- -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | - 4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Digitally encrypt or sign secure channel data (always) - -This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - -Domain member: Digitally encrypt secure channel data (when possible) -Domain member: Digitally sign secure channel data (when possible) - -Default: Enabled. - -Notes: - -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -If this policy is enabled, the policy Domain member: Digitally sign secure channel data (when possible) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. -Logon information transmitted over the secure channel is always encrypted regardless of whether encryption of ALL other secure channel traffic is negotiated or not. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt or sign secure channel data (always)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
- - -**LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Digitally encrypt secure channel data (when possible) - -This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. - -When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller for its domain. This secure channel is used to perform operations such as NTLM pass-through authentication, LSA SID/name Lookup etc. - -This setting determines whether or not the domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption. - -Default: Enabled. - -Important - -There is no known reason for disabling this setting. Besides unnecessarily reducing the potential confidentiality level of the secure channel, disabling this setting may unnecessarily reduce secure channel throughput, because concurrent API calls that use the secure channel are only possible when the secure channel is signed or encrypted. - -Note: Domain controllers are also domain members and establish secure channels with other domain controllers in the same domain as well as domain controllers in trusted domains. - - - -GP Info: -- GP English name: *Domain member: Digitally encrypt secure channel data (when possible)* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
- - -**LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - - -> [!WARNING] -> Starting in the version 1809 of Windows, this policy is deprecated. - -Domain member: Disable machine account password changes - -Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified by the setting for Domain Member: Maximum age for machine account password, which by default is every 30 days. - -Default: Disabled. - -Notes - -This security setting should not be enabled. Computer account passwords are used to establish secure channel communications between members and domain controllers and, within the domain, between the domain controllers themselves. Once it is established, the secure channel is used to transmit sensitive information that is necessary for making authentication and authorization decisions. -This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want to dual-boot two installations that are joined to the same domain, give the two installations different computer names. - - - -GP Info: -- GP English name: *Domain member: Disable machine account password changes* -- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* - - - - - - - - - - - - - -
- **LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked** @@ -2902,60 +2637,6 @@ GP Info:
- -**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -3 |
-
| Business | -3 |
-
| Enterprise | -3 |
-
| Education | -3 |
-
- - -Recovery console: Allow automatic administrative logon - -This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. - -Default: This policy is not defined and automatic administrative logon is not allowed. - -Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - -Valid values: -- 0 - disabled -- 1 - enabled (allow automatic administrative logon) - - - - -
- **LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn** @@ -3095,63 +2776,6 @@ GP Info:
- -**LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems** - - -
| Windows Edition | -Supported? | -
|---|---|
| Home | - |
-
| Pro | -4 |
-
| Business | -4 |
-
| Enterprise | -4 |
-
| Education | -4 |
-
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -System objects: Require case insensitivity for non-Windows subsystems - -This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. - -If this setting is enabled, case insensitivity is enforced for all directory objects, symbolic links, and IO objects, including file objects. Disabling this setting does not allow the Win32 subsystem to become case sensitive. - -Default: Enabled. - - - - -
- **LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation** diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 38e9dd4066..4eb6ccaccf 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -194,6 +194,9 @@ manager: dansimp
+ + +**Update/SetProxyBehaviorForUpdateDetection** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +1 |
+
| Business | +1 |
+
| Enterprise | +1 |
+
| Education | +1 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 1607 and later. By default, HTTP WSUS servers scan only if system proxy is configured. This policy setting allows you to configure user proxy as a fallback for detecting updates while using an HTTP based intranet server despite the vulnerabilities it presents. + +This policy setting does not impact those customers who have, per Microsoft recommendation, secured their WSUS server with TLS/SSL protocol, thereby using HTTPS based intranet servers to keep systems secure. That said, if a proxy is required, we recommend configuring a system proxy to ensure the highest level of security. + + + +ADMX Info: +- GP English name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service* +- GP name: *Select the proxy behavior* +- GP element: *Select the proxy behavior* +- GP path: *Windows Components/Windows Update/Specify intranet Microsoft update service location* +- GP ADMX file name: *WindowsUpdate.admx* + + + +The following list shows the supported values: + +- 0 (default) - Allow system proxy only for HTTP scans. +- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails. +> [!NOTE] +> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure. + + + + +
+ **Update/TargetReleaseVersion** diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md index 328dfe2238..651f088e72 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md +++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md @@ -533,9 +533,6 @@ ms.date: 07/18/2019 - [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) - [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) - [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) -- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) -- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) - [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) - [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md index 617be22113..8e70dd707e 100644 --- a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -66,6 +66,7 @@ ms.date: 07/18/2019 - [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) - [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) - [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) +- [Update/SetProxyBehaviorForUpdateDetection](policy-csp-update.md#update-setproxybehaviorforupdatedetection) ## Related topics diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index 671e14612b..9274477150 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -131,4 +131,4 @@ This section contains advanced troubleshooting topics and links to help you reso ## Other Resources -### [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-support-solutions) +- [Troubleshooting Windows Server components](https://docs.microsoft.com/windows-server/troubleshoot/windows-server-troubleshooting) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index de0fe72583..8aaf66d309 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -17,13 +17,14 @@ ms.topic: article # Manually Configuring Devices for Update Compliance -There are a number of requirements to consider when manually configuring Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. +There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows 10. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required. The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. 2. Devices in every network topography needs to send data to the [**required endpoints**](#required-endpoints) for Update Compliance, for example both devices in main and satellite offices, which may have different network configurations. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. +4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. ## Required policies @@ -75,3 +76,14 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic ## Required services Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically. + + +## Run a full Census sync + +Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script does this. + +A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: + +1. For every device you are manually configuring for Update Compliance, add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. +2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. +3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 92d589105d..58bd854855 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -17,11 +17,6 @@ ms.topic: article # Monitor Windows Updates with Update Compliance -> [!IMPORTANT] -> While [Windows Analytics was retired on January 31, 2020](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), support for Update Compliance has continued through the Azure Portal. Two planned feature removals for Update Compliance – Microsoft Defender Antivirus reporting and Perspectives – are now scheduled to be removed beginning Monday, May 11, 2020. -> * The retirement of Microsoft Defender Antivirus reporting will begin Monday, May 11, 2020. You can continue to for threats with [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) and [Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection). -> * The Perspectives feature of Update Compliance will be retired Monday, May 11, 2020. The Perspectives feature is part of the Log Search portal of Log Analytics, which was deprecated on February 15, 2019 in favor of [Azure Monitor Logs](https://docs.microsoft.com/azure/azure-monitor/log-query/log-search-transition). Your Update Compliance solution will be automatically upgraded to Azure Monitor Logs, and the data available in Perspectives will be migrated to a set of queries in the [Needs Attention section](update-compliance-need-attention.md) of Update Compliance. - ## Introduction Update Compliance enables organizations to: diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 32b31d106f..bf3f571358 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -115,7 +115,8 @@ If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_M You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: *.download.windowsupdate.com -*.dl.delivery.mp.microsoft.com +*.dl.delivery.mp.microsoft.com +*.delivery.mp.microsoft.com *.emdl.ws.microsoft.com If you cannot permit RANGE requests, keep in mind that this means you are downloading more content than needed in updates (as delta patching will not work). @@ -166,6 +167,10 @@ Check that your device can access these Windows Update endpoints: - `http://*.download.windowsupdate.com` - `http://wustat.windows.com` - `http://ntservicepack.microsoft.com` +- `https://*.prod.do.dsp.mp.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` +- `https://*.delivery.mp.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` Allow these endpoints for future use. diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 61f9a5cf61..fe1e8ae442 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md @@ -64,10 +64,10 @@ A final set of changes includes two new policies that can help you fine-tune dia - The **Limit dump collection** policy is a new policy that can be used to limit the types of [crash dumps](https://docs.microsoft.com/windows/win32/dxtecharts/crash-dump-analysis) that can be sent back to Microsoft. If this policy is enabled, Windows Error Reporting will send only kernel mini dumps and user mode triage dumps. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Dump Collection** - - MDM policy: System/ LimitDiagnosticLogCollection + - MDM policy: System/LimitDumpCollection - The **Limit diagnostic log collection** policy is another new policy that limits the number of diagnostic logs that are sent back to Microsoft. If this policy is enabled, diagnostic logs are not sent back to Microsoft. - Group Policy: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Limit Diagnostic Log Collection** - - MDM policy: System/LimitDumpCollection + - MDM policy: System/LimitDiagnosticLogCollection >[!Important] >All of the changes mentioned in this section will not be released on versions of Windows, version 1809 and earlier as well as Windows Server 2019 and earlier. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 6e1445768e..0686de8a9a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -44,11 +44,12 @@ Windows Hello for Business uses asymmetric keys as user credentials (rather than Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. +1. Mount the ISO file (or insert the DVD) containing the Windows Server 2016 or later installation media. +2. Open an elevated command prompt. +3. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. +4. To update the schema, type ```adprep /forestprep```. +5. Read the Adprep Warning. Type the letter **C** and press **Enter** to update the schema. +6. Close the Command Prompt and sign-out. ## Create the KeyCredential Admins Security Global Group diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index babc49afc3..390355cb33 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -77,9 +77,7 @@ Communicating with Azure Active Directory uses the following URLs: - login.windows.net If your environment uses Microsoft Intune, you need these additional URLs: -- enrollment.manage-beta.microsoft.com - enrollment.manage.microsoft.com -- portal.manage-beta.microsoft.com - portal.manage.microsoft.com ## What is the difference between non-destructive and destructive PIN reset? diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index 0a52de0945..028fdd4868 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -49,7 +49,7 @@ In this task you will ### Configure Active Directory to support Domain Administrator enrollment -The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. +The designed Windows Hello for Business configuration gives the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy. Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8df0ef33bb..d95d915f91 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -301,35 +301,32 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted Sign-in a workstation with access equivalent to a _domain user_. -1. Sign-in to the [Azure Portal](https://portal.azure.com/). -2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. -3. Click **device enrollment**. -4. Click **Windows enrollment** -5. Under **Windows enrollment**, click **Windows Hello for Business**. -  -6. Under **Priority**, click **Default**. -7. Under **All users and all devices**, click **Settings**. -8. Select **Enabled** from the **Configure Windows Hello for Business** list. -9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys. -10. Type the desired **Minimum PIN length** and **Maximum PIN length**. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). +2. Select **Devices**. +3. Choose **Enroll devices**. +4. Select **Windows enrollment**. +5. Under **Windows enrollment**, select **Windows Hello for Business**. +  +6. Select **Enabled** from the **Configure Windows Hello for Business** list. +7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys. +8. Enter the desired **Minimum PIN length** and **Maximum PIN length**. > [!IMPORTANT] - > The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6. + > The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six. - - -11. Select the appropriate configuration for the following settings. +9. Select the appropriate configuration for the following settings: * **Lowercase letters in PIN** * **Uppercase letters in PIN** * **Special characters in PIN** * **PIN expiration (days)** * **Remember PIN history** + > [!NOTE] > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. -12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. -13. Select **No** to **Allow phone sign-in**. This feature has been deprecated. -14. Click **Save** -15. Sign-out of the Azure portal. +10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. +11. Select **No** to **Allow phone sign-in**. This feature has been deprecated. +12. Choose **Save**. +13. Sign out of the Microsoft Endpoint Manager admin center. > [!IMPORTANT] > For more details about the actual experience after everything has been configured, please see [Windows Hello for Business and Authentication](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 00c8e2e6f2..8a9763ebcd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -71,7 +71,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > 2. Right click "Scope Descriptions" and select "Add Scope Description". > 3. Under name type "ugs" and Click Apply > OK. > 4. Launch Powershell as Administrator. -> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. +> 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier is equal to 38aa3b87-a06d-4817-b275-7a316988d93b and make a note of the ObjectIdentifier. > 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier
| Requirement | -Description | -
|---|---|
Hardware configuration |
-The computer must meet the minimum requirements for the supported Windows versions. |
-
Operating system |
-BitLocker is an optional feature which can be installed by Server Manager on Windows Server 2012 and later. |
-
Hardware TPM |
-TPM version 1.2 or 2.0 -A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication. |
-
BIOS configuration |
-
|
-
File system |
-For computers that boot natively with UEFI firmware, at least one FAT32 partition for the system drive and one NTFS partition for the operating system drive. -For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. -For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition. |
-
Hardware encrypted drive prerequisites (optional) |
-To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled. |
-
A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.| +|BIOS configuration|
For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive.
For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.| +|Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.| + Upon passing the initial configuration, users are required to enter a password for the volume. If the volume does not pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken. Once a strong password has been created for the volume, a recovery key will be generated. The BitLocker Drive Encryption Wizard will prompt for a location to save this key. A BitLocker recovery key is a special key that you can create when you turn on BitLocker Drive Encryption for the first time on each drive that you encrypt. You can use the recovery key to gain access to your computer if the drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption and BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up. A recovery key can also be used to gain access to your files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason you forget the password or your computer cannot access the drive. @@ -106,8 +72,9 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W It is recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option. -> **Note:** Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. - +> [!NOTE] +> Deleted files appear as free space to the file system, which is not encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools. + Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. It is recommended to run this system check before starting the encryption process. If the system check is not run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows. After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel. @@ -143,52 +110,20 @@ The following table shows the compatibility matrix for systems that have been Bi Table 1: Cross compatibility for Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes -
Encryption Type |
-Windows 10 and Windows 8.1 |
-Windows 8 |
-Windows 7 |
-
Fully encrypted on Windows 8 |
-Presents as fully encrypted |
-N/A |
-Presented as fully encrypted |
-
Used Disk Space Only encrypted on Windows 8 |
-Presents as encrypt on write |
-N/A |
-Presented as fully encrypted |
-
Fully encrypted volume from Windows 7 |
-Presents as fully encrypted |
-Presented as fully encrypted |
-N/A |
-
Partially encrypted volume from Windows 7 |
-Windows 10 and Windows 8.1 will complete encryption regardless of policy |
-Windows 8 will complete encryption regardless of policy |
-N/A |
-
Name |
-Parameters |
+Name |
+Parameters |
Add-BitLockerKeyProtector |
+Add-BitLockerKeyProtector |
-ADAccountOrGroup -ADAccountOrGroupProtector -Confirm @@ -279,26 +215,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us-WhatIf |
|
Backup-BitLockerKeyProtector |
+Backup-BitLockerKeyProtector |
-Confirm -KeyProtectorId -MountPoint -WhatIf |
|
Disable-BitLocker |
+Disable-BitLocker |
-Confirm -MountPoint -WhatIf |
|
Disable-BitLockerAutoUnlock |
+Disable-BitLockerAutoUnlock |
-Confirm -MountPoint -WhatIf |
|
Enable-BitLocker |
+Enable-BitLocker |
-AdAccountOrGroup -AdAccountOrGroupProtector -Confirm @@ -323,44 +259,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us-WhatIf |
|
Enable-BitLockerAutoUnlock |
+Enable-BitLockerAutoUnlock |
-Confirm -MountPoint -WhatIf |
|
Get-BitLockerVolume |
+Get-BitLockerVolume |
-MountPoint |
|
Lock-BitLocker |
+Lock-BitLocker |
-Confirm -ForceDismount -MountPoint -WhatIf |
|
Remove-BitLockerKeyProtector |
+Remove-BitLockerKeyProtector |
-Confirm -KeyProtectorId -MountPoint -WhatIf |
|
Resume-BitLocker |
+Resume-BitLocker |
-Confirm -MountPoint -WhatIf |
|
Suspend-BitLocker |
+Suspend-BitLocker |
-Confirm -MountPoint -RebootCount -WhatIf |
|
Unlock-BitLocker |
+Unlock-BitLocker |
-AdAccountOrGroup -Confirm -MountPoint @@ -372,28 +308,38 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us |
Get-BitLocker volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
-Occasionally, all protectors may not be shown when using Get-BitLockerVolume due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
-> **Note:** In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
-
-`Get-BitLockerVolume C: | fl`
+Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
+
+A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
+
+Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
+
+> [!NOTE]
+> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
+
+```powershell
+Get-BitLockerVolume C: | fl
+```
If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below:
+
```powershell
$vol = Get-BitLockerVolume
$keyprotectors = $vol.KeyProtector
```
+
Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector.
Using this information, we can then remove the key protector for a specific volume using the command:
+
```powershell
Remove-BitLockerKeyProtector Policy description |
-With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices. |
-
Introduced |
-Windows 10, version 1703 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-This setting overrides the Require startup PIN with TPM option of the Require additional authentication at startup policy on compliant hardware. +||| +|--- |--- | +|Policy description|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.| +|Introduced|Windows 10, version 1703| +|Drive type|Operating system drives| +|Policy path|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives| +|Conflicts|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.| +|When enabled|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.| +|When disabled or not configured|The options of the [Require additional authentication at startup](#bkmk-unlockpol1) policy apply.| - |
-
When enabled |
-Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication. |
-
When disabled or not configured |
-The options of the Require additional authentication at startup policy apply. |
-
Policy description |
-With this policy setting, you can control whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors. |
-
When disabled or not configured |
-Clients cannot create and use Network Key Protectors |
-
Policy description |
-With this policy setting, you can configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-If one authentication method is required, the other methods cannot be allowed. -Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. |
-
When enabled |
-Users can configure advanced startup options in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-Users can configure only basic options on computers with a TPM. -Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs. |
-
Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.| -Reference +**Reference** If you want to use BitLocker on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive. @@ -276,101 +194,46 @@ There are four options for TPM-enabled computers or devices: This policy setting permits the use of enhanced PINs when you use an unlock method that includes a PIN. -
Policy description |
-With this policy setting, you can configure whether enhanced startup PINs are used with BitLocker. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs are not affected. |
-
When disabled or not configured |
-Enhanced PINs will not be used. |
-
Policy description |
-With this policy setting, you can configure a minimum length for a TPM startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can require that startup PINs set by users must have a minimum length you choose that is between 4 and 20 digits. |
-
When disabled or not configured |
-Users can configure a startup PIN of any length between 6 and 20 digits. |
-
Policy description |
-With this policy setting, you can configure whether standard users are allowed to change the PIN or password used to protect the operating system drive. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-Standard users are not allowed to change BitLocker PINs or passwords. |
-
When disabled or not configured |
-Standard users are permitted to change BitLocker PINs or passwords. |
-
Policy description |
-With this policy setting, you can specify the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-Passwords cannot be used if FIPS-compliance is enabled. -
-Note
-The System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled. -
-
- |
-
When enabled |
-Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select Require complexity. |
-
When disabled or not configured |
-The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. |
-
**NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options** specifies whether FIPS-compliance is enabled.|
+|When enabled|Users can configure a password that meets the requirements you define. To enforce complexity requirements for the password, select **Require complexity**.|
+|When disabled or not configured|The default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.|
**Reference**
If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting **Password must meet complexity requirements**, which is located at **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\** must be also enabled.
