
-5 | Windows Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
-6 | Windows Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
-7 | Windows Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
-15 | Windows Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+5 | Windows Defender Advanced Threat Protection service failed to connect to the server at _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
+6 | Windows Defender Advanced Threat Protection service is not onboarded and no onboarding parameters were found. Failure code: _variable_ | [Run the onboarding script again](configure-endpoints-windows-defender-advanced-threat-protection.md#manual).
+7 | Windows Defender Advanced Threat Protection service failed to read the onboarding parameters. Failure code: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection), then run the entire onboarding process again.
+15 | Windows Defender Advanced Threat Protection cannot start command channel with URL: _variable_ | [Ensure the endpoint has Internet access](#ensure-the-endpoint-has-an-internet-connection).
25 | Windows Defender Advanced Threat Protection service failed to reset health status in the registry. Failure code: _variable_ | Contact support.
-
-
-### Ensure the Windows Defender ATP service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows Defender ATP service is set to automatically start and is running on the endpoint.
-
-You can use the SC command line program for checking and managing the startup type and running state of the service.
-
-**Check the Windows Defender ATP service startup type from the command line:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc qc sense
- ```
-
-If the the service is running, then the result should look like the following screenshot:
-
- 
-
-If the service ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
-
-**Change the Windows Defender ATP service startup type from the command line:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc config sense start=auto
- ```
-
-3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
-
- ```text
- sc qc sense
- ```
-
-**Check the Windows Defender ATP service is running from the command line:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc query sense
- ```
-
-If the service is running, the result should look like the following screenshot:
-
-
-
-If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
-
-**Start the Windows Defender ATP service from the command line:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. Click **Start**, type **cmd**, and press **Enter**.
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc start sense
- ```
-
-3. A success message is displayed. Verify the change by entering the following command and press **Enter**:
-
- ```text
- sc qc sense
- ```
+
+There are additional components on the endpoint that the Windows Defender ATP agent depends on to function properly. If there are no onboarding related errors in the Windows Defender ATP agent event log, proceed with the following steps to ensure that the additional components are configured correctly.
### Ensure the telemetry and diagnostics service is enabled
-If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service may have been disabled by other programs or user configuration changes.
-
+If the endpoints aren't reporting correctly, you might need to check that the Windows 10 telemetry and diagnostics service is set to automatically start and is running on the endpoint. The service might have been disabled by other programs or user configuration changes.
First, you should check that the service is set to start automatically when Windows starts, then you should check that the service is currently running (and start it if it isn't).
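Review bot: This hunk removes the whole "Ensure the Windows Defender ATP service is enabled" section (`sc qc sense`, `sc config sense start=auto`, `sc start sense`) with no replacement, yet the rest of the patch still depends on it: the new verification list includes "Ensure the service is set to start", and the script event 15 row tells the reader to check the service status with `sc query sense` and retry. Either keep a condensed SENSE startup-type and state check under "Troubleshoot onboarding issues on the endpoint" or point to where it moved. If it is reinstated, note that the removed verification step after `sc start sense` used `sc qc sense`, which reports configuration, not running state; `sc query sense` is the right check there.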
@@ -212,12 +174,11 @@ First, you should check that the service is set to start automatically when Wind
sc qc diagtrack
```
-If the service is enabled, then the result should look like the following screenshot:
+ If the service is enabled, then the result should look like the following screenshot:
-
-
-If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set the service to automatically start.
+ 
+ If the `START_TYPE` is not set to `AUTO_START`, then you'll need to set the service to automatically start.
**Use the command line to set the Windows 10 telemetry and diagnostics service to automatically start:**
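Review bot: The switch from triple to single backticks around START_TYPE and AUTO_START normalises inline code here only; the script event table in this same patch still uses triple backticks inline (`sc query sense`, the `HKLM\SOFTWARE\Policies\...` paths). Pick one form for the file. The added indentation correctly nests the two sentences under the preceding list step.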
@@ -240,109 +201,13 @@ If the ```START_TYPE``` is not set to ```AUTO_START```, then you'll need to set
sc qc diagtrack
```
-**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service startup type**:
+4. Start the service.
-1. Open the services console:
-
- a. Click **Start** and type **services**.
-
- b. Press **Enter** to open the console.
-
-2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3. Check the **Startup type** column - the service should be set as **Automatic**.
-
-If the startup type is not set to **Automatic**, you'll need to change it so the service starts when the endpoint does.
-
-
-**Use the Windows Services console to set the Windows 10 telemetry and diagnostics service to automatically start:**
-
-1. Open the services console:
-
- a. Click **Start** and type **services**.
-
- b. Press **Enter** to open the console.
-
-2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3. Right-click on the entry and click **Properties**.
-
-4. On the **General** tab, change the **Startup type:** to **Automatic**, as shown in the following image. Click OK.
-
- 
-
-### Ensure the service is running
-
-**Use the command line to check the Windows 10 telemetry and diagnostics service is running**:
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. **Click **Start** and type **cmd**.**
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc query diagtrack
- ```
-
-If the service is running, the result should look like the following screenshot:
-
-
-
-If the service **STATE** is not set to **RUNNING**, then you'll need to start it.
-
-
-**Use the command line to start the Windows 10 telemetry and diagnostics service:**
-
-1. Open an elevated command-line prompt on the endpoint:
-
- a. **Click **Start** and type **cmd**.**
-
- b. Right-click **Command prompt** and select **Run as administrator**.
-
-2. Enter the following command, and press **Enter**:
-
- ```text
- sc start diagtrack
- ```
-
-3. A success message is displayed. Verify the change by entering the following command, and press **Enter**:
-
- ```text
- sc query diagtrack
- ```
-
-**Use the Windows Services console to check the Windows 10 telemetry and diagnostics service is running**:
-
-1. Open the services console:
-
- a. Click **Start** and type **services**.
-
- b. Press **Enter** to open the console.
-
-2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3. Check the **Status** column - the service should be marked as **Running**.
-
-If the service is not running, you'll need to start it.
-
-
-**Use the Windows Services console to start the Windows 10 telemetry and diagnostics service:**
-
-1. Open the services console:
-
- a. Click **Start** and type **services**.
-
- b. Press **Enter** to open the console.
-
-2. Scroll through the list of services until you find **Connected User Experiences and Telemetry**.
-
-3. Right-click on the entry and click **Start**, as shown in the following image.
-
-
+ a. In the command prompt, type the following command and press **Enter**:
+ ```text
+ sc start diagtrack
+ ```
### Ensure the endpoint has an Internet connection
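Review bot: The new step 4 ("Start the service", `sc start diagtrack`) replaces the removed "Ensure the service is running" section but drops both its pre-check (`sc query diagtrack` to see whether STATE is RUNNING) and its verification afterwards, so the reader now runs `sc start diagtrack` blind; if the service is already running, `sc start` fails with error 1056 ("An instance of the service is already running"), which will read as a failure. Reinstate the `sc query diagtrack` check before and after the start command, or at least say that 1056 means the service was already running. Step 4 is also appended to the "set to automatically start" procedure whose step 3 already ends with "Verify the change" using `sc qc diagtrack`; a separate bold sub-procedure heading for starting the service, matching the others in this section, would read better.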
@@ -352,90 +217,103 @@ WinHTTP is independent of the Internet browsing proxy settings and other user co
To ensure that sensor has service connectivity, follow the steps described in the [Verify client connectivity to Windows Defender ATP service URLs](configure-proxy-internet-windows-defender-advanced-threat-protection.md#verify-client-connectivity-to-windows-defender-atp-service-urls) topic.
-If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
+If the verification fails and your environment is using a proxy to connect to the Internet, then follow the steps described in [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) topic.
-## Troubleshoot onboarding issues using Microsoft Intune
-You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue.
+### Ensure the Windows Defender ELAM driver is enabled
+If your endpoints are running a third-party antimalware client, the Windows Defender ATP agent needs the Windows Defender Early Launch Antimalware (ELAM) driver to be enabled.
-Use the following tables to understand the possible causes of issues while onboarding:
+**Check the ELAM driver status:**
-- Microsoft Intune error codes and OMA-URIs table
-- Known issues with non-compliance table
-- Mobile Device Management (MDM) event logs table
+1. Open a command-line prompt on the endpoint:
-If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt.
+ a. Click **Start**, type **cmd**, and select **Command prompt**.
-**Microsoft Intune error codes and OMA-URIs**:
+2. Enter the following command, and press Enter:
+ ```
+ sc qc WdBoot
+ ```
+ If the ELAM driver is enabled, the output will be:
-Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps
-:---|:---|:---|:---|:---
-0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.
**Troubleshooting steps:**
Check the event IDs in the [Ensure the endpoint is onboarded successfully](#ensure-the-endpoint-is-onboarded-successfully) section.
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
- | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.
**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.
If it doesn't exist, open an elevated command and add the key.
- | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.
**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).
Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/en-us/library/windows/hardware/mt632120%28v=vs.85%29.aspx).
- | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported.
- 0x87D101A9 | -2016345687 |Syncml(425): The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.
Currently is supported platforms: Enterprise, Education, and Professional.
+ ```
+ [SC] QueryServiceConfig SUCCESS
-
-**Known issues with non-compliance**
+ SERVICE_NAME: WdBoot
+ TYPE : 1 KERNEL_DRIVER
+ START_TYPE : 0 BOOT_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys
+ LOAD_ORDER_GROUP : Early-Launch
+ TAG : 0
+ DISPLAY_NAME : Windows Defender Boot Driver
+ DEPENDENCIES :
+ SERVICE_START_NAME :
+ ```
+ If the ELAM driver is disabled the output will be:
+ ```
+ [SC] QueryServiceConfig SUCCESS
-The following table provides information on issues with non-compliance and how you can address the issues.
+ SERVICE_NAME: WdBoot
+ TYPE : 1 KERNEL_DRIVER
+ START_TYPE : 0 DEMAND_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : \SystemRoot\system32\drivers\WdBoot.sys
+ LOAD_ORDER_GROUP : _Early-Launch
+ TAG : 0
+ DISPLAY_NAME : Windows Defender Boot Driver
+ DEPENDENCIES :
+ SERVICE_START_NAME :
+ ```
-Case | Symptoms | Possible cause and troubleshooting steps
-:---|:---|:---
-1 | Machine is compliant by SenseIsRunning OMA-URI. But is non-compliant by OrgId, Onboarding and OnboardingState OMA-URIs. | **Possible cause:** Check that user passed OOBE after Windows installation or upgrade. During OOBE onboarding couldn't be completed but SENSE is running already.
**Troubleshooting steps:** Wait for OOBE to complete.
-2 | Machine is compliant by OrgId, Onboarding, and OnboardingState OMA-URIs, but is non-compliant by SenseIsRunning OMA-URI. | **Possible cause:** Sense service's startup type is set as "Delayed Start". Sometimes this causes the Microsoft Intune server to report the machine as non-compliant by SenseIsRunning when DM session occurs on system start.
**Troubleshooting steps:** The issue should automatically be fixed within 24 hours.
-3 | Machine is non-compliant | **Troubleshooting steps:** Ensure that Onboarding and Offboarding policies are not deployed on the same machine at same time.
+#### Enable the ELAM driver
-
-**Mobile Device Management (MDM) event logs**
+1. Open an elevated PowerShell console on the endpoint:
-View the MDM event logs to troubleshoot issues that might arise during onboarding:
+ a. Click **Start**, type **powershell**.
-Log name: Microsoft\Windows\DeviceManagement-EnterpriseDiagnostics-Provider
+ b. Right-click **Command prompt** and select **Run as administrator**.
-Channel name: Admin
+2. Run the following PowerShell cmdlet:
-ID | Severity | Event description | Description
-:---|:---|:---|:---
-1801 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has failed to get specific node's value.
TokenName: Contains node name that caused the error.
Result: Error details.
-1802 | Information | Windows Defender Advanced Threat Protection CSP: Get Node's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3) | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name
Result: Error details or succeeded.
-1819 | Error | Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name that caused the error
Result: Error details.
-1820 | Information | Windows Defender Advanced Threat Protection CSP: Set Nod's Value complete. NodeId: (%1), TokenName: (%2), Result: (%3). | Windows Defender ATP has completed to get specific node's value.
TokenName: Contains node name
Result: Error details or succeeded.
+ ```text
+ 'Set-ExecutionPolicy -ExecutionPolicy Bypass’
+ ```
+3. Run the following PowerShell script:
+
+ ```text
+ Add-Type @'
+ using System;
+ using System.IO;
+ using System.Runtime.InteropServices;
+ using Microsoft.Win32.SafeHandles;
+ using System.ComponentModel;
+
+ public static class Elam{
+ [DllImport("Kernel32", CharSet=CharSet.Auto, SetLastError=true)]
+ public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);
+
+ public static void InstallWdBoot(string path)
+ {
+ Console.Out.WriteLine("About to call create file on {0}", path);
+ var stream = File.Open(path, FileMode.Open, FileAccess.Read, FileShare.Read);
+ var handle = stream.SafeFileHandle;
+
+ Console.Out.WriteLine("About to call InstallELAMCertificateInfo on handle {0}", handle.DangerousGetHandle());
+ if (!InstallELAMCertificateInfo(handle))
+ {
+ Console.Out.WriteLine("Call failed.");
+ throw new Win32Exception(Marshal.GetLastWin32Error());
+ }
+ Console.Out.WriteLine("Call successful.");
+ }
+ }
+ '@
+
+ $driverPath = $env:SystemRoot + "\System32\Drivers\WdBoot.sys"
+ [Elam]::InstallWdBoot($driverPath)
+ ```
-
## Related topics
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
-
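Review bot: step 2 of "Enable the ELAM driver" is not safe to paste as written: `'Set-ExecutionPolicy -ExecutionPolicy Bypass’` is wrapped in mismatched quotes (a straight opening quote, a curly closing one), so the line is a string literal rather than a cmdlet invocation, and without `-Scope Process` it relaxes the machine-wide execution policy permanently for what is a one-off script. Suggest `Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process` with the quotes removed, and tag both fences `powershell` instead of `text`. Step 1a types **powershell** but step 1b says to right-click **Command prompt**; it should say **Windows PowerShell**. In the script, the `FileStream` returned by `File.Open` is never disposed; wrap it in `using (var stream = File.Open(...))` so the handle on WdBoot.sys is released after `InstallELAMCertificateInfo` returns. Finally, the hunk deletes the MDM event-log table (IDs 1801, 1802, 1819, 1820) without pointing to where that reference now lives; if it was moved to another topic, link to it here.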
diff --git a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
index 8340e9dcc0..5ed6bf4bc5 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-advanced-threat-protection.md
@@ -13,11 +13,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.
### Server error - Access is denied due to invalid credentials
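Review bot: the unchanged context line `This section addresses issues that might arise as you use the Windows Defender Advanced Threat service.` drops "Protection" from the product name; since this hunk already rewrites the surrounding header block, fix it to "Windows Defender Advanced Threat Protection service" in the same change.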
@@ -39,9 +40,11 @@ U.S. region:
- sevillefeedback-prd.trafficmanager.net
- sevillesettings-prd.trafficmanager.net
- threatintel-cus-prd.cloudapp.net
-- threatintel-eus-prd.cloudapp.net
-
-
+- threatintel-eus-prd.cloudapp.net
+- winatpauthorization.windows.com
+- winatpfeedback.windows.com
+- winatpmanagement.windows.com
+- winatponboarding.windows.com
EU region:
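Review bot: the four new `winatp*.windows.com` hosts are appended next to the existing `seville*-prd.trafficmanager.net` and `threatintel-*-prd.cloudapp.net` entries without saying whether the older hosts are still contacted or being retired; a firewall admin reading this will allow both sets indefinitely. State which hosts the sensor currently needs and on which ports (80 and 443). The `-`/`+` pair on `threatintel-eus-prd.cloudapp.net` is a whitespace-only change and should be dropped or kept out of a content edit.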
@@ -52,7 +55,10 @@ EU region:
- sevillesettings-prd.trafficmanager.net
- threatintel-neu-prd.cloudapp.net
- threatintel-weu-prd.cloudapp.net
-
+- winatpauthorization.windows.com
+- winatpfeedback.windows.com
+- winatpmanagement.windows.com
+- winatponboarding.windows.com
### Windows Defender ATP service shows event or error logs in the Event Viewer
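Review bot: the same four `winatp*.windows.com` hosts added in the previous hunk are duplicated verbatim under the EU list; they are region-independent, so list them once above the regional sections so a future host change is a single edit rather than two that can drift apart.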
diff --git a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
index 717abdaec8..cadbd4c872 100644
--- a/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/use-windows-defender-advanced-threat-protection.md
@@ -14,11 +14,12 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
A typical security breach investigation requires a member of a security operations team to:
1. View an alert on the **Dashboard** or **Alerts queue**
@@ -41,6 +42,6 @@ Topic | Description
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
-[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external internet protocol (IP) addresses.
+[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md
index bae239bf1c..16a3332352 100644
--- a/windows/keep-secure/windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md
@@ -14,12 +14,13 @@ author: mjcaparas
**Applies to:**
-- Windows 10 Insider Preview Build 14332 or later
+- Windows 10 Enterprise
+- Windows 10 Enterprise for Education
+- Windows 10 Pro
+- Windows 10 Pro Education
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
-[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
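Review bot: the `+` line correctly adds "to" in "enables enterprise customers to detect", but keeps the dangling comma in "a security service, built into Windows 10 that enables"; either remove the comma or close the parenthetical: "a security service, built into Windows 10, that enables".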
@@ -63,7 +64,7 @@ detect sophisticated cyber-attacks, providing:
- Behavior-based, cloud-powered, advanced attack detection
- Finds the attacks that made it past all other defenses (post breach detection),provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
+ Finds the attacks that made it past all other defenses (post breach detection), provides actionable, correlated alerts for known and unknown adversaries trying to hide their activities on endpoints.
- Rich timeline for forensic investigation and mitigation
@@ -78,10 +79,12 @@ detect sophisticated cyber-attacks, providing:
Topic | Description
:---|:---
[Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
-[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
[Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
+[Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
+[Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
[Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
[Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.
[Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
[Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
+[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
\ No newline at end of file
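Review bot: after adding the new "Assign user access to the Windows Defender ATP portal" row, the re-added "Onboard endpoints and set up access" row still says "Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD)", so the same task is now described in two rows; trim the onboarding description to the configuration-package part. The file also still ends without a trailing newline (`\ No newline at end of file`); add one while this table is being edited.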
diff --git a/windows/keep-secure/windows-defender-in-windows-10.md b/windows/keep-secure/windows-defender-in-windows-10.md
index 07242d64f4..d962b39947 100644
--- a/windows/keep-secure/windows-defender-in-windows-10.md
+++ b/windows/keep-secure/windows-defender-in-windows-10.md
@@ -1,76 +1,76 @@
----
-title: Windows Defender in Windows 10 (Windows 10)
-description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-author: jasesso
----
-
-# Windows Defender in Windows 10
-
-**Applies to**
-- Windows 10
-
-Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
-This topic provides an overview of Windows Defender, including a list of system requirements and new features.
-
-For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
-
-Take advantage of Windows Defender by configuring settings and definitions using the following tools:
-- Microsoft Active Directory *Group Policy* for settings
-- Windows Server Update Services (WSUS) for definitions
-
-Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
-> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
-- Settings management
-- Definition update management
-- Alerts and alert management
-- Reports and report management
-
-When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
-
-
-### Compatibility with Windows Defender Advanced Threat Protection
-
-Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
-
-See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
-
-If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
-
-In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
-
-You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
-
-If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
-
-
-
-### Minimum system requirements
-
-Windows Defender has the same hardware requirements as Windows 10. For more information, see:
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
-
-### New and changed functionality
-
-- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
-- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
-- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
-
-For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
-
-## In this section
-
-Topic | Description
-:---|:---
-[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
-[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
-[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
-[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
-[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
-[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
-[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
+---
+title: Windows Defender in Windows 10 (Windows 10)
+description: This topic provides an overview of Windows Defender, including a list of system requirements and new features.
+ms.assetid: 6A9EB85E-1F3A-40AC-9A47-F44C4A2B55E2
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: jasesso
+---
+
+# Windows Defender in Windows 10
+
+**Applies to**
+- Windows 10
+
+Windows Defender in Windows 10 is a built-in antimalware solution that provides security and antimalware management for desktops, portable computers, and servers.
+This topic provides an overview of Windows Defender, including a list of system requirements and new features.
+
+For more important information about running Windows Defender on a server platform, see [Windows Defender Overview for Windows Server Technical Preview](https://technet.microsoft.com/library/dn765478.aspx).
+
+Take advantage of Windows Defender by configuring settings and definitions using the following tools:
+- Microsoft Active Directory *Group Policy* for settings
+- Windows Server Update Services (WSUS) for definitions
+
+Windows Defender provides the most protection when cloud-based protection is enabled. Learn how to enable cloud-based protection in [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md).
+> **Note:** System Center 2012 R2 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, and Microsoft Intune can provide centralized management of Windows Defender, including:
+- Settings management
+- Definition update management
+- Alerts and alert management
+- Reports and report management
+
+When you enable endpoint protection for your clients, it will install an additional management layer on Windows Defender to manage the in-box Windows Defender agent. While the client user interface will still appear as Windows Defender, the management layer for Endpoint Protection will be listed in the **Add/Remove Programs** control panel, though it will appear as if the full product is installed.
+
+
+### Compatibility with Windows Defender Advanced Threat Protection
+
+Windows Defender Advanced Threat Protection (ATP) is an additional service that helps enterprises to detect, investigate, and respond to advanced persistent threats on their network.
+
+See the [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) topics for more information about the service.
+
+If you are enrolled in Windows Defender ATP, and you are not using Windows Defender as your real-time protection service on your endpoints, Windows Defender will automatically enter into a passive mode.
+
+In passive mode, Windows Defender will continue to run (using the *msmpeng.exe* process), and will continue to be updated, however there will be no Windows Defender user interface, scheduled scans won’t run, and Windows Defender will not provide real-time protection from malware.
+
+You can [configure updates for Windows Defender](configure-windows-defender-in-windows-10.md), however you can't move Windows Defender into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware.
+
+If you uninstall the other product, and choose to use Windows Defender to provide protection to your endpoints, Windows Defender will automatically return to its normal active mode.
+
+
+
+### Minimum system requirements
+
+Windows Defender has the same hardware requirements as Windows 10. For more information, see:
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086.aspx)
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049.aspx)
+
+### New and changed functionality
+
+- **Improved detection for unwanted applications and emerging threats using cloud-based protection.** Use the Microsoft Active Protection Service to improve protection against unwanted applications and advanced persistent threats in your enterprise.
+- **Windows 10 integration.** All Windows Defender in Windows 10 endpoints will show the Windows Defender user interface, even when the endpoint is managed.
+- **Operating system, enterprise-level management, and bring your own device (BYOD) integration.** Windows 10 introduces a mobile device management (MDM) interface for devices running Windows 10. Administrators can use MDM-capable products, such as Intune, to manage Windows Defender on Windows 10 devices.
+
+For more information about what's new in Windows Defender in Windows 10, see [Windows Defender in Windows 10: System integration](https://www.microsoft.com/security/portal/enterprise/threatreports_august_2015.aspx) on the Microsoft Active Protection Service website.
+
+## In this section
+
+Topic | Description
+:---|:---
+[Update and manage Windows Defender in Windows 10](get-started-with-windows-defender-for-windows-10.md)|Use Active Directory or Windows Server Update Services to manage and deploy updates to endpoints on your network. Configure and run special scans, including archive and email scans.
+[Configure updates for Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)|Configure definition updates and cloud-based protection with Active Directory and Windows Server Update Services.
+[Windows Defender Offline in Windows 10](windows-defender-offline.md)|Manually run an offline scan directly from winthin Windows without having to download and create bootable media.
+[Use PowerShell cmdlets for Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md)|Run scans and configure Windows Defender options with Windows PowerShell cmdlets in Windows 10.
+[Enable the Black at First Sight feature in Windows 10](windows-defender-block-at-first-sight.md)|Use the Block at First Sight feature to leverage the Windows Defender cloud.
+[Configure enhanced notifications for Windows Defender in Windows 10](windows-defender-enhanced-notifications.md)|Enable or disable enhanced notifications on endpoints running Windows Defender for greater details about threat detections and removal.
+[Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)|Review event IDs in Windows Defender for Windows 10 and take the appropriate actions.
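Review bot: every line of windows-defender-in-windows-10.md is removed and re-added with identical content, which is what a line-ending (CRLF/LF) normalization looks like; that should be a separate commit (or handled via `.gitattributes`) so real content changes in this PR stay reviewable. Since the lines are being rewritten anyway, fix the typos they carry over: `winthin` in the Windows Defender Offline row, and `Black at First Sight` in the Block at First Sight row title, which contradicts its own description.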
diff --git a/windows/keep-secure/windows-defender-offline.md b/windows/keep-secure/windows-defender-offline.md
index d861493653..bdd1e45d8b 100644
--- a/windows/keep-secure/windows-defender-offline.md
+++ b/windows/keep-secure/windows-defender-offline.md
@@ -1,181 +1,181 @@
----
-title: Windows Defender Offline in Windows 10
-description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
-keywords: scan, defender, offline
-search.product: eADQiWindows 10XVcnh
-ms.pagetype: security
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
-author: iaanw
----
-
-# Windows Defender Offline in Windows 10
-
-**Applies to:**
-
-- Windows 10, version 1607
-
-Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
-
-In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
-
-## Pre-requisites and requirements
-
-Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
-
-For more information about Windows 10 requirements, see the following topics:
-
-- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
-
-- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
-
-> [!NOTE]
-> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
-
-To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
-
-## Windows Defender Offline updates
-
-Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
-
-> [!NOTE]
-> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
-
-For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
-
-## Usage scenarios
-
-In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
-
-The prompt can occur via a notification, similar to the following:
-
-
-
-The user will also be notified within the Windows Defender client:
-
-
-
-In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
-
-
-
-## Manage notifications
-
-
-You can suppress Windows Defender Offline notifications with Group Policy.
-
-> [!NOTE]
-> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
-
-**Use Group Policy to suppress Windows Defender notifications:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
-
-1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
-
-## Configure Windows Defender Offline settings
-
-You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
-
-For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
-
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
-
-- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
-
-For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
-
-## Run a scan
-
-Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
-
-> [!NOTE]
-> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
-
-You can set up a Windows Defender Offline scan with the following:
-
-- Windows Update and Security settings
-
-- Windows Defender
-
-- Windows Management Instrumentation
-
-- Windows PowerShell
-
-- Group Policy
-
-> [!NOTE]
-> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
-
-**Run Windows Defender Offline from Windows Settings:**
-
-1. Open the **Start** menu and click or type **Settings**.
-
-1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
-
-1. Click **Scan offline**.
-
- 
-
-1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
-
-**Run Windows Defender Offline from Windows Defender:**
-
-1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
-
-1. On the **Home** tab click **Download and Run**.
-
- 
-
-1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
-
-
-**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
-
-Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
-
-The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
-
-```WMI
-wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
-```
-
-For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
-
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
-
-- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
-
-**Run Windows Defender Offline using PowerShell:**
-
-Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
-
-For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
-
-## Review scan results
-
-Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
-
-1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
-
-1. Go to the **History** tab.
-
-1. Select **All detected items**.
-
-1. Click **View details**.
-
-Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
-
-
-
-## Related topics
-
+---
+title: Windows Defender Offline in Windows 10
+description: You can use Windows Defender Offline straight from the Windows Defender client. You can also manage how it is deployed in your network.
+keywords: scan, defender, offline
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+author: iaanw
+---
+
+# Windows Defender Offline in Windows 10
+
+**Applies to:**
+
+- Windows 10, version 1607
+
+Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
+
+In Windows 10, Windows Defender Offline can be run with one click directly from the Windows Defender client. In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media.
+
+## Pre-requisites and requirements
+
+Windows Defender Offline in Windows 10 has the same hardware requirements as Windows 10.
+
+For more information about Windows 10 requirements, see the following topics:
+
+- [Minimum hardware requirements](https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx)
+
+- [Hardware component guidelines](https://msdn.microsoft.com/library/windows/hardware/dn915049(v=vs.85).aspx)
+
+> [!NOTE]
+> Windows Defender Offline is not supported on machines with ARM processors, or on Windows Server Stock Keeping Units.
+
+To run Windows Defender Offline from the endpoint, the user must be logged in with administrator privileges.
+
+## Windows Defender Offline updates
+
+Windows Defender Offline uses the most up-to-date signature definitions available on the endpoint; it's updated whenever Windows Defender is updated with new signature definitions. Depending on your setup, this is usually though Microsoft Update or through the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+> [!NOTE]
+> Before running an offline scan, you should attempt to update the definitions on the endpoint. You can either force an update via Group Policy or however you normally deploy updates to endpoints, or you can manually download and install the latest updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx).
+
+For information on setting up Windows Defender updates, see the [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md) topic.
+
+## Usage scenarios
+
+In Windows 10, version 1607, you can manually force an offline scan. Alternatively, if Windows Defender determines that Windows Defender Offline needs to run, it will prompt the user on the endpoint. The need to perform an offline scan will also be revealed in System Center Configuration Manager, if you're using it to manage your endpoints.
+
+The prompt can occur via a notification, similar to the following:
+
+
+
+The user will also be notified within the Windows Defender client:
+
+
+
+In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. Windows Defender Offline scans are indicated under **Malware remediation status** as **Offline scan required**.
+
+
+
+## Manage notifications
+
+
+You can suppress Windows Defender Offline notifications with Group Policy.
+
+> [!NOTE]
+> Changing these settings will affect *all* notifications from Windows Defender. Disabling notifications will mean the endpoint user will not see any messages about any threats detected, removed, or if additional steps are required.
+
+**Use Group Policy to suppress Windows Defender notifications:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender > Client Interface**.
+
+1. Double-click the **Suppress all notifications** setting and set the option to **Enabled**. Click **OK**. This will disable all notifications shown by the Windows Defender client.
+
+## Configure Windows Defender Offline settings
+
+You can use Windows Management Instrumentation to enable and disable certain features in Windows Defender Offline. For example, you can use `Set-MpPreference` to change the `UILockdown` setting to disable and enable notifications.
+
+For more information about using Windows Management Instrumentation to configure Windows Defender Offline, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [Windows Defender MSFT_MpPreference class](https://msdn.microsoft.com/en-us/library/windows/desktop/dn455323(v=vs.85).aspx)
+
+For more information about notifications in Windows Defender, see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic.
+
+## Run a scan
+
+Windows Defender Offline uses up-to-date threat definitions to scan the endpoint for malware that might be hidden. In Windows 10, version 1607, you can manually force an offline scan using Windows Update and Security settings.
+
+> [!NOTE]
+> Before you use Windows Defender Offline, make sure you save any files and shut down running programs. The Windows Defender Offline scan takes about 15 minutes to run. It will restart the endpoint when the scan is complete.
+
+You can set up a Windows Defender Offline scan with the following:
+
+- Windows Update and Security settings
+
+- Windows Defender
+
+- Windows Management Instrumentation
+
+- Windows PowerShell
+
+- Group Policy
+
+> [!NOTE]
+> The scan is performed outside of the usual Windows operating environment. The user interface will appear different to a normal scan performed by Windows Defender. After the scan is completed, the endpoint will be restarted and Windows will load normally.
+
+**Run Windows Defender Offline from Windows Settings:**
+
+1. Open the **Start** menu and click or type **Settings**.
+
+1. Click **Update & Security** and then **Windows Defender**. Scroll to the bottom of the settings page until you see the **Windows Defender Offline** section.
+
+1. Click **Scan offline**.
+
+ 
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+**Run Windows Defender Offline from Windows Defender:**
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. On the **Home** tab click **Download and Run**.
+
+ 
+
+1. Follow the prompts to continue with the scan. You might be warned that you'll be signed out of Windows and that the endpoint will restart.
+
+
+**Use Windows Management Instrumentation to configure and run Windows Defender Offline:**
+
+Use the `MSFT_MpWDOScan` class (part of the Windows Defender Windows Management Instrumentation provider) to run a Windows Defender Offline scan.
+
+The following Windows Management Instrumentation script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows.
+
+```WMI
+wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start
+```
+
+For more information about using Windows Management Instrumentation to run a scan in Windows Defender, including configuration parameters and options, see the following topics:
+
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/windows/desktop/dn439477(v=vs.85).aspx)
+
+- [MSFT_MpWDOScan class article](https://msdn.microsoft.com/library/windows/desktop/mt622458(v=vs.85).aspx)
+
+**Run Windows Defender Offline using PowerShell:**
+
+Use the PowerShell parameter `Start-MpWDOScan` to run a Windows Defender Offline scan.
+
+For more information on available cmdlets and optios, see the [Use PowerShell cmdlets to configure and run Windows Defender](use-powershell-cmdlets-windows-defender-for-windows-10.md) topic.
+
+## Review scan results
+
+Windows Defender Offline scan results will be listed in the main Windows Defender user interface after performing the scan.
+
+1. Open the **Start** menu, type **windows defender**, and press **Enter** to open the Windows Defender client.
+
+1. Go to the **History** tab.
+
+1. Select **All detected items**.
+
+1. Click **View details**.
+
+Any detected items will display. Items that are detected by Windows Defender Offline will be listed as **Offline** in the **Detection source**:
+
+
+
+## Related topics
+
- [Windows Defender in Windows 10](windows-defender-in-windows-10.md)
\ No newline at end of file
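Review bot: `Set-MpPreference` in the "Configure Windows Defender Offline settings" paragraph is a PowerShell cmdlet, not a Windows Management Instrumentation call, yet the paragraph presents it as the WMI route; the `UILockdown` setting is exposed through the `MSFT_MpPreference` class that the bullet underneath links to. Suggest "you can use the `Set-MpPreference` cmdlet, or the `MSFT_MpPreference` WMI class, to change the `UILockdown` setting", or drop the cmdlet from the WMI sentence. The same slip appears under "Run Windows Defender Offline using PowerShell": `Start-MpWDOScan` is a cmdlet, not a "PowerShell parameter". Smaller fixes in this hunk: `ms.pagetype: security` is listed twice in the front matter; "usually though Microsoft Update" should be "through"; "cmdlets and optios" should be "options"; "Windows Server Stock Keeping Units" reads more naturally as "Windows Server SKUs"; the Group Policy steps are numbered 1, 3, 4, 5, 1 (use `1.` throughout, as the other lists in the file do); the link in "see the [Configure enhanced notifications in Windows Defender](windows-defender-enhanced-notifications.md)] topic" has a stray `]`; and the file is committed without a trailing newline.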
diff --git a/windows/manage/configure-windows-telemetry-in-your-organization.md b/windows/manage/configure-windows-telemetry-in-your-organization.md
index 2642bdeb9e..9965ade8d5 100644
--- a/windows/manage/configure-windows-telemetry-in-your-organization.md
+++ b/windows/manage/configure-windows-telemetry-in-your-organization.md
@@ -16,7 +16,7 @@ author: brianlic-msft
- Windows 10
- Windows 10 Mobile
-- Windows Server 2016 Technical Preview
+- Windows Server 2016
At Microsoft, we use Windows telemetry to inform our decisions and focus our efforts in providing the most robust, most valuable platform for your business and the people who count on Windows to enable them to be as productive as possible. Telemetry gives users a voice in the operating system’s development. This guide describes the importance of Windows telemetry and how we protect that data. Additionally, it differentiates between telemetry and functional data. It also describes the telemetry levels that Windows supports. Of course, you can choose how much telemetry is shared with Microsoft, and this guide demonstrates how.
@@ -36,7 +36,7 @@ Use this article to make informed decisions about how you might configure teleme
## Overview
-In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016 Technical Preview, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
+In previous versions of Windows and Windows Server, Microsoft used telemetry to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server 2016, you can control telemetry streams by using the Privacy option in Settings, Group Policy, or MDM.
For Windows 10, we invite IT pros to join the [Windows Insider Program](http://insider.windows.com) to give us feedback on what we can do to make Windows work better for your organization.
@@ -159,7 +159,7 @@ Microsoft believes in and practices information minimization. We strive to gathe
## Telemetry levels
-This section explains the different telemetry levels in Windows 10, Windows Server 2016 Technical Preview, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016 Technical Preview.
+This section explains the different telemetry levels in Windows 10, Windows Server 2016, and System Center. These levels are available on all desktop and mobile editions of Windows 10, with the exception of the **Security** level which is limited to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016.
The telemetry data is categorized into four levels:
@@ -171,7 +171,7 @@ The telemetry data is categorized into four levels:
- **Full**. All data necessary to identify and help to fix problems, plus data from the **Security**, **Basic**, and **Enhanced** levels.
-The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016 Technical Preview.
+The levels are cumulative and are illustrated in the following diagram. Also, these levels apply to all editions of Windows Server 2016.

@@ -216,7 +216,7 @@ The Basic level gathers a limited set of data that’s critical for understandin
The data gathered at this level includes:
-- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 Technical Preview in the ecosystem. Examples include:
+- **Basic device data**. Helps provide an understanding about the types of Windows devices and the configurations and types of native and virtualized Windows Server 2016 in the ecosystem. Examples include:
- Device attributes, such as camera resolution and display type
@@ -306,7 +306,7 @@ We do not recommend that you turn off telemetry in your organization as valuable
You can turn on or turn off System Center telemetry gathering. The default is on and the data gathered at this level represents what is gathered by default when System Center telemetry is turned on. However, setting the operating system telemetry level to **Basic** will turn off System Center telemetry, even if the System Center telemetry switch is turned on.
-The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 Technical Preview is **Enhanced**.
+The lowest telemetry setting level supported through management policies is **Security**. The lowest telemetry setting supported through the Settings UI is **Basic**. The default telemetry setting for Windows Server 2016 is **Enhanced**.
### Configure the operating system telemetry level
diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md
index f31f532c25..a8ef1aec6d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1607.md
+++ b/windows/whats-new/whats-new-windows-10-version-1607.md
@@ -76,6 +76,11 @@ Several new features and management options have been added to Windows Defender
- [Run a Windows Defender scan from the command line](../keep-secure/run-cmd-scan-windows-defender-for-windows-10.md).
- [Detect and block Potentially Unwanted Applications with Windows Defender](../keep-secure/enable-pua-windows-defender-for-windows-10.md) during download and install times.
+### Windows Defender Advanced Threat Protection (ATP)
+With the growing threat from more sophisticated targeted attacks, a new security solution is imperative in securing an increasingly complex network ecosystem. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service, built into Windows 10 that enables enterprise customers detect, investigate, and respond to advanced threats on their networks.
+
+[Learn more about Windows Defender Advanced Threat Protection (ATP)](../keep-secure/windows-defender-advanced-threat-protection.md)
+
## Management
### Use Remote Desktop Connection for PCs joined to Azure Active Directory
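Review bot: the new "Windows Defender Advanced Threat Protection (ATP)" paragraph is missing a word: "enables enterprise customers detect, investigate, and respond" should read "enables enterprise customers to detect, investigate, and respond". In the same sentence, "a security service, built into Windows 10 that enables" needs either a matching comma after "Windows 10" or no comma before "built".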