->**Note:** These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
+> [!NOTE]
+> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there is no password complexity validation.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
@@ -516,44 +318,17 @@ When this policy setting is enabled, you can set the option **Configure password
This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista.
-
Policy description |
-With this policy setting, you can control whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives (Windows Server 2008 and Windows Vista) |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-If you choose to require an additional authentication method, other authentication methods cannot be allowed. |
-
When enabled |
-The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. You can further configure setting options for computers with or without a TPM. |
-
When disabled or not configured |
-The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured. |
-
Policy description |
-With this policy setting, you can specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-
When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on fixed data drives check box. |
-
When disabled |
-Users cannot use smart cards to authenticate their access to BitLocker-protected fixed data drives. |
-
When not configured |
-Smart cards can be used to authenticate user access to a BitLocker-protected drive. |
-
Policy description |
-With this policy setting, you can specify whether a password is required to unlock BitLocker-protected fixed data drives. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-To use password complexity, the Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements policy setting must also be enabled. |
-
When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for fixed data drive. To enforce complexity requirements on the password, select Require complexity. |
-
When disabled |
-The user is not allowed to use a password. |
-
When not configured |
-Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-
Policy description |
-With this policy setting, you can specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-To use smart cards with BitLocker, you may also need to modify the object identifier setting in the Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance policy setting to match the object identifier of your smart card certificates. |
-
When enabled |
-Smart cards can be used to authenticate user access to the drive. You can require smart card authentication by selecting the Require use of smart cards on removable data drives check box. |
-
When disabled or not configured |
-Users are not allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives. |
-
When not configured |
-Smart cards are available to authenticate user access to a BitLocker-protected removable data drive. |
-
Policy description |
-With this policy setting, you can specify whether a password is required to unlock BitLocker-protected removable data drives. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-To use password complexity, the Password must meet complexity requirements policy setting, which is located at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy must also be enabled. |
-
When enabled |
-Users can configure a password that meets the requirements you define. To require the use of a password, select Require password for removable data drive. To enforce complexity requirements on the password, select Require complexity. |
-
When disabled |
-The user is not allowed to use a password. |
-
When not configured |
-Passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters. |
-
Policy description |
-With this policy setting, you can associate an object identifier from a smart card certificate to a BitLocker-protected drive. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed and removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-The object identifier that is specified in the Object identifier setting must match the object identifier in the smart card certificate. |
-
When disabled or not configured |
-The default object identifier is used. |
-
Policy description |
-With this policy setting, you can allow users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive |
-
Conflicts |
-None |
-
When enabled |
-Devices must have an alternative means of preboot input (such as an attached USB keyboard). |
-
When disabled or not configured |
-The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password. |
-
Policy description |
-With this policy setting, you can set whether BitLocker protection is required for fixed data drives to be writable on a computer. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-See the Reference section for a description of conflicts. |
-
When enabled |
-All fixed data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-
When disabled or not configured |
-All fixed data drives on the computer are mounted with Read and Write access. |
-
Policy description |
-With this policy setting, you can configure whether BitLocker protection is required for a computer to be able to write data to a removable data drive. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-See the Reference section for a description of conflicts. |
-
When enabled |
-All removable data drives that are not BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it is mounted with Read and Write access. |
-
When disabled or not configured |
-All removable data drives on the computer are mounted with Read and Write access. |
-
Policy description |
-With this policy setting, you can control the use of BitLocker on removable data drives. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled |
-You can select property settings that control how users can configure BitLocker. |
-
When disabled |
-Users cannot use BitLocker on removable data drives. |
-
When not configured |
-Users can use BitLocker on removable data drives. |
-
Policy description |
-With this policy setting, you can control the encryption method and strength for drives. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. |
-
When disabled or not configured |
-Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy. |
-
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-None |
-
When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
When disabled |
-BitLocker cannot use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. - |
-
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
When disabled |
-BitLocker cannot use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-
Policy description |
-With this policy setting, you can manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Removable data drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled |
-You can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption. You can also specify whether you want to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption. |
-
When disabled |
-BitLocker cannot use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted. |
-
When not configured |
-BitLocker software-based encryption is used irrespective of hardware-based encryption ability. |
-
Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Fixed data drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-None |
-
When enabled |
-This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
Policy description |
-With this policy setting, you can configure the encryption type that is used by BitLocker. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Removable data drive |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled |
-The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option is not presented in the BitLocker Setup Wizard. |
-
When disabled or not configured |
-The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker. |
-
Policy description |
-With this policy setting, you can control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. -When using data recovery agents, you must enable the Provide the unique identifiers for your organization policy setting. |
-
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected operating system drives. |
-
When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
When using data recovery agents, you must enable the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected operating system drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -1501,50 +805,24 @@ In **Save BitLocker recovery information to Active Directory Domain Services**, Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated. ### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista. -
Policy description |
-With this policy setting, you can control whether the BitLocker Setup Wizard can display and specify BitLocker recovery options. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If you choose the Do not allow option for both user recovery options, you must enable the Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) policy setting to prevent a policy error. |
-
When enabled |
-You can configure the options that the Bitlocker Setup Wizard displays to users for recovering BitLocker encrypted data. |
-
When disabled or not configured |
-The BitLocker Setup Wizard presents users with ways to store recovery options. |
-
Policy description |
-With this policy setting, you can manage the AD DS backup of BitLocker Drive Encryption recovery information. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista. |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. |
-
When disabled or not configured |
-BitLocker recovery information is not backed up to AD DS. |
-
Policy description |
-With this policy setting, you can specify the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password. |
-
Introduced |
-Windows Vista |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-You can specify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can specify a fully qualified path or include the target computer's environment variables in the path. If the path is not valid, the BitLocker Setup Wizard displays the computer's top-level folder view. |
-
When disabled or not configured |
-The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder. |
-
Policy description |
-With this policy setting, you can control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. -When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives. |
-
When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
When using data recovery agents, you must enable and configure the **Provide the unique identifiers for your organization** policy setting.| +|When enabled|You can control the methods that are available to users to recover data from BitLocker-protected fixed data drives.| +|When disabled or not configured|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS.| -Reference +**Reference** This policy setting is applied when you turn on BitLocker. @@ -1717,55 +916,29 @@ Select **Omit recovery options from the BitLocker setup wizard** to prevent user In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, you can use the **Repair-bde** command-line tool. If you select **Backup recovery password only**, only the recovery password is stored in AD DS. -For more information about the BitLocker repair tool, see [Repair-bde](https://technet.microsoft.com/library/ff829851.aspx). +For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde). Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. ->**Note:** If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. +> [!NOTE] +> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated. ### Choose how BitLocker-protected removable drives can be recovered This policy setting is used to configure recovery methods for removable data drives. -
Policy description |
-With this policy setting, you can control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-You must disallow the use of recovery keys if the Deny write access to removable drives not protected by BitLocker policy setting is enabled. -When using data recovery agents, you must enable and configure the Provide the unique identifiers for your organization policy setting. |
-
When enabled |
-You can control the methods that are available to users to recover data from BitLocker-protected removable data drives. |
-
When disabled or not configured |
-The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information is not backed up to AD DS. |
-
Policy description |
-With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL. |
-
Introduced |
-Windows 10 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL |
-
Conflicts |
-None |
-
When enabled |
-The customized message and URL are displayed on the pre-boot recovery screen. If you have previously enabled a custom recovery message and URL and want to revert to the default message and URL, you must keep the policy setting enabled and select the Use default recovery message and URL option. |
-
When disabled or not configured |
-If the setting has not been previously enabled the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is subsequently disabled the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message. |
-
Policy description |
-With this policy setting, you can configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-If you enable Allow Secure Boot for integrity validation, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting is not enabled or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation. -For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-
When enabled or not configured |
-BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation. |
-
When disabled |
-BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation. |
-
For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled or not configured|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.| +|When disabled|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.| -Reference +**Reference** Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing preboot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8. When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored, and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker. ->**Warning:** Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. +> [!WARNING] +> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If you disable this policy, suspend BitLocker prior to applying firmware updates. ### Provide the unique identifiers for your organization This policy setting is used to establish an identifier that is applied to all drives that are encrypted in your organization. -
Policy description |
-With this policy setting, you can associate unique organizational identifiers to a new drive that is enabled with BitLocker. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it is identical to the value that is configured on the computer. |
-
When enabled |
-You can configure the identification field on the BitLocker-protected drive and any allowed identification field that is used by your organization. |
-
When disabled or not configured |
-The identification field is not required. |
-
Policy description |
-With this policy setting, you can control computer restart performance at the risk of exposing BitLocker secrets. |
-
Introduced |
-Windows Vista |
-
Drive type |
-All drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption |
-
Conflicts |
-None |
-
When enabled |
-The computer will not overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets. |
-
When disabled or not configured |
-BitLocker secrets are removed from memory when the computer restarts. |
-
Policy description |
-With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
When disabled or not configured |
-The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
Policy description |
-With this policy setting, you can configure how the computer's TPM security hardware secures the BitLocker encryption key. |
-
Introduced |
-Windows Server 2008 and Windows Vista |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-You can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
When disabled or not configured |
-The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
Policy description |
-With this policy setting, you can configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-Setting this policy with PCR 7 omitted, overrides the Allow Secure Boot for integrity validation Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation. -If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured. -For more information about PCR 7, see Platform Configuration Register (PCR) in this topic. |
-
When enabled |
-Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive. |
-
When disabled or not configured |
-BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script. |
-
If your environments use TPM and Secure Boot for platform integrity checks, this policy should not be configured.
For more information about PCR 7, see [Platform Configuration Register (PCR)](#bkmk-pcr) in this topic.| +|When enabled|Before you turn on BitLocker, you can configure the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.| +|When disabled or not configured|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.| -Reference +**Reference** This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker is already turned on with TPM protection. ->**Important:** This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. +> [!IMPORTANT] +> This Group Policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). @@ -2210,54 +1200,25 @@ The following list identifies all of the PCRs available: - PCR 14: Boot Authorities - PCR 15 – 23: Reserved for future use ->**Warning:** Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. +> [!WARNING] +> Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs. ### Reset platform validation data after BitLocker recovery This policy setting determines if you want platform validation data to refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23. -
Policy description |
-With this policy setting, you can control whether platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-None |
-
When enabled |
-Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
When disabled |
-Platform validation data is not refreshed when Windows is started following a BitLocker recovery. |
-
When not configured |
-Platform validation data is refreshed when Windows is started following a BitLocker recovery. |
-
Policy description |
-With this policy setting, you can specify Boot Configuration Data (BCD) settings to verify during platform validation. |
-
Introduced |
-Windows Server 2012 and Windows 8 |
-
Drive type |
-Operating system drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives |
-
Conflicts |
-When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the Use enhanced Boot Configuration Data validation profile Group Policy setting is ignored (as defined by the Allow Secure Boot for integrity validation Group Policy setting). |
-
When enabled |
-You can add additional BCD settings, exclude the BCD settings you specify, or combine inclusion and exclusion lists to create a customized BCD validation profile, which gives you the ability to verify those BCD settings. |
-
When disabled |
-The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7. |
-
When not configured |
-The computer verifies the default BCD settings in Windows. |
-
Policy description |
-With this policy setting, you can configure whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2). |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Fixed data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives |
-
Conflicts |
-None |
-
When enabled and When not configured |
-Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-
When disabled |
-Fixed data drives that are formatted with the FAT file system and are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-
Policy description |
-With this policy setting, you can configure whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. |
-
Introduced |
-Windows Server 2008 R2 and Windows 7 |
-
Drive type |
-Removable data drives |
-
Policy path |
-Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives |
-
Conflicts |
-None |
-
When enabled and When not configured |
-Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives. |
-
When disabled |
-Removable data drives that are formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) is not installed. |
-
Policy description |
-Notes |
-
Introduced |
-Windows Server 2003 with SP1 |
-
Drive type |
-System-wide |
-
Policy path |
-Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
-
Conflicts |
-Some applications, such as Terminal Services, do not support FIPS-140 on all operating systems. |
-
When enabled |
-Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password. |
-
When disabled or not configured |
-No BitLocker encryption key is generated |
-
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 771169d40b..59f32f84e6 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -17,6 +17,9 @@ manager: dansimp Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +> [!NOTE] +> In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. ## The Solution A script can help you with an alternative to MBSA’s patch-compliance checking: diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md index c8bcc9a9ad..6fca122159 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md @@ -13,7 +13,7 @@ ms.author: deniseb ms.custom: nextgen ms.reviewer: manager: dansimp -ms.date: 09/04/2020 +ms.date: 09/10/2020 --- # Manage Microsoft Defender Antivirus updates and apply baselines @@ -31,6 +31,10 @@ There are two types of updates related to keeping Microsoft Defender Antivirus u > Keeping Microsoft Defender Antivirus up to date is critical to assure your devices have the latest technology and features needed to protect against new malware and attack techniques. > This also applies to devices where Microsoft Defender Antivirus is running in [passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility). +> [!NOTE] +> You can use the below URL to find out what are the current versions: +> [https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info](https://www.microsoft.com/security/encyclopedia/adlpackages.aspx?action=info) + ## Security intelligence updates Microsoft Defender Antivirus uses [cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloads security intelligence updates to provide protection. @@ -59,11 +63,11 @@ All our updates contain: * integration improvements (Cloud, MTP)
-
`1` = Disabled
`2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled
**Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. + +#### Firefox policies + +These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
`true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. + +## Troubleshooting guide + + + +Error message | Cause | Actions +-|-|- +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser +ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation +Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser 2. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Check if Edge is working 3. Retry the operation + +## Related articles + +- [Microsoft Defender Application Guard overview](md-app-guard-overview.md) +- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9a278e3b9b..67723aa1a3 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -18,7 +18,7 @@ ms.custom: asr **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? @@ -42,10 +42,11 @@ Application Guard has been created to target several types of systems: ## Related articles -|Article |Description | -|------|------------| +|Article | Description | +|--------|-------------| |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| +| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index e2a6d3e0ec..9fb1380e27 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -15,36 +15,34 @@ ms.custom: asr # Application Guard testing scenarios +**Applies to:** -**Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. - ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. ### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.  - + 3. Wait for Application Guard to set up the isolated environment. >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. - + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.  -## Application Guard in Enterprise-managed mode +## Application Guard in Enterprise-managed mode How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. @@ -59,7 +57,7 @@ Before you can use Application Guard in enterprise mode, you must install Window 3. Set up the Network Isolation settings in Group Policy: a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. @@ -81,14 +79,14 @@ Before you can use Application Guard in enterprise mode, you must install Window >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type www.microsoft.com. - +6. Start Microsoft Edge and type *https://www.microsoft.com*. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.  7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. - + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.  @@ -108,6 +106,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** + - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 @@ -116,24 +115,24 @@ You have the option to change each of these settings to work with your enterpris 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**. 2. Click **Enabled** and click **OK**. - +  3. Choose how the clipboard works: - + - Copy and paste from the isolated session to the host PC - + - Copy and paste from the host PC to the isolated session - + - Copy and paste both directions 4. Choose what can be copied: - - - **1.** Only text can be copied between the host PC and the isolated container. - - **2.** Only images can be copied between the host PC and the isolated container. + - Only text can be copied between the host PC and the isolated container. - - **3.** Both text and images can be copied between the host PC and the isolated container. + - Only images can be copied between the host PC and the isolated container. + + - Both text and images can be copied between the host PC and the isolated container. 5. Click **OK**. @@ -156,21 +155,26 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**.  - + 3. Open Microsoft Edge and browse to an untrusted, but safe URL. - The website opens in the isolated session. + The website opens in the isolated session. 4. Add the site to your **Favorites** list and then close the isolated session. -5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. The previously added site should still appear in your **Favorites** list. - >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. - + > [!NOTE] + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > + > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. + > + > **To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + **Applies to:** + - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 @@ -181,10 +185,10 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**.  - + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Download a file from Microsoft Defender Application Guard. +4. Download a file from Microsoft Defender Application Guard. 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. @@ -195,12 +199,13 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**.  - -3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Assess the visual experience and battery performance. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +4. Assess the visual experience and battery performance. **Applies to:** + - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 @@ -210,11 +215,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. -  - +  + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open a file in Edge, such an Office 365 file. +4. Open a file in Edge, such an Office 365 file. 5. Check to see that an antivirus scan completed before the file was opened. @@ -224,11 +229,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. -  - +  + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Edge. 5. Check that the camera and microphone work as expected. @@ -238,7 +243,20 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. -  - +  + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +## Application Guard Extension for third-party web browsers + +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. + +Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. + +1. Open either Firefox or Chrome — whichever browser you have the extension installed on. +1. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. +  +1. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. +  +1. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** +  diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index d5802d8faf..96506eaa8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -198,4 +198,4 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index e605898b2f..893c9a3eaa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -95,5 +95,4 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 9cc9cb48ba..861f8c6cd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -50,5 +50,4 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index 84b5f2a664..bd35122350 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index f081c6ad4a..b54b1ac8a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -1,6 +1,6 @@ --- -title: Turning on network protection -description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. +title: Turn on network protection +description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -14,7 +14,7 @@ ms.reviewer: manager: dansimp --- -# Turning on network protection +# Turn on network protection **Applies to:** @@ -22,6 +22,8 @@ manager: dansimp [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. +[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering) + ## Check if network protection is enabled Check if network protection has been enabled on a local device by using Registry editor. @@ -40,9 +42,8 @@ Check if network protection has been enabled on a local device by using Registry Enable network protection by using any of these methods: * [PowerShell](#powershell) -* [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mobile-device-management-mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune) * [Group Policy](#group-policy) ### PowerShell @@ -62,41 +63,17 @@ Enable network protection by using any of these methods: Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. -### Intune - -1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. - -2. Go to **Device configuration** > **Profiles** > **Create profile**. - -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - -  - -4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - -  - -5. Select **OK** to save each open section and **Create**. - -6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**. - -### Mobile Device Management (MDM) +### Mobile device management (MDM) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -## Microsoft Endpoint Configuration Manager +### Microsoft Endpoint Manager (formerly Intune) -1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) -2. Then go to **Home** > **Create Exploit Guard Policy**. +2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) -3. Enter a name and a description, select **Network protection**, and then **Next**. - -4. Choose whether to block or audit access to suspicious domains and select **Next**. - -5. Review the settings and select **Next** to create the policy. - -6. After the policy is created, **Close**. +3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only** ### Group Policy @@ -112,6 +89,9 @@ Use the following procedure to enable network protection on domain-joined comput 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. +> [!NOTE] +> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus." + 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: * **Block** - Users can't access malicious IP addresses and domains * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png new file mode 100644 index 0000000000..e1003dbe5c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png new file mode 100644 index 0000000000..d631a23a7a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png new file mode 100644 index 0000000000..624db40b02 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png new file mode 100644 index 0000000000..00757fde1a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png new file mode 100644 index 0000000000..3222b1f66d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png new file mode 100644 index 0000000000..8979120d8f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png new file mode 100644 index 0000000000..6b378bc697 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png new file mode 100644 index 0000000000..ac2634f33b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png new file mode 100644 index 0000000000..157e426bc0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png new file mode 100644 index 0000000000..32a776aef9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png new file mode 100644 index 0000000000..9f4126d345 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png new file mode 100644 index 0000000000..6ffdab3e67 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png new file mode 100644 index 0000000000..7f542a3c8c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png new file mode 100644 index 0000000000..d0679c71a7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png new file mode 100644 index 0000000000..2f6d99294b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png new file mode 100644 index 0000000000..88682c78a0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png new file mode 100644 index 0000000000..ca1ff72715 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png new file mode 100644 index 0000000000..72a6a9e334 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png new file mode 100644 index 0000000000..5e7cf47523 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png new file mode 100644 index 0000000000..026b643022 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png new file mode 100644 index 0000000000..2775ac9cda Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png new file mode 100644 index 0000000000..fa53f0826c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png new file mode 100644 index 0000000000..d4fd512845 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png new file mode 100644 index 0000000000..8db6715ccd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png new file mode 100644 index 0000000000..24eede07b8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png new file mode 100644 index 0000000000..2159bbe1ad Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png new file mode 100644 index 0000000000..7935e15763 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png new file mode 100644 index 0000000000..82c5aa9d19 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png new file mode 100644 index 0000000000..41be549fd6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png new file mode 100644 index 0000000000..be6531a2f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png new file mode 100644 index 0000000000..2111e5ee9c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png new file mode 100644 index 0000000000..f0d844cbf7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png new file mode 100644 index 0000000000..696a84fc1b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png new file mode 100644 index 0000000000..feff40a8fa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png new file mode 100644 index 0000000000..1b3302994b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png new file mode 100644 index 0000000000..b7a63ecc3e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png new file mode 100644 index 0000000000..7c2c572329 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png new file mode 100644 index 0000000000..2b44054fc5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png new file mode 100644 index 0000000000..85d6d6dd51 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png new file mode 100644 index 0000000000..e49c575125 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png new file mode 100644 index 0000000000..2dd6492036 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png new file mode 100644 index 0000000000..912ae2f634 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png new file mode 100644 index 0000000000..741d4af9b9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png new file mode 100644 index 0000000000..a588c74aae Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png new file mode 100644 index 0000000000..835c7fbd32 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md new file mode 100644 index 0000000000..1a7490d88e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md @@ -0,0 +1,226 @@ +--- +title: Microsoft Defender ATP for iOS Application license terms +ms.reviewer: +description: Describes the Microsoft Defender ATP for iOS license terms +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: sunasing +author: sunasing +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +hideEdit: true +--- + +# Microsoft Defender ATP for iOS application license terms + +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP + +These license terms ("Terms") are an agreement between Microsoft Corporation (or +based on where you live, one of its affiliates) and you. Please read them. They +apply to the application named above. These Terms also apply to any Microsoft + +- updates, + +- supplements, + +- Internet-based services, and + +- support services + +for this application, unless other terms accompany those items. If so, those +terms apply. + +**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, +DO NOT USE THE APPLICATION.** + +**If you comply with these Terms, you have the perpetual rights below.** + +1. **INSTALLATION AND USE RIGHTS.** + + 1. **Installation and Use.** You may install and use any number of copies + of this application on iOS enabled device or devices which you own + or control. You may use this application with your company's valid + subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or + an online service that includes MDATP functionalities. + + 2. **Updates.** Updates or upgrades to MDATP may be required for full + functionality. Some functionality may not be available in all countries. + + 3. **Third Party Programs.** The application may include third party + programs that Microsoft, not the third party, licenses to you under this + agreement. Notices, if any, for the third-party program are included for + your information only. + +2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to + Internet access, data transfer and other services per the terms of the data + service plan and any other agreement you have with your network operator due + to use of the application. You are solely responsible for any network + operator charges. + +3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with + the application. It may change or cancel them at any time. + + 1. Consent for Internet-Based or Wireless Services. The application may + connect to Internet-based wireless services. Your use of the application + operates as your consent to the transmission of standard device + information (including but not limited to technical information about + your device, system and application software, and peripherals) for + Internet-based or wireless services. If other terms are provided in + connection with your use of the services, those terms also apply. + + - Data. Some online services require, or may be enhanced by, the + installation of local software like this one. At your, or your + admin's direction, this software may send data from a device to or + from an online service. + + - Usage Data. Microsoft automatically collects usage and performance + data over the internet. This data will be used to provide and + improve Microsoft products and services and enhance your experience. + You may limit or control collection of some usage and performance + data through your device settings. Doing so may disrupt your use of + certain features of the application. For additional information on + Microsoft's data collection and use, see the [Online Services + Terms](https://go.microsoft.com/fwlink/?linkid=2106777). + + 2. Misuse of Internet-based Services. You may not use any Internet-based + service in any way that could harm it or impair anyone else's use of it + or the wireless network. You may not use the service to try to gain + unauthorized access to any service, data, account or network by any + means. + +4. **FEEDBACK.** If you give feedback about the application to Microsoft, you + give to Microsoft, without charge, the right to use, share and commercialize + your feedback in any way and for any purpose. You also give to third + parties, without charge, any patent rights needed for their products, + technologies and services to use or interface with any specific parts of a + Microsoft software or service that includes the feedback. You will not give + feedback that is subject to a license that requires Microsoft to license its + software or documentation to third parties because we include your feedback + in them. These rights survive this agreement. + +5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement + only gives you some rights to use the application. Microsoft reserves all + other rights. Unless applicable law gives you more rights despite this + limitation, you may use the application only as expressly permitted in this + agreement. In doing so, you must comply with any technical limitations in + the application that only allow you to use it in certain ways. You may not + + - work around any technical limitations in the application; + + - reverse engineer, decompile or disassemble the application, except and + only to the extent that applicable law expressly permits, despite this + limitation; + + - make more copies of the application than specified in this agreement or + allowed by applicable law, despite this limitation; + + - publish the application for others to copy; + + - rent, lease or lend the application; or + + - transfer the application or this agreement to any third party. + +6. **EXPORT RESTRICTIONS.** The application is subject to United States export + laws and regulations. You must comply with all domestic and international + export laws and regulations that apply to the application. These laws + include restrictions on destinations, end users and end use. For additional + information, + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). + +7. **SUPPORT SERVICES.** Because this application is "as is," we may not + provide support services for it. If you have any issues or questions about + your use of this application, including questions about your company's + privacy policy, please contact your company's admin. Do not contact the + application store, your network operator, device manufacturer, or Microsoft. + The application store provider has no obligation to furnish support or + maintenance with respect to the application. + +8. **APPLICATION STORE.** + + 1. If you obtain the application through an application store (e.g., App + Store), please review the applicable application store terms to ensure + your download and use of the application complies with such terms. + Please note that these Terms are between you and Microsoft and not with + the application store. + + 2. The respective application store provider and its subsidiaries are third + party beneficiaries of these Terms, and upon your acceptance of these + Terms, the application store provider(s) will have the right to directly + enforce and rely upon any provision of these Terms that grants them a + benefit or rights. + +9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and + Microsoft 365 are registered or common-law trademarks of Microsoft + Corporation in the United States and/or other countries. + +10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates, + Internet-based services, and support services that you use are the entire + agreement for the application and support services. + +11. **APPLICABLE LAW.** + + 1. **United States.** If you acquired the application in the United States, + Washington state law governs the interpretation of this agreement and + applies to claims for breach of it, regardless of conflict of laws + principles. The laws of the state where you live govern all other + claims, including claims under state consumer protection laws, unfair + competition laws, and in tort. + + 2. **Outside the United States.** If you acquired the application in any + other country, the laws of that country apply. + +12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may + have other rights under the laws of your country. You may also have rights + with respect to the party from whom you acquired the application. This + agreement does not change your rights under the laws of your country if the + laws of your country do not permit it to do so. + +13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL + FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND + WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND + EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO + EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE + APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE + ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL + CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO + THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE + IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NON-INFRINGEMENT.** + + **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.** + +14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT + PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO + ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER + DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR + INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.** + +This limitation applies to: + +- anything related to the application, services, content (including code) on + third party Internet sites, or third party programs; and + +- claims for breach of contract, warranty, guarantee or condition; consumer + protection; deception; unfair competition; strict liability, negligence, + misrepresentation, omission, trespass or other tort; violation of statute or + regulation; or unjust enrichment; all to the extent permitted by applicable + law. + +It also applies even if: + +a. Repair, replacement or refund for the application does not fully compensate + you for any losses; or + +b. Covered Parties knew or should have known about the possibility of the + damages. + +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md index 022658e40b..1200b24369 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with Configuration Manager diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md index 1e7317f3e8..299b6b807e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md index 6801853a3f..43b5a8c70c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md index 245b969459..8629492da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index f716c99579..f06086dbc1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -14,7 +14,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: article +ms.topic: conceptual +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection, post migration diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md new file mode 100644 index 0000000000..9676eaf9e7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md @@ -0,0 +1,59 @@ +--- +title: Migrate from McAfee to Microsoft Defender ATP +description: Make the switch from McAfee to Microsoft Defender ATP. Read this article for an overview. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +- m365solution-overview +ms.topic: conceptual +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee to Microsoft Defender Advanced Threat Protection + +If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration. + +## The migration process + +When you switch from McAfee to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table: + +|Phase |Description | +|--|--| +|[](mcafee-to-microsoft-defender-prepare.md)
[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. | +|[](mcafee-to-microsoft-defender-setup.md)
[Set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[](mcafee-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender ATP is in active mode. | + +## What's included in Microsoft Defender ATP? + +In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP. + +| Feature/Capability | Description | +|---|---| +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | +| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | +| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | +| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. | +| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | +| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. | +| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. | + +**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).** + +## Next step + +- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md new file mode 100644 index 0000000000..fcd726467f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md @@ -0,0 +1,92 @@ +--- +title: McAfee to Microsoft Defender ATP - Onboard +description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-McAfeemigrate +ms.custom: migrationguides +ms.topic: article +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender ATP + +|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |
Phase 3: Onboard | +|--|--|--| +|| |*You are here!* | + + +**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: + +1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp). +2. [Run a detection test](#run-a-detection-test). +3. [Uninstall McAfee](#uninstall-mcafee). +4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode). + +## Onboard devices to Microsoft Defender ATP + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. Choose **Settings** > **Device management** > **Onboarding**. + +3. In the **Select operating system to start onboarding process** list, select an operating system. + +4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods). + +### Onboarding methods + +Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding. + +|Operating system |Method | +|---------|---------| +|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | + +## Run a detection test + +To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test. + + +|Operating system |Guidance | +|---------|---------| +|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | + +## Uninstall McAfee + +Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall McAfee. + +To get help with this step, go to your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)). + +## Make sure Microsoft Defender ATP is in active mode + +Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode. + +To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following: +- Cloud-delivered protection +- Potentially Unwanted Applications (PUA) +- Network Protection (NP) + +## Next steps + +**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). +- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md new file mode 100644 index 0000000000..257ff56b22 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md @@ -0,0 +1,119 @@ +--- +title: McAfee to Microsoft Defender ATP - Prepare +description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +ms.topic: article +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 1: Prepare for your migration + +|
Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +|--|--|--| +|*You are here!*| | | + + +**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. + +This migration phase includes the following steps: +1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices) +2. [Get Microsoft Defender ATP](#get-microsoft-defender-atp). +3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). +4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). + +## Get and deploy updates across your organization's devices + +As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus. + +### Make sure your McAfee solution is up to date + +Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources: + +- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html) + +- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830) + +- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428) + +- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)) + +### Make sure your organization's devices are up to date + +Need help updating your organization's devices? See the following resources: + +|OS | Resource | +|:--|:--| +|Windows |[Microsoft Update](https://www.update.microsoft.com) | +|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)| +|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)| +|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) | +|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) | + +## Get Microsoft Defender ATP + +Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned. + +1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp). + +2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). + +3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). + +4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). + +At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +> [!NOTE] +> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. + +## Grant access to the Microsoft Defender Security Center + +The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). + +Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. + +1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). + +2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). + + If your organization requires a method other than Intune, choose one of the following options: + - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) + - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) + - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) + +3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). + +## Configure device proxy and internet connectivity settings + +To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: + +|Capabilities | Operating System | Resources | +|--|--|--| +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| +|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) + +## Next step + +**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Proceed to set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md new file mode 100644 index 0000000000..9d3017e042 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -0,0 +1,242 @@ +--- +title: McAfee to Microsoft Defender ATP - Setup +description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +ms.topic: article +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 2: Set up Microsoft Defender ATP + +|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +|--|--|--| +||*You are here!* | | + + +**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: +1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). +2. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-atp-to-the-exclusion-list-for-mcafee). +3. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus). +4. [Add McAfee to the exclusion list for Microsoft Defender ATP](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-atp). +5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). +6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). + +## Enable Microsoft Defender Antivirus and confirm it's in passive mode + +On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).) + +This step of the migration process includes the following tasks: +- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) +- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); +- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) +- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and +- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). + +### Set DisableAntiSpyware to false on Windows Server + +The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false: + +1. On your Windows Server device, open Registry Editor. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. + +3. In that folder, look for a DWORD entry called **DisableAntiSpyware**. + + - If you do not see that entry, you're all set. + + - If you do see **DisableAntiSpyware**, proceed to step 4. + +4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**. + +5. Set the value to `0`. (This sets the registry key's value to *false*.) + +> [!TIP] +> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware). + +### Reinstall Microsoft Defender Antivirus on Windows Server + +> [!NOTE] +> The following procedure applies only to endpoints or devices that are running the following versions of Windows: +> - Windows Server 2019 +> - Windows Server, version 1803 (core-only mode) +> - Windows Server 2016 + +1. As a local administrator on the endpoint or device, open Windows PowerShell. + +2. Run the following PowerShell cmdlets:
+ + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+ + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+ +3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
+ + `Get-Service -Name windefend` + +> [!TIP] +> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). + +### Set Microsoft Defender Antivirus to passive mode on Windows Server + +Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP. + +1. Open Registry Editor, and then navigate to
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + +2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: + + - Set the DWORD's value to **1**. + + - Under **Base**, select **Hexadecimal**. + +> [!NOTE] +> You can use other methods to set the registry key, such as the following: +>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) +>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) +>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs) + +### Enable Microsoft Defender Antivirus on your Windows client devices + +Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus. + +To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table: + +|Method |What to do | +|---------|---------| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | + +### Confirm that Microsoft Defender Antivirus is in passive mode + +Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table: + +|Method |What to do | +|---------|---------| +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. | + +> [!NOTE] +> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. + +## Add Microsoft Defender ATP to the exclusion list for McAfee + +This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for McAfee and any other security products your organization is using. + +> [!TIP] +> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html). + +The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table: + +|OS |Exclusions | +|--|--| +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
| +|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | + +## Add McAfee to the exclusion list for Microsoft Defender Antivirus + +During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list. + +When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind: +- Path exclusions exclude specific files and whatever those files access. +- Process exclusions exclude whatever a process touches, but does not exclude the process itself. +- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded. +- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) + +You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: + +|Method | What to do| +|--|--| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | + +## Add McAfee to the exclusion list for Microsoft Defender ATP + +To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. + +3. On the **File hashes** tab, choose **Add indicator**. + +3. On the **Indicator** tab, specify the following settings: + - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) + - Under **Expires on (UTC)**, choose **Never**. + +4. On the **Action** tab, specify the following settings: + - **Response Action**: **Allow** + - Title and description + +5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. + +6. On the **Summary** tab, review the settings, and then click **Save**. + +### Find a file hash using CMPivot + +CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview). + +To use CMPivot to get your file hash, follow these steps: + +1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). + +2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). + +3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). + +4. Select the **Query** tab. + +5. In the **Device Collection** list, and choose **All Systems (default)**. + +6. In the query box, type the following query:
+ +```kusto +File(c:\\windows\\notepad.exe) +| project Hash +``` +> [!NOTE] +> In the query above, replace *notepad.exe* with the your third-party security product process name. + +## Set up your device groups, device collections, and organizational units + +| Collection type | What to do | +|--|--| +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | + +## Configure antimalware policies and real-time protection + +Using Configuration Manager and your device collection(s), configure your antimalware policies. + +- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). + +- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). + +> [!TIP] +> You can deploy the policies before your organization's devices on onboarded. + +## Next step + +**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md new file mode 100644 index 0000000000..86914d9a44 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md @@ -0,0 +1,43 @@ +--- +title: Make the switch to Microsoft Defender ATP +description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender ATP +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2020 +ms.prod: w10 +ms.localizationpriority: medium +ms.collection: +- M365-security-compliance +ms.custom: migrationguides +ms.reviewer: chriggs, depicker, yongrhee +f1.keywords: NOCSH +--- + +# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus + +## Migration guides + +If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Defender Antivirus, check out our migration guidance. + +- [McAfee Endpoint Security (McAfee) to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md) + +- [Symantec Endpoint Protection (Symantec) to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md) + +- [Manage Microsoft Defender Advanced Threat Protection, after you've migrated](manage-atp-post-migration.md) + + +## Got feedback? + +Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance. + +## See also + +- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) + +- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) + +- [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md new file mode 100644 index 0000000000..5a3d023354 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md @@ -0,0 +1,355 @@ +--- +title: Onboarding using Microsoft Endpoint Configuration Manager +description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager +keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-endpointprotect +ms.topic: article +--- + +# Onboarding using Microsoft Endpoint Configuration Manager +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Collection creation +To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the +deployment can target either and existing collection or a new collection can be +created for testing. The onboarding like group policy or manual method does +not install any agent on the system. Within the Configuration Manager console +the onboarding process will be configured as part of the compliance settings +within the console. Any system that receives this required configuration will +maintain that configuration for as long as the Configuration Manager client +continues to receive this policy from the management point. Follow the steps +below to onboard systems with Configuration Manager. + +1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. + +  + +2. Right Click **Device Collection** and select **Create Device Collection**. + +  + +3. Provide a **Name** and **Limiting Collection**, then select **Next**. + +  + +4. Select **Add Rule** and choose **Query Rule**. + +  + +5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. + +  + +6. Select **Criteria** and then choose the star icon. + +  + +7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. + +  + +8. Select **Next** and **Close**. + +  + +9. Select **Next**. + +  + +After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. + +## Endpoint detection and response +### Windows 10 +From within the Microsoft Defender Security Center it is possible to download +the '.onboarding' policy that can be used to create the policy in System Center Configuration +Manager and deploy that policy to Windows 10 devices. + +1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). + + + +2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. + +  + +3. Select **Download package**. + +  + +4. Save the package to an accessible location. +5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. + +6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. + +  + +7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. + +  + +8. Click **Browse**. + +9. Navigate to the location of the downloaded file from step 4 above. + +10. Click **Next**. +11. Configure the Agent with the appropriate samples (**None** or **All file types**). + +  + +12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. + +  + +14. Verify the configuration, then click **Next**. + +  + +15. Click **Close** when the Wizard completes. + +16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. + +  + +17. On the right panel, select the previously created collection and click **OK**. + +  + + +### Previous versions of Windows Client (Windows 7 and Windows 8.1) +Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. + +1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. + +2. Under operating system choose **Windows 7 SP1 and 8.1**. + +3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. + +  + +4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: + + - Server SKUs: Windows Server 2008 SP1 or Newer + + - Client SKUs: Windows 7 SP1 and later + + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: + + - Windows 8.1 + + - Windows 7 + + - Windows Server 2016 + + - Windows Server 2012 R2 + + - Windows Server 2008 R2 + + Specifically, for Windows 7 SP1, the following patches must be installed: + + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) + + - Install either [.NET Framework + 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. + +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. + +Once completed, you should see onboarded endpoints in the portal within an hour. + +## Next generation protection +Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. + +  + +2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. + +  + + In certain industries or some select enterprise customers might have specific +needs on how Antivirus is configured. + + + [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) + + For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) + + +  + +  + +  + +  + +  + +  + +  + +  + +3. Right-click on the newly created antimalware policy and select **Deploy**. + +  + +4. Target the new antimalware policy to your Windows 10 collection and click **OK**. + +  + +After completing this task, you now have successfully configured Windows +Defender Antivirus. + +## Attack surface reduction +The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit +Protection. + +All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. + +To set ASR rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + +  + + +2. Select **Attack Surface Reduction**. + + +3. Set rules to **Audit** and click **Next**. + +  + +4. Confirm the new Exploit Guard policy by clicking on **Next**. + +  + + +5. Once the policy is created click **Close**. + +  + + + +6. Right-click on the newly created policy and choose **Deploy**. + +  + +7. Target the policy to the newly created Windows 10 collection and click **OK**. + +  + +After completing this task, you now have successfully configured ASR rules in audit mode. + +Below are additional steps to verify whether ASR rules are correctly applied to +endpoints. (This may take few minutes) + + +1. From a web browser, navigate to.
+
+2. Select **Configuration management** from left side menu.
+
+3. Click **Go to attack surface management** in the Attack surface management panel.
+
+ 
+
+4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
+
+ 
+
+5. Click each device shows configuration details of ASR rules.
+
+ 
+
+See [Optimize ASR rule deployment and
+detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
+
+
+### To set Network Protection rules in Audit mode:
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Network protection**.
+
+3. Set the setting to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Select the policy to the newly created Windows 10 collection and choose **OK**.
+
+ 
+
+After completing this task, you now have successfully configured Network
+Protection in audit mode.
+
+### To set Controlled Folder Access rules in Audit mode:
+
+1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
+
+ 
+
+2. Select **Controlled folder access**.
+
+3. Set the configuration to **Audit** and click **Next**.
+
+ 
+
+4. Confirm the new Exploit Guard Policy by clicking on **Next**.
+
+ 
+
+5. Once the policy is created click on **Close**.
+
+ 
+
+6. Right-click on the newly created policy and choose **Deploy**.
+
+ 
+
+7. Target the policy to the newly created Windows 10 collection and click **OK**.
+
+ 
+
+You have now successfully configured Controlled folder access in audit mode.
+
+## Related topic
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
new file mode 100644
index 0000000000..4070425a77
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-manager.md
@@ -0,0 +1,364 @@
+---
+title: Onboarding using Microsoft Endpoint Manager
+description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Manager
+keywords: onboarding, configuration, deploy, deployment, endpoint manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection:
+- M365-security-compliance
+- m365solution-endpointprotect
+ms.topic: article
+---
+
+# Onboarding using Microsoft Endpoint Manager
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+
+In this section, we will be using Microsoft Endpoint Manager (MEM) to deploy
+Microsoft Defender ATP to your endpoints.
+
+For more information about MEM, check out these resources:
+- [Microsoft Endpoint Manager page](https://docs.microsoft.com/mem/)
+- [Blog post on convergence of Intune and ConfigMgr](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/)
+- [Introduction video on MEM](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace)
+
+
+This process is a multi-step process, you'll need to:
+
+- Identify target devices or users
+
+ - Create an Azure Active Directory group (User or Device)
+
+- Create a Configuration Profile
+
+ - In MEM, we'll guide you in creating a separate policy for each feature
+
+## Resources
+
+
+Here are the links you'll need for the rest of the process:
+
+- [MEM portal](https://aka.ms/memac)
+
+- [Security Center](https://securitycenter.windows.com/)
+
+- [Intune Security baselines](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-defender-atp#microsoft-defender)
+
+## Identify target devices or users
+In this section, we will create a test group to assign your configurations on.
+
+>[!NOTE]
+>Intune uses Azure Active Directory (Azure AD) groups to manage devices and
+users. As an Intune admin, you can set up groups to suit your organizational
+needs.
+> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add). + +### Create a group + +1. Open the MEM portal. + +2. Open **Groups > New Group**. + +  + +3. Enter details and create a new group. + +  + +4. Add your test user or device. + +5. From the **Groups > All groups** pane, open your new group. + +6. Select **Members > Add members**. + +7. Find your test user or device and select it. + +  + +8. Your testing group now has a member to test. + +## Create configuration policies +In the following section, you'll create a number of configuration policies. +First is a configuration policy to select which groups of users or devices will +be onboarded to Microsoft Defender ATP. Then you will continue by creating several +different types of Endpoint security policies. + +### Endpoint detection and response + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Endpoint detection and response**. Click + on **Create Profile**. + +  + +3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection + and response > Create**. + +4. Enter a name and description, then select **Next**. + +  + +5. Select settings as required, then select **Next**. + +  + + >[!NOTE] + >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
+ + +  + +6. Add scope tags if necessary, then select **Next**. + +  + +7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. + +  + +8. Review and accept, then select **Create**. + +  + +9. You can view your completed policy. + +  + +### Next-generation protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Antivirus > Create Policy**. + +  + +3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft + Defender Antivirus > Create**. + +4. Enter name and description, then select **Next**. + +  + +5. In the **Configuration settings page**: Set the configurations you require for + Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time + Protection, and Remediation). + +  + +6. Add scope tags if necessary, then select **Next**. + +  + +7. Select groups to include, assign to your test group, then select **Next**. + +  + +8. Review and create, then select **Create**. + +  + +9. You'll see the configuration policy you created. + +  + +### Attack Surface Reduction – Attack surface reduction rules + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Attack surface reduction**. + +3. Select **Create Policy**. + +4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction + rules > Create**. + +  + +5. Enter a name and description, then select **Next**. + +  + +6. In the **Configuration settings page**: Set the configurations you require for + Attack surface reduction rules, then select **Next**. + + >[!NOTE] + >We will be configuring all of the Attack surface reduction rules to Audit. + + For more information, see [Attack surface reduction rules](attack-surface-reduction.md). + +  + +7. Add Scope Tags as required, then select **Next**. + +  + +8. Select groups to include and assign to test group, then select **Next**. + +  + +9. Review the details, then select **Create**. + +  + +10. View the policy. + +  + +### Attack Surface Reduction – Web Protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Attack surface reduction**. + +3. Select **Create Policy**. + +4. Select **Windows 10 and Later – Web protection > Create**. + +  + +5. Enter a name and description, then select **Next**. + +  + +6. In the **Configuration settings page**: Set the configurations you require for + Web Protection, then select **Next**. + + >[!NOTE] + >We are configuring Web Protection to Block. + + For more information, see [Web Protection](web-protection-overview.md). + +  + +7. Add **Scope Tags as required > Next**. + +  + +8. Select **Assign to test group > Next**. + +  + +9. Select **Review and Create > Create**. + +  + +10. View the policy. + +  + +## Validate configuration settings + + +### Confirm Policies have been applied + + +Once the Configuration policy has been assigned, it will take some time to apply. + +For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy. + +1. Open the MEM portal and navigate to the relevant policy as shown in the + steps above. The following example shows the next generation protection settings. + +  + +2. Select the **Configuration Policy** to view the policy status. + +  + +3. Select **Device Status** to see the status. + +  + +4. Select **User Status** to see the status. + +  + +5. Select **Per-setting status** to see the status. + + >[!TIP] + >This view is very useful to identify any settings that conflict with another policy. + +  + +### Endpoint detection and response + + +1. Before applying the configuration, the Microsoft Defender ATP + Protection service should not be started. + +  + +2. After the configuration has been applied, the Microsoft Defender ATP + Protection Service should be started. + +  + +3. After the services are running on the device, the device appears in Microsoft + Defender Security Center. + +  + +### Next-generation protection + +1. Before applying the policy on a test device, you should be able to manually + manage the settings as shown below. + +  + +2. After the policy has been applied, you should not be able to manually manage + the settings. + + >[!NOTE] + > In the following image **Turn on cloud-delivered protection** and + **Turn on real-time protection** are being shown as managed. + +  + +### Attack Surface Reduction – Attack surface reduction rules + + +1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`. + +2. This should respond with the following lines with no content: + + AttackSurfaceReductionOnlyExclusions: + + AttackSurfaceReductionRules_Actions: + + AttackSurfaceReductionRules_Ids: + +  + +3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. + +4. This should respond with the following lines with content as shown below: + +  + +### Attack Surface Reduction – Web Protection + +1. On the test device, open a PowerShell Windows and type + `(Get-MpPreference).EnableNetworkProtection`. + +2. This should respond with a 0 as shown below. + +  + +3. After applying the policy, open a PowerShell Windows and type + `(Get-MpPreference).EnableNetworkProtection`. + +4. This should respond with a 1 as shown below. + +  diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 79394ceaf0..734f99dee0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -51,343 +51,21 @@ You are currently in the onboarding phase. -To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. +To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. -The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment. +Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. -This article will guide you on: -- Setting up Microsoft Endpoint Configuration Manager +After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. + + +This article provides resources to guide you on: +- Using various management tools to onboard devices + - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) + - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration -## Onboarding using Microsoft Endpoint Configuration Manager -### Collection creation -To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the -deployment can target either and existing collection or a new collection can be -created for testing. The onboarding like group policy or manual method does -not install any agent on the system. Within the Configuration Manager console -the onboarding process will be configured as part of the compliance settings -within the console. Any system that receives this required configuration will -maintain that configuration for as long as the Configuration Manager client -continues to receive this policy from the management point. Follow the steps -below to onboard systems with Configuration Manager. - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - -  - -2. Right Click **Device Collection** and select **Create Device Collection**. - -  - -3. Provide a **Name** and **Limiting Collection**, then select **Next**. - -  - -4. Select **Add Rule** and choose **Query Rule**. - -  - -5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - -  - -6. Select **Criteria** and then choose the star icon. - -  - -7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. - -  - -8. Select **Next** and **Close**. - -  - -9. Select **Next**. - -  - -After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. - -## Endpoint detection and response -### Windows 10 -From within the Microsoft Defender Security Center it is possible to download -the '.onboarding' policy that can be used to create the policy in System Center Configuration -Manager and deploy that policy to Windows 10 devices. - -1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). - - - -2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. - -  - -3. Select **Download package**. - -  - -4. Save the package to an accessible location. -5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. - -6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - -  - -7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - -  - -8. Click **Browse**. - -9. Navigate to the location of the downloaded file from step 4 above. - -10. Click **Next**. -11. Configure the Agent with the appropriate samples (**None** or **All file types**). - -  - -12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. - -  - -14. Verify the configuration, then click **Next**. - -  - -15. Click **Close** when the Wizard completes. - -16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. - -  - -17. On the right panel, select the previously created collection and click **OK**. - -  - - -### Previous versions of Windows Client (Windows 7 and Windows 8.1) -Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. - -1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. - -2. Under operating system choose **Windows 7 SP1 and 8.1**. - -3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. - -  - -4. Install the Microsoft Monitoring Agent (MMA).
- MMA is currently (as of January 2019) supported on the following Windows Operating - Systems: - - - Server SKUs: Windows Server 2008 SP1 or Newer - - - Client SKUs: Windows 7 SP1 and later - - The MMA agent will need to be installed on Windows devices. To install the - agent, some systems will need to download the [Update for customer experience - and diagnostic - telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - in order to collect the data with MMA. These system versions include but may not - be limited to: - - - Windows 8.1 - - - Windows 7 - - - Windows Server 2016 - - - Windows Server 2012 R2 - - - Windows Server 2008 R2 - - Specifically, for Windows 7 SP1, the following patches must be installed: - - - Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - - - Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. - -Once completed, you should see onboarded endpoints in the portal within an hour. - -## next-generation protection -Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. - -  - -2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. - -  - - In certain industries or some select enterprise customers might have specific -needs on how Antivirus is configured. - - - [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) - - For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) - - -  - -  - -  - -  - -  - -  - -  - -  - -3. Right-click on the newly created antimalware policy and select **Deploy**. - -  - -4. Target the new antimalware policy to your Windows 10 collection and click **OK**. - -  - -After completing this task, you now have successfully configured Windows -Defender Antivirus. - -## Attack surface reduction -The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit -Protection. - -All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. - -To set ASR rules in Audit mode: - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - -  - - -2. Select **Attack Surface Reduction**. - - -3. Set rules to **Audit** and click **Next**. - -  - -4. Confirm the new Exploit Guard policy by clicking on **Next**. - -  - - -5. Once the policy is created click **Close**. - -  - - - -6. Right-click on the newly created policy and choose **Deploy**. - -  - -7. Target the policy to the newly created Windows 10 collection and click **OK**. - -  - -After completing this task, you now have successfully configured ASR rules in audit mode. - -Below are additional steps to verify whether ASR rules are correctly applied to -endpoints. (This may take few minutes) - - -1. From a web browser, navigate to.
-
-2. Select **Configuration management** from left side menu.
-
-3. Click **Go to attack surface management** in the Attack surface management panel.
-
- 
-
-4. Click **Configuration** tab in Attack surface reduction rules reports. It shows ASR rules configuration overview and ASR rules status on each devices.
-
- 
-
-5. Click each device shows configuration details of ASR rules.
-
- 
-
-See [Optimize ASR rule deployment and
-detections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr) for more details.
-
-
-### To set Network Protection rules in Audit mode:
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-2. Select **Network protection**.
-
-3. Set the setting to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard Policy by clicking **Next**.
-
- 
-
-5. Once the policy is created click on **Close**.
-
- 
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Select the policy to the newly created Windows 10 collection and choose **OK**.
-
- 
-
-After completing this task, you now have successfully configured Network
-Protection in audit mode.
-
-### To set Controlled Folder Access rules in Audit mode:
-
-1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**.
-
- 
-
-2. Select **Controlled folder access**.
-
-3. Set the configuration to **Audit** and click **Next**.
-
- 
-
-4. Confirm the new Exploit Guard Policy by clicking on **Next**.
-
- 
-
-5. Once the policy is created click on **Close**.
-
- 
-
-6. Right-click on the newly created policy and choose **Deploy**.
-
- 
-
-7. Target the policy to the newly created Windows 10 collection and click **OK**.
-
- 
-
-You have now successfully configured Controlled folder access in audit mode.
-
+## Related topics
+- [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md)
+- [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md b/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
deleted file mode 100644
index dd83d08373..0000000000
--- a/windows/security/threat-protection/microsoft-defender-atp/powerbi-reports.md
+++ /dev/null
@@ -1,213 +0,0 @@
----
-title: Create and build Power BI reports using Microsoft Defender ATP data connectors
-description: Get security insights by creating and building Power BI dashboards using data from Microsoft Defender ATP and other data sources.
-keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors, security insights, mashup
-search.product: eADQiWindows 10XVcnh
-search.appverid: met150
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: mjcaparas
-ms.author: macapara
-ms.localizationpriority: medium
-manager: dansimp
-audience: ITPro
-ms.collection: M365-security-compliance
-ms.topic: article
----
-
-
-# Create and build Power BI reports using Microsoft Defender ATP data connectors (Deprecated)
-
-**Applies to:**
-- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
-
-
->[!WARNING]
->This connector is being deprecated, learn how to [Create Power-BI reports using Microsoft Defender ATP APIs](api-power-bi.md).
-
-
-> Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-powerbireports-abovefoldlink)
-
-Understand the security status of your organization, including the status of devices, alerts, and investigations using the Microsoft Defender ATP reporting feature that integrates with Power BI.
-
-Microsoft Defender ATP supports the use of Power BI data connectors to enable you to connect and access Microsoft Defender ATP data using Microsoft Graph.
-
-Data connectors integrate seamlessly in Power BI, and make it easy for power users to query, shape and combine data to build reports and dashboards that meet the needs of your organization.
-
-You can easily get started by:
-- Creating a dashboard on the Power BI service
-- Building a custom dashboard on Power BI Desktop and tweaking it to fit the visual analytics and reporting requirements of your organization
-
-You can access these options from Microsoft Defender Security Center. Both the Power BI service and Power BI Desktop are supported.
-
-## Create a Microsoft Defender ATP dashboard on Power BI service
-Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal.
-
-1. In the navigation pane, select **Settings** > **General** > **Power BI reports**.
-
-2. Click **Create dashboard**.
-
- 
-
- You'll see a notification that things are being loaded.
-
- 
-
- >[!NOTE]
- >Loading your data in the Power BI service can take a few minutes.
-
-3. Specify the following details:
- - **extensionDataSourceKind**: WDATPConnector
- - **extensionDataSourcePath**: WDATPConnector
- - **Authentication method**: OAuth2
-
- 
-
-4. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
-
- 
-
-5. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
-
- 
-
- >[!NOTE]
- >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load.
-
- When importing data is completed and the dataset is ready, you’ll the following notification:
-
- 
-
-6. Click **View dataset** to explore your data.
-
-
-For more information, see [Create a Power BI dashboard from a report](https://powerbi.microsoft.com/en-us/documentation/powerbi-service-create-a-dashboard/).
-
-## Create a Power BI dashboard from the Power BI portal
-
-1. Login to [Power BI](https://powerbi.microsoft.com/).
-
-2. Click **Get Data**.
-
-3. Select **Microsoft AppSource** > **My Organization** > **Get**.
-
- 
-
-4. In the AppSource window, select **Apps** and search for Microsoft Defender Advanced Threat Protection.
-
- 
-
-5. Click **Get it now**.
-
-6. Specify the following details:
- - **extensionDataSourceKind**: WDATPConnector
- - **extensionDataSourcePath**: WDATPConnector
- - **Authentication method**: OAuth2
-
- 
-
-7. Click **Sign in**. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, access your data, and be used for report refresh.
-
- 
-
-8. Click **Accept**. Power BI service will start downloading your Microsoft Defender ATP data from Microsoft Graph. After a successful login, you'll see a notification that data is being imported:
-
- 
-
- >[!NOTE]
- >Depending on the number of onboarded devices, loading your data in the Power BI service can take several minutes. A larger number of devices might take longer to load.
-
- When importing data is completed and the dataset is ready, you’ll the following notification:
-
- 
-
-9. Click **View dataset** to explore your data.
-
-
-## Build a custom Microsoft Defender ATP dashboard in Power BI Desktop
-You can create a custom dashboard in Power BI Desktop to create visualizations that cater to the specific views that your organization requires.
-
-### Before you begin
-1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/).
-
-2. In the Microsoft Defender Security Center navigation pane, select **Settings** > **Power BI reports**.
-
- 
-
-3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it.
-
- 
-
-4. Create a new directory `[Documents]\Power BI Desktop\Custom Connectors`.
-
-5. Copy WDATPDataConnector.mez from the zip to the directory you just created.
-
-6. Open Power BI Desktop.
-
-7. Click **File** > **Options and settings** > **Custom data connectors**.
-
-8. Select **New table and matrix visuals** and **Custom data connectors** and click **OK**.
-
- > [!NOTE]
- > If you plan on using Custom Connectors or connectors that you or a third party has developed, you must select *(Not Recommended) Allow any extension to load without warning* under **Power BI Desktop** > **File** > **Options and settings** > **Options** > **Security** > **Data Extensions**".
-
- >[!NOTE]
- >If you are using Power BI Desktop July 2017 version (or later), you won't need to select **New table and matrix visuals**. You'll only need to select **Custom data connectors**.
-
- 
-
-9. Restart Power BI Desktop.
-
-## Customize the Microsoft Defender ATP Power BI dashboard
-After completing the steps in the Before you begin section, you can proceed with building your custom dashboard.
-
-1. Open WDATPPowerBI.pbit from the zip with Power BI Desktop.
-
-2. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
-
- 
-
-3. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
-
-
-
-## Mashup Microsoft Defender ATP data with other data sources
-You can use Power BI Desktop to analyze data from Microsoft Defender ATP and mash that data up with other data sources to gain better security perspective in your organization.
-
-1. In Power BI Desktop, in the Home ribbon, click **Get data** and search for **Microsoft Defender Advanced Threat Protection**.
-
-2. Click **Connect**.
-
-3. On the Preview Connector windows, click **Continue**.
-
-4. If this is the first time you’re using Power BI with Microsoft Defender ATP, you’ll need to sign in and give consent to Microsoft Defender ATP Power BI app. By providing consent, you’re allowing Microsoft Defender ATP Power BI to sign in and read your profile, and access your data.
-
- 
-
-5. Click **Accept**. Power BI Desktop will start downloading your Microsoft Defender ATP data from Microsoft Graph. When all data has been downloaded, you can proceed to customize your reports.
-
-6. In the Navigator dialog box, select the Microsoft Defender ATP feeds you'd like to download and use in your reports and click Load. Data will start to be downloaded from the Microsoft Graph.
-
-7. Load other data sources by clicking **Get data item** in the Home ribbon, and select another data source.
-
-8. Add visuals and select fields from the available data sources.
-
-## Using the Power BI reports
-There are a couple of tabs on the report that's generated:
-
-- Device and alerts
-- Investigation results and action center
-- Secure Score
-
-In general, if you know of a specific threat name, CVE, or KB, you can identify devices with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether device-level mitigations are configured correctly on the devices and prioritize those that might need attention.
-
-
-## Related topic
-- [Create custom Power BI reports](api-power-bi.md)
-
-
-
-
-
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
index 5aef332edd..eab6ea72ec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview-settings.md
@@ -37,5 +37,4 @@ Turn on the preview experience setting to be among the first to try upcoming fea
- [Turn on advanced features in Microsoft Defender ATP](advanced-features.md)
- [Configure email notifications in Microsoft Defender ATP](configure-email-notifications.md)
- [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md)
-- [Enable the custom threat intelligence API in Microsoft Defender ATP](enable-custom-ti.md)
-- [Create and build Power BI reports](powerbi-reports.md)
+
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 2586120da8..1963e74ca8 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -70,8 +70,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr
- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. -- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md index 9e26a9fef5..119fa1005e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -1,6 +1,6 @@ --- title: Migrate from Symantec to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: Get an overview of how to make the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,10 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate - m365solution-overview -ms.topic: article +ms.topic: conceptual +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec to Microsoft Defender Advanced Threat Protection @@ -40,7 +43,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m | Feature/Capability | Description | |---|---| -| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | | [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | | [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | | [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index 6c7c329a2e..ef82adfcff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -1,6 +1,6 @@ --- title: Phase 3 - Onboard to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: This is Phase 3, Onboarding, of making the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index 2a678e94e4..e110562968 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -1,6 +1,6 @@ --- title: Phase 1 - Prepare for your migration to Microsoft Defender ATP -description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration. +description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender ATP. keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 1: Prepare for your migration diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index a3c0638d1e..2c6253d565 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -1,6 +1,6 @@ --- -title: Phase 2 - Set up Microsoft Defender ATP -description: Phase 2 - Set up Microsoft Defender ATP +title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up +description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP @@ -102,7 +105,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 11aa392b29..af31192f3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -55,7 +55,7 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- **Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. [**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index cc9c36fae9..2c2ed8bfbc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -76,10 +76,18 @@ To add a new policy: 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. 5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. + >[!NOTE] >If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment. ->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. +### Allow specific websites + +It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question. + +1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item** +2. Enter the domain of the site +3. Set the policy action to **Allow**. ## Web content filtering cards and details
August-2020 (Platform: 4.18.2008.3 | Engine: 1.1.17400.5)
+August-2020 (Platform: 4.18.2008.9 | Engine: 1.1.17400.5)
Security intelligence update version: **1.323.9.0** Released: **August 27, 2020** - Platform: **4.18.2008.3** + Platform: **4.18.2008.9** Engine: **1.1.17400.5** Support phase: **Security and Critical Updates** @@ -72,6 +76,7 @@ All our updates contain: * Improved scan event telemetry * Improved behavior monitoring for memory scans * Improved macro streams scanning +* Added "AMRunningMode" to Get-MpComputerStatus Powershell CmdLet ### Known Issues No known issues diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md index 35f40da2a5..52b3bb034e 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.md @@ -4,4 +4,5 @@ ## [Install WDAG](install-md-app-guard.md) ## [Configure WDAG policies](configure-md-app-guard.md) ## [Test scenarios](test-scenarios-md-app-guard.md) +## [Microsoft Defender Application Guard Extension](md-app-guard-browser-extension.md) ## [FAQ](faq-md-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png new file mode 100644 index 0000000000..4ad77f8a06 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png new file mode 100644 index 0000000000..25e3ef533b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png new file mode 100644 index 0000000000..779f647b33 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png differ diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md new file mode 100644 index 0000000000..d01a2ef115 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md @@ -0,0 +1,98 @@ +--- +title: Microsoft Defender Application Guard Extension +description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: martyav +ms.author: v-maave +ms.date: 06/12/2020 +ms.reviewer: +manager: dansimp +ms.custom: asr +--- + +# Microsoft Defender Application Guard Extension + +**Applies to:** + +- Windows 10 + +[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). + +[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers. + +> [!TIP] +> Application Guard, by default, offers [native support](https://docs.microsoft.com/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them. + +Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected. + +## Prerequisites + +Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later: + +- Windows 10 Professional +- Windows 10 Enterprise +- Windows 10 Education + +Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already. + +## Installing the extension + +Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries. + +Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place. + +From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode. + +1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/). +1. Install the [Windows Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer. +1. Restart the device. + +### Recommended browser group policies + +Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings. + +#### Chrome policies + +These policies can be found along the filepath, *Software\Policies\Google\Chrome\\*, with each policy name corresponding to the file name (e.g., IncognitoModeAvailability is located at *Software\Policies\Google\Chrome\IncognitoModeAvailability*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled`1` = Disabled
`2` = Forced (i.e. forces pages to only open in Incognito mode) | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. +[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled
`true`, `1`, or not configured = Enabled | Disabled | This policy allows users to login as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. +[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled
`true` or `1` = Enabled
**Note:** If this policy is not set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. +[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension. + +#### Firefox policies + +These policies can be found along the filepath, *Software\Policies\Mozilla\Firefox\\*, with each policy name corresponding to the file name (e.g., DisableSafeMode is located at *Software\Policies\Mozilla\Firefox\DisableSafeMode*). + +Policy name | Values | Recommended setting | Reason +-|-|-|- +[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled
`true` or `1` = Safe mode is disabled | True (i.e. the policy is enabled and Safe mode is *not* allowed to run) | Safe mode can allow users to circumvent Application Guard +[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to *about:config* is allowed
`true` or `1` = User access to *about:config* is not allowed | True (i.e. the policy is enabled and access to about:config is *not* allowed) | *About:config* is a special page within Firefox that offers control over many settings that may compromise security +[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions (these can be found by searching `extensions.webextensions.uuids` within the about:config page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user cannot disable or uninstall it. + +## Troubleshooting guide + + + +Error message | Cause | Actions +-|-|- +Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser +ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation +Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser 2. Check for updates in both the Microsoft store and the respective web store for the affected browser +Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Retry the operation +Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and re-install the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser +Protocol out of sync | The extension and native app cannot communicate with each other. This is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser +Security patch level does not match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser +Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) 2. Check if Edge is working 3. Retry the operation + +## Related articles + +- [Microsoft Defender Application Guard overview](md-app-guard-overview.md) +- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 9a278e3b9b..67723aa1a3 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -18,7 +18,7 @@ ms.custom: asr **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? @@ -42,10 +42,11 @@ Application Guard has been created to target several types of systems: ## Related articles -|Article |Description | -|------|------------| +|Article | Description | +|--------|-------------| |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| +| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a trouble-shooting guide | |[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index e2a6d3e0ec..9fb1380e27 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -15,36 +15,34 @@ ms.custom: asr # Application Guard testing scenarios +**Applies to:** -**Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. - ## Application Guard in standalone mode You can see how an employee would use standalone mode with Application Guard. ### To test Application Guard in Standalone mode -1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). +1. [Install Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). 2. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.  - + 3. Wait for Application Guard to set up the isolated environment. >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. - + >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.  -## Application Guard in Enterprise-managed mode +## Application Guard in Enterprise-managed mode How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode. @@ -59,7 +57,7 @@ Before you can use Application Guard in enterprise mode, you must install Window 3. Set up the Network Isolation settings in Group Policy: a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**. - + b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box. @@ -81,14 +79,14 @@ Before you can use Application Guard in enterprise mode, you must install Window >[!NOTE] >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. -6. Start Microsoft Edge and type www.microsoft.com. - +6. Start Microsoft Edge and type *https://www.microsoft.com*. + After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.  7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists. - + After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.  @@ -108,6 +106,7 @@ Application Guard provides the following default behavior for your employees: You have the option to change each of these settings to work with your enterprise from within Group Policy. **Applies to:** + - Windows 10 Enterprise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 @@ -116,24 +115,24 @@ You have the option to change each of these settings to work with your enterpris 1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**. 2. Click **Enabled** and click **OK**. - +  3. Choose how the clipboard works: - + - Copy and paste from the isolated session to the host PC - + - Copy and paste from the host PC to the isolated session - + - Copy and paste both directions 4. Choose what can be copied: - - - **1.** Only text can be copied between the host PC and the isolated container. - - **2.** Only images can be copied between the host PC and the isolated container. + - Only text can be copied between the host PC and the isolated container. - - **3.** Both text and images can be copied between the host PC and the isolated container. + - Only images can be copied between the host PC and the isolated container. + + - Both text and images can be copied between the host PC and the isolated container. 5. Click **OK**. @@ -156,21 +155,26 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**.  - + 3. Open Microsoft Edge and browse to an untrusted, but safe URL. - The website opens in the isolated session. + The website opens in the isolated session. 4. Add the site to your **Favorites** list and then close the isolated session. -5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +5. Log out and back on to your device, opening Microsoft Edge in Application Guard again. The previously added site should still appear in your **Favorites** list. - >[!NOTE] - >If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.
If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. - + > [!NOTE] + > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10. + > + > If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. + > + > **To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data. + **Applies to:** + - Windows 10 Enterprise edition, version 1803 - Windows 10 Professional edition, version 1803 @@ -181,10 +185,10 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**.  - + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Download a file from Microsoft Defender Application Guard. +4. Download a file from Microsoft Defender Application Guard. 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. @@ -195,12 +199,13 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**.  - -3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Assess the visual experience and battery performance. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. + +4. Assess the visual experience and battery performance. **Applies to:** + - Windows 10 Enterprise edition, version 1809 - Windows 10 Professional edition, version 1809 @@ -210,11 +215,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, set **Options** to 2, and click **OK**. -  - +  + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open a file in Edge, such an Office 365 file. +4. Open a file in Edge, such an Office 365 file. 5. Check to see that an antivirus scan completed before the file was opened. @@ -224,11 +229,11 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled** and click **OK**. -  - +  + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. -4. Open an application with video or audio capability in Edge. +4. Open an application with video or audio capability in Edge. 5. Check that the camera and microphone work as expected. @@ -238,7 +243,20 @@ You have the option to change each of these settings to work with your enterpris 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. -  - +  + 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. +## Application Guard Extension for third-party web browsers + +The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer. + +Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios. + +1. Open either Firefox or Chrome — whichever browser you have the extension installed on. +1. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. +  +1. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. +  +1. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window** +  diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index d5802d8faf..96506eaa8d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -198,4 +198,4 @@ After configuring the [Security policy violation indicators](https://docs.micros - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md index e605898b2f..893c9a3eaa 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md @@ -95,5 +95,4 @@ This section lists various issues that you may encounter when using email notifi ## Related topics - [Update data retention settings](data-retention-settings.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md index 9cc9cb48ba..861f8c6cd2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/data-retention-settings.md @@ -50,5 +50,4 @@ You can verify the data location by navigating to **Settings** > **Data retentio ## Related topics - [Update data retention settings](data-retention-settings.md) - [Configure alert notifications in Microsoft Defender ATP](configure-email-notifications.md) -- [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md) - [Configure advanced features](advanced-features.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx index 84b5f2a664..bd35122350 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx and b/windows/security/threat-protection/microsoft-defender-atp/downloads/mdatp-urls.xlsx differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index f081c6ad4a..b54b1ac8a7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -1,6 +1,6 @@ --- -title: Turning on network protection -description: Enable Network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. +title: Turn on network protection +description: Enable network protection with Group Policy, PowerShell, or Mobile Device Management and Configuration Manager. keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -14,7 +14,7 @@ ms.reviewer: manager: dansimp --- -# Turning on network protection +# Turn on network protection **Applies to:** @@ -22,6 +22,8 @@ manager: dansimp [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it. +[Learn more about network filtering configuration options](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-windows-10#network-filtering) + ## Check if network protection is enabled Check if network protection has been enabled on a local device by using Registry editor. @@ -40,9 +42,8 @@ Check if network protection has been enabled on a local device by using Registry Enable network protection by using any of these methods: * [PowerShell](#powershell) -* [Microsoft Intune](#intune) * [Mobile Device Management (MDM)](#mobile-device-management-mdm) -* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) +* [Microsoft Endpoint Manager / Intune](#microsoft-endpoint-manager-formerly-intune) * [Group Policy](#group-policy) ### PowerShell @@ -62,41 +63,17 @@ Enable network protection by using any of these methods: Use `Disabled` instead of `AuditMode` or `Enabled` to turn off the feature. -### Intune - -1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. - -2. Go to **Device configuration** > **Profiles** > **Create profile**. - -3. Name the profile, choose **Windows 10 and later** and **Endpoint protection**. - -  - -4. Select **Configure** > **Windows Defender Exploit Guard** > **Network filtering** > **Enable**. - -  - -5. Select **OK** to save each open section and **Create**. - -6. Select the profile called **Assignments**, assign to **All Users & All Devices**, and **Save**. - -### Mobile Device Management (MDM) +### Mobile device management (MDM) Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. -## Microsoft Endpoint Configuration Manager +### Microsoft Endpoint Manager (formerly Intune) -1. In Microsoft Endpoint Configuration Manager, go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**. +1. Sign into the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) -2. Then go to **Home** > **Create Exploit Guard Policy**. +2. Create or edit an [endpoint protection configuration profile](https://docs.microsoft.com/mem/intune/protect/endpoint-protection-configure) -3. Enter a name and a description, select **Network protection**, and then **Next**. - -4. Choose whether to block or audit access to suspicious domains and select **Next**. - -5. Review the settings and select **Next** to create the policy. - -6. After the policy is created, **Close**. +3. Under "Configuration Settings" in the profile flow, go to **Microsoft Defender Exploit Guard** > **Network filtering** > **Network protection** > **Enable** or **Audit only** ### Group Policy @@ -112,6 +89,9 @@ Use the following procedure to enable network protection on domain-joined comput 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. +> [!NOTE] +> On older versions of Windows, the group policy path may say "Windows Defender Antivirus" instead of "Microsoft Defender Antivirus." + 4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following options: * **Block** - Users can't access malicious IP addresses and domains * **Disable (Default)** - The Network protection feature won't work. Users won't be blocked from accessing malicious domains diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png new file mode 100644 index 0000000000..e1003dbe5c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/149cbfdf221cdbde8159d0ab72644cd0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png new file mode 100644 index 0000000000..d631a23a7a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/165b9d4795388ab8481a2e6228fdefc0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png new file mode 100644 index 0000000000..624db40b02 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/18a50df62cc38749000dbfb48e9a4c9b.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png new file mode 100644 index 0000000000..00757fde1a Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/196a8e194ac99d84221f405d0f684f8c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png new file mode 100644 index 0000000000..3222b1f66d Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2055e4f9b9141525c0eb681e7ba19381.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png new file mode 100644 index 0000000000..8979120d8f Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2466460812371ffae2d19a10c347d6f4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png new file mode 100644 index 0000000000..6b378bc697 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/289172dbd7bd34d55d24810d9d4d8158.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png new file mode 100644 index 0000000000..ac2634f33b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/2c2e87c5fedc87eba17be0cdeffdb17f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png new file mode 100644 index 0000000000..157e426bc0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/38180219e632d6e4ec7bd25a46398da8.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png new file mode 100644 index 0000000000..32a776aef9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/3840b1576d6f79a1d72eb14760ef5e8c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png new file mode 100644 index 0000000000..9f4126d345 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/42acc69d0128ed09804010bdbdf0a43c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png new file mode 100644 index 0000000000..6ffdab3e67 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/43ab6aa74471ee2977e154a4a5ef2d39.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png new file mode 100644 index 0000000000..7f542a3c8c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/45cefc8e4e474321b4d47b4626346597.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png new file mode 100644 index 0000000000..d0679c71a7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/48318a51adee06bff3908e8ad4944dc9.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png new file mode 100644 index 0000000000..2f6d99294b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/4e965749ff71178af8873bc91f9fe525.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png new file mode 100644 index 0000000000..88682c78a0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/522d9bb4288dc9c1a957392b51384fdd.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png new file mode 100644 index 0000000000..ca1ff72715 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/55ecaca0e4a022f0e29d45aeed724e6c.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png new file mode 100644 index 0000000000..72a6a9e334 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/58dcd48811147feb4ddc17212b7fe840.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png new file mode 100644 index 0000000000..5e7cf47523 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5a568b6878be8243ea2b9d82d41ed297.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png new file mode 100644 index 0000000000..026b643022 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/5be573a60cd4fa56a86a6668b62dd808.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png new file mode 100644 index 0000000000..2775ac9cda Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6104aa33a56fab750cf30ecabef9f5b6.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png new file mode 100644 index 0000000000..fa53f0826c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/619fb877791b1fc8bc7dfae1a579043d.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png new file mode 100644 index 0000000000..d4fd512845 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/66f724598d9c3319cba27f79dd4617a4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png new file mode 100644 index 0000000000..8db6715ccd Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6b728d6e0d71108d768e368b416ff8ba.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png new file mode 100644 index 0000000000..24eede07b8 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/6daa8d347c98fe94a0d9c22797ff6f28.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png new file mode 100644 index 0000000000..2159bbe1ad Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/7a631d17cc42500dacad4e995823ffef.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png new file mode 100644 index 0000000000..7935e15763 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/88efb4c3710493a53f2840c3eac3e3d3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png new file mode 100644 index 0000000000..82c5aa9d19 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/8ee0405f1a96c23d2eb6f737f11c1ae5.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png new file mode 100644 index 0000000000..41be549fd6 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/9341428b2d3164ca63d7d4eaa5cff642.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png new file mode 100644 index 0000000000..be6531a2f0 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5a71fd73ec389f3cdce6d1a6bd1ff31.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png new file mode 100644 index 0000000000..2111e5ee9c Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a5b2d23bdd50b160fef4afd25dda28d4.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png new file mode 100644 index 0000000000..f0d844cbf7 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a621b699899f1b41db211170074ea59e.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png new file mode 100644 index 0000000000..696a84fc1b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/a7d738dd4509d65407b7d12beaa3e917.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png new file mode 100644 index 0000000000..feff40a8fa Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b1e0206d675ad07db218b63cd9b9abc3.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png new file mode 100644 index 0000000000..1b3302994b Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/b418a232a12b3d0a65fc98248dbb0e31.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png new file mode 100644 index 0000000000..b7a63ecc3e Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/c06fa3bbc2f70d59dfe1e106cd9a4683.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png new file mode 100644 index 0000000000..7c2c572329 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cb0260d4b2636814e37eee427211fe71.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png new file mode 100644 index 0000000000..2b44054fc5 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cd7b5a1cbc16cc05f878cdc99ba4c27f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png new file mode 100644 index 0000000000..85d6d6dd51 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/cea7e288b5d42a9baf1aef0754ade910.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png new file mode 100644 index 0000000000..e49c575125 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dd0c00efe615a64a4a368f54257777d0.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png new file mode 100644 index 0000000000..2dd6492036 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/df0c64001b9219cfbd10f8f81a273190.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png new file mode 100644 index 0000000000..912ae2f634 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/dfdadab79112d61bd3693d957084b0ec.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png new file mode 100644 index 0000000000..741d4af9b9 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/e74f6f6c150d017a286e6ed3dffb7757.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png new file mode 100644 index 0000000000..a588c74aae Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/ef844f52ec2c0d737ce793f68b5e8408.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png new file mode 100644 index 0000000000..835c7fbd32 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-atp/images/fc3525e20752da026ec9f46ab4fec64f.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md new file mode 100644 index 0000000000..1a7490d88e --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-terms.md @@ -0,0 +1,226 @@ +--- +title: Microsoft Defender ATP for iOS Application license terms +ms.reviewer: +description: Describes the Microsoft Defender ATP for iOS license terms +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: sunasing +author: sunasing +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +hideEdit: true +--- + +# Microsoft Defender ATP for iOS application license terms + +## MICROSOFT APPLICATION LICENSE TERMS: MICROSOFT DEFENDER ATP + +These license terms ("Terms") are an agreement between Microsoft Corporation (or +based on where you live, one of its affiliates) and you. Please read them. They +apply to the application named above. These Terms also apply to any Microsoft + +- updates, + +- supplements, + +- Internet-based services, and + +- support services + +for this application, unless other terms accompany those items. If so, those +terms apply. + +**BY USING THE APPLICATION, YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THEM, +DO NOT USE THE APPLICATION.** + +**If you comply with these Terms, you have the perpetual rights below.** + +1. **INSTALLATION AND USE RIGHTS.** + + 1. **Installation and Use.** You may install and use any number of copies + of this application on iOS enabled device or devices which you own + or control. You may use this application with your company's valid + subscription of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) or + an online service that includes MDATP functionalities. + + 2. **Updates.** Updates or upgrades to MDATP may be required for full + functionality. Some functionality may not be available in all countries. + + 3. **Third Party Programs.** The application may include third party + programs that Microsoft, not the third party, licenses to you under this + agreement. Notices, if any, for the third-party program are included for + your information only. + +2. **INTERNET ACCESS MAY BE REQUIRED.** You may incur charges related to + Internet access, data transfer and other services per the terms of the data + service plan and any other agreement you have with your network operator due + to use of the application. You are solely responsible for any network + operator charges. + +3. **INTERNET-BASED SERVICES.** Microsoft provides Internet-based services with + the application. It may change or cancel them at any time. + + 1. Consent for Internet-Based or Wireless Services. The application may + connect to Internet-based wireless services. Your use of the application + operates as your consent to the transmission of standard device + information (including but not limited to technical information about + your device, system and application software, and peripherals) for + Internet-based or wireless services. If other terms are provided in + connection with your use of the services, those terms also apply. + + - Data. Some online services require, or may be enhanced by, the + installation of local software like this one. At your, or your + admin's direction, this software may send data from a device to or + from an online service. + + - Usage Data. Microsoft automatically collects usage and performance + data over the internet. This data will be used to provide and + improve Microsoft products and services and enhance your experience. + You may limit or control collection of some usage and performance + data through your device settings. Doing so may disrupt your use of + certain features of the application. For additional information on + Microsoft's data collection and use, see the [Online Services + Terms](https://go.microsoft.com/fwlink/?linkid=2106777). + + 2. Misuse of Internet-based Services. You may not use any Internet-based + service in any way that could harm it or impair anyone else's use of it + or the wireless network. You may not use the service to try to gain + unauthorized access to any service, data, account or network by any + means. + +4. **FEEDBACK.** If you give feedback about the application to Microsoft, you + give to Microsoft, without charge, the right to use, share and commercialize + your feedback in any way and for any purpose. You also give to third + parties, without charge, any patent rights needed for their products, + technologies and services to use or interface with any specific parts of a + Microsoft software or service that includes the feedback. You will not give + feedback that is subject to a license that requires Microsoft to license its + software or documentation to third parties because we include your feedback + in them. These rights survive this agreement. + +5. **SCOPE OF LICENSE.** The application is licensed, not sold. This agreement + only gives you some rights to use the application. Microsoft reserves all + other rights. Unless applicable law gives you more rights despite this + limitation, you may use the application only as expressly permitted in this + agreement. In doing so, you must comply with any technical limitations in + the application that only allow you to use it in certain ways. You may not + + - work around any technical limitations in the application; + + - reverse engineer, decompile or disassemble the application, except and + only to the extent that applicable law expressly permits, despite this + limitation; + + - make more copies of the application than specified in this agreement or + allowed by applicable law, despite this limitation; + + - publish the application for others to copy; + + - rent, lease or lend the application; or + + - transfer the application or this agreement to any third party. + +6. **EXPORT RESTRICTIONS.** The application is subject to United States export + laws and regulations. You must comply with all domestic and international + export laws and regulations that apply to the application. These laws + include restrictions on destinations, end users and end use. For additional + information, + see [www.microsoft.com/exporting](https://www.microsoft.com/exporting). + +7. **SUPPORT SERVICES.** Because this application is "as is," we may not + provide support services for it. If you have any issues or questions about + your use of this application, including questions about your company's + privacy policy, please contact your company's admin. Do not contact the + application store, your network operator, device manufacturer, or Microsoft. + The application store provider has no obligation to furnish support or + maintenance with respect to the application. + +8. **APPLICATION STORE.** + + 1. If you obtain the application through an application store (e.g., App + Store), please review the applicable application store terms to ensure + your download and use of the application complies with such terms. + Please note that these Terms are between you and Microsoft and not with + the application store. + + 2. The respective application store provider and its subsidiaries are third + party beneficiaries of these Terms, and upon your acceptance of these + Terms, the application store provider(s) will have the right to directly + enforce and rely upon any provision of these Terms that grants them a + benefit or rights. + +9. **TRADEMARK NOTICES.** Microsoft, Microsoft Defender ATP, MDATP, and + Microsoft 365 are registered or common-law trademarks of Microsoft + Corporation in the United States and/or other countries. + +10. **ENTIRE AGREEMENT.** This agreement and the terms for supplements, updates, + Internet-based services, and support services that you use are the entire + agreement for the application and support services. + +11. **APPLICABLE LAW.** + + 1. **United States.** If you acquired the application in the United States, + Washington state law governs the interpretation of this agreement and + applies to claims for breach of it, regardless of conflict of laws + principles. The laws of the state where you live govern all other + claims, including claims under state consumer protection laws, unfair + competition laws, and in tort. + + 2. **Outside the United States.** If you acquired the application in any + other country, the laws of that country apply. + +12. **LEGAL EFFECT.** This agreement describes certain legal rights. You may + have other rights under the laws of your country. You may also have rights + with respect to the party from whom you acquired the application. This + agreement does not change your rights under the laws of your country if the + laws of your country do not permit it to do so. + +13. **DISCLAIMER OF WARRANTY. THE APPLICATION IS LICENSED "AS-IS." "WITH ALL + FAULTS," AND "AS AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND + WIRELESS CARRIERS OVER WHOSE NETWORK THE APPLICATION IS DISTRIBUTED, AND + EACH OF OUR RESPECTIVE AFFILIATES, AND SUPPLIERS ("COVERED PARTIES") GIVE NO + EXPRESS WARRANTIES, GUARANTEES OR CONDITIONS UNDER OR IN RELATION TO THE + APPLICATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + APPLICATION IS WITH YOU. SHOULD THE APPLICATION BE DEFECTIVE, YOU ASSUME THE + ENTIRE COST OF ALL NECESSARY SERVICING OR REPAIR. YOU MAY HAVE ADDITIONAL + CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO + THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, COVERED PARTIES EXCLUDE THE + IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND + NON-INFRINGEMENT.** + + **FOR AUSTRALIA - YOU HAVE STATUTORY GUARANTEES UNDER THE AUSTRALIAN CONSUMER LAW AND NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS.** + +14. **LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. TO THE EXTENT NOT + PROHIBITED BY LAW, YOU CAN RECOVER FROM MICROSOFT ONLY DIRECT DAMAGES UP TO + ONE U.S. DOLLAR (\$1.00). YOU AGREE NOT TO SEEK TO RECOVER ANY OTHER + DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR + INCIDENTAL DAMAGES FROM ANY COVERED PARTIES.** + +This limitation applies to: + +- anything related to the application, services, content (including code) on + third party Internet sites, or third party programs; and + +- claims for breach of contract, warranty, guarantee or condition; consumer + protection; deception; unfair competition; strict liability, negligence, + misrepresentation, omission, trespass or other tort; violation of statute or + regulation; or unjust enrichment; all to the extent permitted by applicable + law. + +It also applies even if: + +a. Repair, replacement or refund for the application does not fully compensate + you for any losses; or + +b. Covered Parties knew or should have known about the possibility of the + damages. + +The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md index 022658e40b..1200b24369 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-configuration-manager.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with Configuration Manager diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md index 1e7317f3e8..299b6b807e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-group-policy-objects.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with Group Policy Objects diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md index 6801853a3f..43b5a8c70c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-intune.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md index 245b969459..8629492da7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration-other-tools.md @@ -15,6 +15,8 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: article +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection with PowerShell, WMI, and MPCmdRun.exe diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md index f716c99579..f06086dbc1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-atp-post-migration.md @@ -14,7 +14,9 @@ ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance -ms.topic: article +ms.topic: conceptual +ms.date: 09/04/2020 +ms.reviewer: chventou --- # Manage Microsoft Defender Advanced Threat Protection, post migration diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md new file mode 100644 index 0000000000..9676eaf9e7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-migration.md @@ -0,0 +1,59 @@ +--- +title: Migrate from McAfee to Microsoft Defender ATP +description: Make the switch from McAfee to Microsoft Defender ATP. Read this article for an overview. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +- m365solution-overview +ms.topic: conceptual +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee to Microsoft Defender Advanced Threat Protection + +If you are planning to switch from McAfee Endpoint Security (McAfee) to [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP), you're in the right place. Use this article as a guide to plan your migration. + +## The migration process + +When you switch from McAfee to Microsoft Defender ATP, you follow a process that can be divided into three phases, as described in the following table: + +|Phase |Description | +|--|--| +|[](mcafee-to-microsoft-defender-prepare.md)
[Prepare for your migration](mcafee-to-microsoft-defender-prepare.md) |During [the **Prepare** phase](mcafee-to-microsoft-defender-prepare.md), you update your organization's devices, get Microsoft Defender ATP, plan your roles and permissions, and grant access to the Microsoft Defender Security Center. You also configure your device proxy and internet settings to enable communication between your organization's devices and Microsoft Defender ATP. | +|[](mcafee-to-microsoft-defender-setup.md)
[Set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md) |During [the **Setup** phase](mcafee-to-microsoft-defender-setup.md), you enable Microsoft Defender Antivirus and make sure it's in passive mode, and you configure settings & exclusions for Microsoft Defender Antivirus, Microsoft Defender ATP, and McAfee. You also create device groups, collections, and organizational units. Finally, you configure your antimalware policies and real-time protection settings.| +|[](mcafee-to-microsoft-defender-onboard.md)
[Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) |During [the **Onboard** phase](mcafee-to-microsoft-defender-onboard.md), you onboard your devices to Microsoft Defender ATP and verify that those devices are communicating with Microsoft Defender ATP. Last, you uninstall McAfee and make sure that protection through Microsoft Defender Antivirus & Microsoft Defender ATP is in active mode. | + +## What's included in Microsoft Defender ATP? + +In this migration guide, we focus on [next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) and [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) capabilities as a starting point for moving to Microsoft Defender ATP. However, Microsoft Defender ATP includes much more than antivirus and endpoint protection. Microsoft Defender ATP is a unified platform for preventative protection, post-breach detection, automated investigation, and response. The following table summarizes features and capabilities in Microsoft Defender ATP. + +| Feature/Capability | Description | +|---|---| +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | +| [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | +| [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | +| [Advanced hunting](advanced-hunting-overview.md) | Advanced hunting capabilities enable your security operations team to locate indicators and entities of known or potential threats. | +| [Behavioral blocking and containment](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment) | Behavioral blocking and containment capabilities help identify and stop threats, based on their behaviors and process trees even when the threat has started execution. | +| [Automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) | Automated investigation and response capabilities examine alerts and take immediate remediation action to resolve breaches. | +| [Threat hunting service](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-threat-experts) (Microsoft Threat Experts) | Threat hunting services provide security operations teams with expert level monitoring and analysis, and to help ensure that critical threats aren't missed. | + +**Want to learn more? See [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection).** + +## Next step + +- Proceed to [Prepare for your migration](mcafee-to-microsoft-defender-prepare.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md new file mode 100644 index 0000000000..fcd726467f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-onboard.md @@ -0,0 +1,92 @@ +--- +title: McAfee to Microsoft Defender ATP - Onboard +description: This is phase 3, Onboard, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-McAfeemigrate +ms.custom: migrationguides +ms.topic: article +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 3: Onboard to Microsoft Defender ATP + +|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |
Phase 3: Onboard | +|--|--|--| +|| |*You are here!* | + + +**Welcome to Phase 3 of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This migration phase includes the following steps: + +1. [Onboard devices to Microsoft Defender ATP](#onboard-devices-to-microsoft-defender-atp). +2. [Run a detection test](#run-a-detection-test). +3. [Uninstall McAfee](#uninstall-mcafee). +4. [Make sure Microsoft Defender ATP is in active mode](#make-sure-microsoft-defender-atp-is-in-active-mode). + +## Onboard devices to Microsoft Defender ATP + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. Choose **Settings** > **Device management** > **Onboarding**. + +3. In the **Select operating system to start onboarding process** list, select an operating system. + +4. Under **Deployment method**, select an option. Follow the links and prompts to onboard your organization's devices. Need help? See [Onboarding methods](#onboarding-methods). + +### Onboarding methods + +Deployment methods vary, depending on which operating system is selected. Refer to the resources listed in the table below to get help with onboarding. + +|Operating system |Method | +|---------|---------| +|Windows 10 |- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [Mobile Device Management (Intune)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm)
- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows 8.1 Enterprise
- Windows 8.1 Pro
- Windows 7 SP1 Enterprise
- Windows 7 SP1 Pro | [Microsoft Monitoring Agent](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#install-and-configure-microsoft-monitoring-agent-mma-to-report-sensor-data-to-microsoft-defender-atp)
**NOTE**: Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent). | +|- Windows Server 2019 and later
- Windows Server 2019 core edition
- Windows Server version 1803 and later |- [Local script](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-script)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp)
- [Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm)
- [System Center Configuration Manager](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-sccm#onboard-windows-10-devices-using-earlier-versions-of-system-center-configuration-manager)
- [VDI onboarding scripts for non-persistent devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-vdi)
**NOTE**: A local script is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | +|- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2 SP1 |- [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#option-1-onboard-servers-through-microsoft-defender-security-center)
- [Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-wdatp) | +|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra)
iOS
Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Onboard non-Windows devices](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-non-windows) | + +## Run a detection test + +To verify that your onboarded devices are properly connected to Microsoft Defender ATP, you can run a detection test. + + +|Operating system |Guidance | +|---------|---------| +|- Windows 10
- Windows Server 2019
- Windows Server, version 1803
- Windows Server 2016
- Windows Server 2012 R2 |See [Run a detection test](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/run-detection-test).
Visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)) and try one or more of the scenarios. For example, try the **Cloud-delivered protection** demo scenario. | +|macOS
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |Download and use the DIY app at [https://aka.ms/mdatpmacosdiy](https://aka.ms/mdatpmacosdiy).
For more information, see [Microsoft Defender Advanced Threat Protection for Mac](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac). | +|Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |1. Run the following command, and look for a result of **1**:
`mdatp health --field real_time_protection_enabled`.
2. Open a Terminal window, and run the following command:
`curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt`.
3. Run the following command to list any detected threats:
`mdatp threat list`.
For more information, see [Microsoft Defender ATP for Linux](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux). | + +## Uninstall McAfee + +Now that you have onboarded your organization's devices to Microsoft Defender ATP, your next step is to uninstall McAfee. + +To get help with this step, go to your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)). + +## Make sure Microsoft Defender ATP is in active mode + +Now that you have uninstalled McAfee, your next step is to make sure that Microsoft Defender Antivirus and endpoint detection and response are enabled and in active mode. + +To do this, visit the Microsoft Defender ATP demo scenarios site ([https://demo.wd.microsoft.com](https://demo.wd.microsoft.com)). Try one or more of the demo scenarios on that page, including at least the following: +- Cloud-delivered protection +- Potentially Unwanted Applications (PUA) +- Network Protection (NP) + +## Next steps + +**Congratulations**! You have completed your [migration from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Visit your security operations dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) in the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). +- [Manage Microsoft Defender Advanced Threat Protection, post migration](manage-atp-post-migration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md new file mode 100644 index 0000000000..257ff56b22 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-prepare.md @@ -0,0 +1,119 @@ +--- +title: McAfee to Microsoft Defender ATP - Prepare +description: This is phase 1, Prepare, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +ms.topic: article +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 1: Prepare for your migration + +|
Phase 1: Prepare |[](mcafee-to-microsoft-defender-setup.md)
[Phase 2: Set up](mcafee-to-microsoft-defender-setup.md) |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +|--|--|--| +|*You are here!*| | | + + +**Welcome to the Prepare phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. + +This migration phase includes the following steps: +1. [Get and deploy updates across your organization's devices](#get-and-deploy-updates-across-your-organizations-devices) +2. [Get Microsoft Defender ATP](#get-microsoft-defender-atp). +3. [Grant access to the Microsoft Defender Security Center](#grant-access-to-the-microsoft-defender-security-center). +4. [Configure device proxy and internet connectivity settings](#configure-device-proxy-and-internet-connectivity-settings). + +## Get and deploy updates across your organization's devices + +As a best practice, keep your organization's devices and endpoints up to date. Make sure your McAfee Endpoint Security (McAfee) solution is up to date, and that the operating systems and apps your organization is also have the latest updates. Doing this now can help prevent problems later as you migrate to Microsoft Defender ATP and Microsoft Defender Antivirus. + +### Make sure your McAfee solution is up to date + +Keep McAfee up to date, and make sure that your organization's devices have the latest security updates. Need help? Here are some McAfee resources: + +- [McAfee Enterprise Product Documentation: How Endpoint Security Works](https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-1207FF39-D1D2-481F-BBD9-E4079112A8DD.html) + +- [McAfee Knowledge Center Technical Article: Windows Security Center intermittently incorrectly reports that Endpoint Security is disabled when running on Windows 10](https://kc.mcafee.com/corporate/index?page=content&id=KB91830) + +- [McAfee Knowledge Center Technical Article: Windows Security Center reports Endpoint Security is disabled when Endpoint Security is running](https://kc.mcafee.com/corporate/index?page=content&id=KB91428) + +- Your McAfee support ServicePortal ([http://mysupport.mcafee.com](http://mysupport.mcafee.com)) + +### Make sure your organization's devices are up to date + +Need help updating your organization's devices? See the following resources: + +|OS | Resource | +|:--|:--| +|Windows |[Microsoft Update](https://www.update.microsoft.com) | +|macOS | [How to update the software on your Mac](https://support.apple.com/HT201541)| +|iOS |[Update your iPhone, iPad, or iPod touch](https://support.apple.com/HT204204)| +|Android |[Check & update your Android version](https://support.google.com/android/answer/7680439) | +|Linux | [Linux 101: Updating Your System](https://www.linux.com/training-tutorials/linux-101-updating-your-system) | + +## Get Microsoft Defender ATP + +Now that you've updated your organization's devices, the next step is to get Microsoft Defender ATP, assign licenses, and make sure the service is provisioned. + +1. Buy or try Microsoft Defender ATP today. [Visit Microsoft Defender ATP to start a free trial or request a quote](https://aka.ms/mdatp). + +2. Verify that your licenses are properly provisioned. [Check your license state](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#check-license-state). + +3. As a global administrator or security administrator, set up your dedicated cloud instance of Microsoft Defender ATP. See [Microsoft Defender ATP setup: Tenant configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#tenant-configuration). + +4. If endpoints (such as devices) in your organization use a proxy to access the internet, see [Microsoft Defender ATP setup: Network configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/production-deployment#network-configuration). + +At this point, you are ready to grant access to your security administrators and security operators who will use the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)). + +> [!NOTE] +> The Microsoft Defender Security Center is sometimes referred to as the Microsoft Defender ATP portal. + +## Grant access to the Microsoft Defender Security Center + +The Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) is where you access and configure features and capabilities of Microsoft Defender ATP. To learn more, see [Overview of the Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/use). + +Permissions to the Microsoft Defender Security Center can be granted by using either basic permissions or role-based access control (RBAC). We recommend using RBAC so that you have more granular control over permissions. + +1. Plan the roles and permissions for your security administrators and security operators. See [Role-based access control](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/prepare-deployment#role-based-access-control). + +2. Set up and configure RBAC. We recommend using [Intune](https://docs.microsoft.com/mem/intune/fundamentals/what-is-intune) to configure RBAC, especially if your organization is using a combination of Windows 10, macOS, iOS, and Android devices. See [setting up RBAC using Intune](https://docs.microsoft.com/mem/intune/fundamentals/role-based-access-control). + + If your organization requires a method other than Intune, choose one of the following options: + - [Configuration Manager](https://docs.microsoft.com/mem/configmgr/core/servers/deploy/configure/configure-role-based-administration) + - [Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm) + - [Windows Admin Center](https://docs.microsoft.com/windows-server/manage/windows-admin-center/overview) + +3. Grant access to the Microsoft Defender Security Center. (Need help? See [Manage portal access using RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac)). + +## Configure device proxy and internet connectivity settings + +To enable communication between your devices and Microsoft Defender ATP, configure proxy and internet settings. The following table includes links to resources you can use to configure your proxy and internet settings for various operating systems and capabilities: + +|Capabilities | Operating System | Resources | +|--|--|--| +|[Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |[Configure machine proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet) | +|EDR |- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |[Configure proxy and internet connectivity settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-downlevel#configure-proxy-and-internet-connectivity-settings) | +|EDR |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) |- [Windows 10](https://docs.microsoft.com/windows/release-information)
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server 1803 or later](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803)
- [Windows Server 2016](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-2016) |[Configure and validate Microsoft Defender Antivirus network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus)
| +|Antivirus |macOS:
- 10.15 (Catalina)
- 10.14 (Mojave)
- 10.13 (High Sierra) |[Microsoft Defender ATP for Mac: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-mac#network-connections) | +|Antivirus |Linux:
- RHEL 7.2+
- CentOS Linux 7.2+
- Ubuntu 16 LTS, or higher LTS
- SLES 12+
- Debian 9+
- Oracle Linux 7.2 |[Microsoft Defender ATP for Linux: Network connections](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux#network-connections) + +## Next step + +**Congratulations**! You have completed the **Prepare** phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Proceed to set up Microsoft Defender ATP](mcafee-to-microsoft-defender-setup.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md new file mode 100644 index 0000000000..9d3017e042 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/mcafee-to-microsoft-defender-setup.md @@ -0,0 +1,242 @@ +--- +title: McAfee to Microsoft Defender ATP - Setup +description: This is phase 2, Setup, for migrating from McAfee to Microsoft Defender ATP. +keywords: migration, windows defender advanced threat protection, atp, edr +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: deniseb +author: denisebmsft +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-mcafeemigrate +ms.topic: article +ms.custom: migrationguides +ms.date: 09/03/2020 +ms.reviewer: jesquive, chventou, jonix, chriggs, owtho +--- + +# Migrate from McAfee - Phase 2: Set up Microsoft Defender ATP + +|[](mcafee-to-microsoft-defender-prepare.md)
[Phase 1: Prepare](mcafee-to-microsoft-defender-prepare.md) |
Phase 2: Set up |[](mcafee-to-microsoft-defender-onboard.md)
[Phase 3: Onboard](mcafee-to-microsoft-defender-onboard.md) | +|--|--|--| +||*You are here!* | | + + +**Welcome to the Setup phase of [migrating from McAfee Endpoint Security (McAfee) to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](mcafee-to-microsoft-defender-migration.md#the-migration-process)**. This phase includes the following steps: +1. [Enable Microsoft Defender Antivirus and confirm it's in passive mode](#enable-microsoft-defender-antivirus-and-confirm-its-in-passive-mode). +2. [Add Microsoft Defender ATP to the exclusion list for McAfee](#add-microsoft-defender-atp-to-the-exclusion-list-for-mcafee). +3. [Add McAfee to the exclusion list for Microsoft Defender Antivirus](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-antivirus). +4. [Add McAfee to the exclusion list for Microsoft Defender ATP](#add-mcafee-to-the-exclusion-list-for-microsoft-defender-atp). +5. [Set up your device groups, device collections, and organizational units](#set-up-your-device-groups-device-collections-and-organizational-units). +6. [Configure antimalware policies and real-time protection](#configure-antimalware-policies-and-real-time-protection). + +## Enable Microsoft Defender Antivirus and confirm it's in passive mode + +On certain versions of Windows, such as Windows Server, Microsoft Defender Antivirus might have been uninstalled or disabled when your McAfee solution was installed. This is because Microsoft Defender Antivirus does not enter passive or disabled mode when you install a third-party antivirus product, such as McAfee. (To learn more about this, see [Microsoft Defender Antivirus compatibility](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility).) + +This step of the migration process includes the following tasks: +- [Setting DisableAntiSpyware to false on Windows Server](#set-disableantispyware-to-false-on-windows-server) +- [Reinstalling Microsoft Defender Antivirus on Windows Server](#reinstall-microsoft-defender-antivirus-on-windows-server); +- [Setting Microsoft Defender Antivirus to passive mode on Windows Server](#set-microsoft-defender-antivirus-to-passive-mode-on-windows-server) +- [Enabling Microsoft Defender Antivirus on your Windows client devices](#enable-microsoft-defender-antivirus-on-your-windows-client-devices); and +- [Confirming that Microsoft Defender Antivirus is set to passive mode](#confirm-that-microsoft-defender-antivirus-is-in-passive-mode). + +### Set DisableAntiSpyware to false on Windows Server + +The [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware) registry key was used in the past to disable Microsoft Defender Antivirus, and deploy another antivirus product, such as McAfee. In general, you should not have this registry key on your Windows devices and endpoints; however, if you do have `DisableAntiSpyware` configured, here's how to set its value to false: + +1. On your Windows Server device, open Registry Editor. + +2. Navigate to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender`. + +3. In that folder, look for a DWORD entry called **DisableAntiSpyware**. + + - If you do not see that entry, you're all set. + + - If you do see **DisableAntiSpyware**, proceed to step 4. + +4. Right-click the DisableAntiSpyware DWORD, and then choose **Modify**. + +5. Set the value to `0`. (This sets the registry key's value to *false*.) + +> [!TIP] +> To learn more about this registry key, see [DisableAntiSpyware](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware). + +### Reinstall Microsoft Defender Antivirus on Windows Server + +> [!NOTE] +> The following procedure applies only to endpoints or devices that are running the following versions of Windows: +> - Windows Server 2019 +> - Windows Server, version 1803 (core-only mode) +> - Windows Server 2016 + +1. As a local administrator on the endpoint or device, open Windows PowerShell. + +2. Run the following PowerShell cmdlets:
+ + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender-Features`
+ + `Dism /online /Get-FeatureInfo /FeatureName:Windows-Defender`
+ +3. To verify Microsoft Defender Antivirus is running, use the following PowerShell cmdlet:
+ + `Get-Service -Name windefend` + +> [!TIP] +> Need help? See [Microsoft Defender Antivirus on Windows Server 2016 and 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016). + +### Set Microsoft Defender Antivirus to passive mode on Windows Server + +Because your organization is still using McAfee, you must set Microsoft Defender Antivirus to passive mode. That way, McAfee and Microsoft Defender Antivirus can run side by side until you have finished onboarding to Microsoft Defender ATP. + +1. Open Registry Editor, and then navigate to
+ `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Windows Advanced Threat Protection`. + +2. Edit (or create) a DWORD entry called **ForceDefenderPassiveMode**, and specify the following settings: + + - Set the DWORD's value to **1**. + + - Under **Base**, select **Hexadecimal**. + +> [!NOTE] +> You can use other methods to set the registry key, such as the following: +>- [Group Policy Preference](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn581922(v=ws.11)) +>- [Local Group Policy Object tool](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10#what-is-the-local-group-policy-object-lgpo-tool) +>- [A package in Configuration Manager](https://docs.microsoft.com/mem/configmgr/apps/deploy-use/packages-and-programs) + +### Enable Microsoft Defender Antivirus on your Windows client devices + +Because your organization has been using McAfee as your primary antivirus solution, Microsoft Defender Antivirus is most likely disabled on your organization's Windows devices. This step of the migration process involves enabling Microsoft Defender Antivirus. + +To enable Microsoft Defender Antivirus, we recommend using Intune. However, you can any of the methods that are listed in the following table: + +|Method |What to do | +|---------|---------| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile type you want to configure.
If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
3. Select **Properties**, and then select **Configuration settings: Edit**.
4. Expand **Microsoft Defender Antivirus**.
5. Enable **Cloud-delivered protection**.
6. In the **Prompt users before sample submission** dropdown, select **Send all samples automatically**.
7. In the **Detect potentially unwanted applications** dropdown, select **Enable** or **Audit**.
8. Select **Review + save**, and then choose **Save**.
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles).| +|Control Panel in Windows |Follow the guidance here: [Turn on Microsoft Defender Antivirus](https://docs.microsoft.com/mem/intune/user-help/turn-on-defender-windows).
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | +|[Advanced Group Policy Management](https://docs.microsoft.com/microsoft-desktop-optimization-pack/agpm/)
or
[Group Policy Management Console](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus) |1. Go to `Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus`.
2. Look for a policy called **Turn off Microsoft Defender Antivirus**.
3. Choose **Edit policy setting**, and make sure that policy is disabled. This enables Microsoft Defender Antivirus.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. | + +### Confirm that Microsoft Defender Antivirus is in passive mode + +Microsoft Defender Antivirus can run alongside McAfee if you set Microsoft Defender Antivirus to passive mode. You can use either Command Prompt or PowerShell to perform this task, as described in the following table: + +|Method |What to do | +|---------|---------| +|Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. | + +> [!NOTE] +> You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. + +## Add Microsoft Defender ATP to the exclusion list for McAfee + +This step of the setup process involves adding Microsoft Defender ATP to the exclusion list for McAfee and any other security products your organization is using. + +> [!TIP] +> To get help configuring exclusions, refer to McAfee documentation, such as the following article: [McAfee Endpoint Security 10.5.0 - Threat Prevention Module Product Guide (McAfee ePolicy Orchestrator) - Windows: Configuring exclusions](https://docs.mcafee.com/bundle/endpoint-security-10.5.0-threat-prevention-product-guide-epolicy-orchestrator-windows/page/GUID-71C5FB4B-A143-43E6-8BF0-8B2C16ABE6DA.html). + +The specific exclusions to configure depend on which version of Windows your endpoints or devices are running, and are listed in the following table: + +|OS |Exclusions | +|--|--| +|- Windows 10, [version 1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803) or later (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information))
- Windows 10, version 1703 or [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709) with [KB4493441](https://support.microsoft.com/help/4493441) installed
- [Windows Server 2019](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019)
- [Windows Server, version 1803](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) |`C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe`
`C:\Program Files\Windows Defender Advanced Threat Protection\SenseIR.exe`
| +|- [Windows 8.1](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows 7](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1)
- [Windows Server 2016](https://docs.microsoft.com/windows/release-information/status-windows-10-1607-and-windows-server-2016)
- [Windows Server 2012 R2](https://docs.microsoft.com/windows/release-information/status-windows-8.1-and-windows-server-2012-r2)
- [Windows Server 2008 R2 SP1](https://docs.microsoft.com/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1) |`C:\Program Files\Microsoft Monitoring Agent\Agent\Health Service State\Monitoring Host Temporary Files 6\45\MsSenseS.exe`
**NOTE**: Where Monitoring Host Temporary Files 6\45 can be different numbered subfolders.
`C:\Program Files\Microsoft Monitoring Agent\Agent\AgentControlPanel.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HealthService.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\HSLockdown.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MOMPerfSnapshotHelper.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe`
`C:\Program Files\Microsoft Monitoring Agent\Agent\TestCloudConnection.exe` | + +## Add McAfee to the exclusion list for Microsoft Defender Antivirus + +During this step of the setup process, you add McAfee and your other security solutions to the Microsoft Defender Antivirus exclusion list. + +When you add [exclusions to Microsoft Defender Antivirus scans](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus), you should add path and process exclusions. Keep the following points in mind: +- Path exclusions exclude specific files and whatever those files access. +- Process exclusions exclude whatever a process touches, but does not exclude the process itself. +- If you list each executable (.exe) as both a path exclusion and a process exclusion, the process and whatever it touches are excluded. +- List your process exclusions using their full path and not by their name only. (The name-only method is less secure.) + +You can choose from several methods to add your exclusions to Microsoft Defender Antivirus, as listed in the following table: + +|Method | What to do| +|--|--| +|[Intune](https://docs.microsoft.com/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager)
**NOTE**: Intune is now Microsoft Endpoint Manager. |1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and sign in.
2. Select **Devices** > **Configuration profiles**, and then select the profile that you want to configure.
3. Under **Manage**, select **Properties**.
4. Select **Configuration settings: Edit**.
5. Expand **Microsoft Defender Antivirus**, and then expand **Microsoft Defender Antivirus Exclusions**.
6. Specify the files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. For reference, see [Microsoft Defender Antivirus exclusions](https://docs.microsoft.com/mem/intune/configuration/device-restrictions-windows-10#microsoft-defender-antivirus-exclusions).
7. Choose **Review + save**, and then choose **Save**. | +|[Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/mem/configmgr/) |1. Using the [Configuration Manager console](https://docs.microsoft.com/mem/configmgr/core/servers/manage/admin-console), go to **Assets and Compliance** > **Endpoint Protection** > **Antimalware Policies**, and then select the policy that you want to modify.
2. Specify exclusion settings for files and folders, extensions, and processes to exclude from Microsoft Defender Antivirus scans. | +|[Group Policy Object](https://docs.microsoft.com/previous-versions/windows/desktop/Policy/group-policy-objects) | 1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you specify a file, make sure to enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**. | +|Local group policy object |1. On the endpoint or device, open the Local Group Policy Editor.
2. Go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Exclusions**.
**NOTE**: You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows.
3. Specify your path and process exclusions. | +|Registry key |1. Export the following registry key: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\exclusions`.
2. Import the registry key. Here are two examples:
- Local path: `regedit.exe /s c:\temp\ MDAV_Exclusion.reg`
- Network share: `regedit.exe /s \\FileServer\ShareName\MDAV_Exclusion.reg` | + +## Add McAfee to the exclusion list for Microsoft Defender ATP + +To add exclusions to Microsoft Defender ATP, you create [indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators#create-indicators-for-files). + +1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)) and sign in. + +2. In the navigation pane, choose **Settings** > **Rules** > **Indicators**. + +3. On the **File hashes** tab, choose **Add indicator**. + +3. On the **Indicator** tab, specify the following settings: + - File hash (Need help? See [Find a file hash using CMPivot](#find-a-file-hash-using-cmpivot) in this article.) + - Under **Expires on (UTC)**, choose **Never**. + +4. On the **Action** tab, specify the following settings: + - **Response Action**: **Allow** + - Title and description + +5. On the **Scope** tab, under **Device groups**, select either **All devices in my scope** or **Select from list**. + +6. On the **Summary** tab, review the settings, and then click **Save**. + +### Find a file hash using CMPivot + +CMPivot is an in-console utility for Configuration Manager. CMPivot provides access to the real-time state of devices in your environment. It immediately runs a query on all currently connected devices in the target collection and returns the results. To learn more, see [CMPivot overview](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot-overview). + +To use CMPivot to get your file hash, follow these steps: + +1. Review the [prerequisites](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#prerequisites). + +2. [Start CMPivot](https://docs.microsoft.com/mem/configmgr/core/servers/manage/cmpivot#start-cmpivot). + +3. Connect to Configuration Manager (`SCCM_ServerName.DomainName.com`). + +4. Select the **Query** tab. + +5. In the **Device Collection** list, and choose **All Systems (default)**. + +6. In the query box, type the following query:
+ +```kusto +File(c:\\windows\\notepad.exe) +| project Hash +``` +> [!NOTE] +> In the query above, replace *notepad.exe* with the your third-party security product process name. + +## Set up your device groups, device collections, and organizational units + +| Collection type | What to do | +|--|--| +|[Device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups) (formerly called machine groups) enable your security operations team to configure security capabilities, such as automated investigation and remediation.
Device groups are also useful for assigning access to those devices so that your security operations team can take remediation actions if needed.
Device groups are created in the Microsoft Defender Security Center. |1. Go to the Microsoft Defender Security Center ([https://aka.ms/MDATPportal](https://aka.ms/MDATPportal)).
2. In the navigation pane on the left, choose **Settings** > **Permissions** > **Device groups**.
3. Choose **+ Add device group**.
4. Specify a name and description for the device group.
5. In the **Automation level** list, select an option. (We recommend **Full - remediate threats automatically**.) To learn more about the various automation levels, see [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated).
6. Specify conditions for a matching rule to determine which devices belong to the device group. For example, you can choose a domain, OS versions, or even use [device tags](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-tags).
7. On the **User access** tab, specify roles that should have access to the devices that are included in the device group.
8. Choose **Done**. | +|[Device collections](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/introduction-to-collections) enable your security operations team to manage applications, deploy compliance settings, or install software updates on the devices in your organization.
Device collections are created by using [Configuration Manager](https://docs.microsoft.com/mem/configmgr/). |Follow the steps in [Create a collection](https://docs.microsoft.com/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_create). | +|[Organizational units](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou) enable you to logically group objects such as user accounts, service accounts, or computer accounts. You can then assign administrators to specific organizational units, and apply group policy to enforce targeted configuration settings.
Organizational units are defined in [Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services). | Follow the steps in [Create an Organizational Unit in an Azure Active Directory Domain Services managed domain](https://docs.microsoft.com/azure/active-directory-domain-services/create-ou). | + +## Configure antimalware policies and real-time protection + +Using Configuration Manager and your device collection(s), configure your antimalware policies. + +- See [Create and deploy antimalware policies for Endpoint Protection in Configuration Manager](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies). + +- While you create and configure your antimalware policies, make sure to review the [real-time protection settings](https://docs.microsoft.com/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) and [enable block at first sight](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus). + +> [!TIP] +> You can deploy the policies before your organization's devices on onboarded. + +## Next step + +**Congratulations**! You have completed the Setup phase of [migrating from McAfee to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md#the-migration-process)! + +- [Proceed to Phase 3: Onboard to Microsoft Defender ATP](mcafee-to-microsoft-defender-onboard.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md new file mode 100644 index 0000000000..86914d9a44 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/migration-guides.md @@ -0,0 +1,43 @@ +--- +title: Make the switch to Microsoft Defender ATP +description: Learn how to make the switch from a non-Microsoft threat protection solution to Microsoft Defender ATP +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2020 +ms.prod: w10 +ms.localizationpriority: medium +ms.collection: +- M365-security-compliance +ms.custom: migrationguides +ms.reviewer: chriggs, depicker, yongrhee +f1.keywords: NOCSH +--- + +# Make the switch to Microsoft Defender ATP and Microsoft Defender Antivirus + +## Migration guides + +If you're considering switching from a non-Microsoft threat protection solution to Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) with Microsoft Defender Antivirus, check out our migration guidance. + +- [McAfee Endpoint Security (McAfee) to Microsoft Defender ATP](mcafee-to-microsoft-defender-migration.md) + +- [Symantec Endpoint Protection (Symantec) to Microsoft Defender ATP](symantec-to-microsoft-defender-atp-migration.md) + +- [Manage Microsoft Defender Advanced Threat Protection, after you've migrated](manage-atp-post-migration.md) + + +## Got feedback? + +Let us know what you think! Submit your feedback at the bottom of the page. We'll take your feedback into account as we continue to improve and add to our migration guidance. + +## See also + +- [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) + +- [Office 365 Advanced Threat Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) + +- [Microsoft Threat Protection](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection?) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md new file mode 100644 index 0000000000..5a3d023354 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding-endpoint-configuration-manager.md @@ -0,0 +1,355 @@ +--- +title: Onboarding using Microsoft Endpoint Configuration Manager +description: Learn how to onboard to Microsoft Defender ATP using Microsoft Endpoint Configuration Manager +keywords: onboarding, configuration, deploy, deployment, endpoint configuration manager, mdatp, advanced threat protection, collection creation, endpoint detection response, next generation protection, attack surface reduction +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: +- M365-security-compliance +- m365solution-endpointprotect +ms.topic: article +--- + +# Onboarding using Microsoft Endpoint Configuration Manager +**Applies to:** +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Collection creation +To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the +deployment can target either and existing collection or a new collection can be +created for testing. The onboarding like group policy or manual method does +not install any agent on the system. Within the Configuration Manager console +the onboarding process will be configured as part of the compliance settings +within the console. Any system that receives this required configuration will +maintain that configuration for as long as the Configuration Manager client +continues to receive this policy from the management point. Follow the steps +below to onboard systems with Configuration Manager. + +1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. + +  + +2. Right Click **Device Collection** and select **Create Device Collection**. + +  + +3. Provide a **Name** and **Limiting Collection**, then select **Next**. + +  + +4. Select **Add Rule** and choose **Query Rule**. + +  + +5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. + +  + +6. Select **Criteria** and then choose the star icon. + +  + +7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. + +  + +8. Select **Next** and **Close**. + +  + +9. Select **Next**. + +  + +After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. + +## Endpoint detection and response +### Windows 10 +From within the Microsoft Defender Security Center it is possible to download +the '.onboarding' policy that can be used to create the policy in System Center Configuration +Manager and deploy that policy to Windows 10 devices. + +1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). + + + +2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. + +  + +3. Select **Download package**. + +  + +4. Save the package to an accessible location. +5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. + +6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. + +  + +7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. + +  + +8. Click **Browse**. + +9. Navigate to the location of the downloaded file from step 4 above. + +10. Click **Next**. +11. Configure the Agent with the appropriate samples (**None** or **All file types**). + +  + +12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. + +  + +14. Verify the configuration, then click **Next**. + +  + +15. Click **Close** when the Wizard completes. + +16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. + +  + +17. On the right panel, select the previously created collection and click **OK**. + +  + + +### Previous versions of Windows Client (Windows 7 and Windows 8.1) +Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. + +1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. + +2. Under operating system choose **Windows 7 SP1 and 8.1**. + +3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. + +  + +4. Install the Microsoft Monitoring Agent (MMA).
+ MMA is currently (as of January 2019) supported on the following Windows Operating + Systems: + + - Server SKUs: Windows Server 2008 SP1 or Newer + + - Client SKUs: Windows 7 SP1 and later + + The MMA agent will need to be installed on Windows devices. To install the + agent, some systems will need to download the [Update for customer experience + and diagnostic + telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + in order to collect the data with MMA. These system versions include but may not + be limited to: + + - Windows 8.1 + + - Windows 7 + + - Windows Server 2016 + + - Windows Server 2012 R2 + + - Windows Server 2008 R2 + + Specifically, for Windows 7 SP1, the following patches must be installed: + + - Install + [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) + + - Install either [.NET Framework + 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or + later) **or** + [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). + Do not install both on the same system. + +5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. + +Once completed, you should see onboarded endpoints in the portal within an hour. + +## Next generation protection +Microsoft Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. + +  + +2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. + +  + + In certain industries or some select enterprise customers might have specific +needs on how Antivirus is configured. + + + [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) + + For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) + + +  + +  + +  + +  + +  + +  + +  + +  + +3. Right-click on the newly created antimalware policy and select **Deploy**. + +  + +4. Target the new antimalware policy to your Windows 10 collection and click **OK**. + +  + +After completing this task, you now have successfully configured Windows +Defender Antivirus. + +## Attack surface reduction +The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit +Protection. + +All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. + +To set ASR rules in Audit mode: + +1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. + +  + + +2. Select **Attack Surface Reduction**. + + +3. Set rules to **Audit** and click **Next**. + +  + +4. Confirm the new Exploit Guard policy by clicking on **Next**. + +  + + +5. Once the policy is created click **Close**. + +  + + + +6. Right-click on the newly created policy and choose **Deploy**. + +  + +7. Target the policy to the newly created Windows 10 collection and click **OK**. + +  + +After completing this task, you now have successfully configured ASR rules in audit mode. + +Below are additional steps to verify whether ASR rules are correctly applied to +endpoints. (This may take few minutes) + + +1. From a web browser, navigate to
+> For more information, see [Add groups to organize users and devices](https://docs.microsoft.com/mem/intune/fundamentals/groups-add). + +### Create a group + +1. Open the MEM portal. + +2. Open **Groups > New Group**. + +  + +3. Enter details and create a new group. + +  + +4. Add your test user or device. + +5. From the **Groups > All groups** pane, open your new group. + +6. Select **Members > Add members**. + +7. Find your test user or device and select it. + +  + +8. Your testing group now has a member to test. + +## Create configuration policies +In the following section, you'll create a number of configuration policies. +First is a configuration policy to select which groups of users or devices will +be onboarded to Microsoft Defender ATP. Then you will continue by creating several +different types of Endpoint security policies. + +### Endpoint detection and response + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Endpoint detection and response**. Click + on **Create Profile**. + +  + +3. Under **Platform, select Windows 10 and Later, Profile - Endpoint detection + and response > Create**. + +4. Enter a name and description, then select **Next**. + +  + +5. Select settings as required, then select **Next**. + +  + + >[!NOTE] + >In this instance, this has been auto populated as Microsoft Defender ATP has already been integrated with Intune. For more information on the integration, see [Enable Microsoft Defender ATP in Intune](https://docs.microsoft.com/mem/intune/protect/advanced-threat-protection-configure#to-enable-microsoft-defender-atp).
+ + +  + +6. Add scope tags if necessary, then select **Next**. + +  + +7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. + +  + +8. Review and accept, then select **Create**. + +  + +9. You can view your completed policy. + +  + +### Next-generation protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Antivirus > Create Policy**. + +  + +3. Select **Platform - Windows 10 and Later - Windows and Profile – Microsoft + Defender Antivirus > Create**. + +4. Enter name and description, then select **Next**. + +  + +5. In the **Configuration settings page**: Set the configurations you require for + Microsoft Defender Antivirus (Cloud Protection, Exclusions, Real-Time + Protection, and Remediation). + +  + +6. Add scope tags if necessary, then select **Next**. + +  + +7. Select groups to include, assign to your test group, then select **Next**. + +  + +8. Review and create, then select **Create**. + +  + +9. You'll see the configuration policy you created. + +  + +### Attack Surface Reduction – Attack surface reduction rules + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Attack surface reduction**. + +3. Select **Create Policy**. + +4. Select **Platform - Windows 10 and Later – Profile - Attack surface reduction + rules > Create**. + +  + +5. Enter a name and description, then select **Next**. + +  + +6. In the **Configuration settings page**: Set the configurations you require for + Attack surface reduction rules, then select **Next**. + + >[!NOTE] + >We will be configuring all of the Attack surface reduction rules to Audit. + + For more information, see [Attack surface reduction rules](attack-surface-reduction.md). + +  + +7. Add Scope Tags as required, then select **Next**. + +  + +8. Select groups to include and assign to test group, then select **Next**. + +  + +9. Review the details, then select **Create**. + +  + +10. View the policy. + +  + +### Attack Surface Reduction – Web Protection + +1. Open the MEM portal. + +2. Navigate to **Endpoint security > Attack surface reduction**. + +3. Select **Create Policy**. + +4. Select **Windows 10 and Later – Web protection > Create**. + +  + +5. Enter a name and description, then select **Next**. + +  + +6. In the **Configuration settings page**: Set the configurations you require for + Web Protection, then select **Next**. + + >[!NOTE] + >We are configuring Web Protection to Block. + + For more information, see [Web Protection](web-protection-overview.md). + +  + +7. Add **Scope Tags as required > Next**. + +  + +8. Select **Assign to test group > Next**. + +  + +9. Select **Review and Create > Create**. + +  + +10. View the policy. + +  + +## Validate configuration settings + + +### Confirm Policies have been applied + + +Once the Configuration policy has been assigned, it will take some time to apply. + +For information on timing, see [Intune configuration information](https://docs.microsoft.com/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned). + +To confirm that the configuration policy has been applied to your test device, follow the following process for each configuration policy. + +1. Open the MEM portal and navigate to the relevant policy as shown in the + steps above. The following example shows the next generation protection settings. + +  + +2. Select the **Configuration Policy** to view the policy status. + +  + +3. Select **Device Status** to see the status. + +  + +4. Select **User Status** to see the status. + +  + +5. Select **Per-setting status** to see the status. + + >[!TIP] + >This view is very useful to identify any settings that conflict with another policy. + +  + +### Endpoint detection and response + + +1. Before applying the configuration, the Microsoft Defender ATP + Protection service should not be started. + +  + +2. After the configuration has been applied, the Microsoft Defender ATP + Protection Service should be started. + +  + +3. After the services are running on the device, the device appears in Microsoft + Defender Security Center. + +  + +### Next-generation protection + +1. Before applying the policy on a test device, you should be able to manually + manage the settings as shown below. + +  + +2. After the policy has been applied, you should not be able to manually manage + the settings. + + >[!NOTE] + > In the following image **Turn on cloud-delivered protection** and + **Turn on real-time protection** are being shown as managed. + +  + +### Attack Surface Reduction – Attack surface reduction rules + + +1. Before applying the policy on a test device, pen a PowerShell Window and type `Get-MpPreference`. + +2. This should respond with the following lines with no content: + + AttackSurfaceReductionOnlyExclusions: + + AttackSurfaceReductionRules_Actions: + + AttackSurfaceReductionRules_Ids: + +  + +3. After applying the policy on a test device, open a PowerShell Windows and type `Get-MpPreference`. + +4. This should respond with the following lines with content as shown below: + +  + +### Attack Surface Reduction – Web Protection + +1. On the test device, open a PowerShell Windows and type + `(Get-MpPreference).EnableNetworkProtection`. + +2. This should respond with a 0 as shown below. + +  + +3. After applying the policy, open a PowerShell Windows and type + `(Get-MpPreference).EnableNetworkProtection`. + +4. This should respond with a 1 as shown below. + +  diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index 79394ceaf0..734f99dee0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -51,343 +51,21 @@ You are currently in the onboarding phase. -To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. +To deploy Microsoft Defender ATP, you'll need to onboard devices to the service. -The deployment guide uses Microsoft Endpoint Configuration Manager as the management tool to demonstrate an end-to-end deployment. +Depending on the architecture of your environment, you'll need to use the appropriate management tool that best suites your requirements. -This article will guide you on: -- Setting up Microsoft Endpoint Configuration Manager +After onboarding the devices, you'll then configure the various capabilities such as endpoint detection and response, next-generation protection, and attack surface reduction. + + +This article provides resources to guide you on: +- Using various management tools to onboard devices + - [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) + - [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md) - Endpoint detection and response configuration - Next-generation protection configuration - Attack surface reduction configuration -## Onboarding using Microsoft Endpoint Configuration Manager -### Collection creation -To onboard Windows 10 devices with Microsoft Endpoint Configuration Manager, the -deployment can target either and existing collection or a new collection can be -created for testing. The onboarding like group policy or manual method does -not install any agent on the system. Within the Configuration Manager console -the onboarding process will be configured as part of the compliance settings -within the console. Any system that receives this required configuration will -maintain that configuration for as long as the Configuration Manager client -continues to receive this policy from the management point. Follow the steps -below to onboard systems with Configuration Manager. - -1. In Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - -  - -2. Right Click **Device Collection** and select **Create Device Collection**. - -  - -3. Provide a **Name** and **Limiting Collection**, then select **Next**. - -  - -4. Select **Add Rule** and choose **Query Rule**. - -  - -5. Click **Next** on the **Direct Membership Wizard** and click on **Edit Query Statement**. - -  - -6. Select **Criteria** and then choose the star icon. - -  - -7. Keep criterion type as **simple value**, choose where as **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and click on **OK**. - -  - -8. Select **Next** and **Close**. - -  - -9. Select **Next**. - -  - -After completing this task, you now have a device collection with all the Windows 10 endpoints in the environment. - -## Endpoint detection and response -### Windows 10 -From within the Microsoft Defender Security Center it is possible to download -the '.onboarding' policy that can be used to create the policy in System Center Configuration -Manager and deploy that policy to Windows 10 devices. - -1. From a Microsoft Defender Security Center Portal, select [Settings and then Onboarding](https://securitycenter.windows.com/preferences2/onboarding). - - - -2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**. - -  - -3. Select **Download package**. - -  - -4. Save the package to an accessible location. -5. In Microsoft Endpoint Configuration Manager, navigate to: **Assets and Compliance > Overview > Endpoint Protection > Microsoft Defender ATP Policies**. - -6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - -  - -7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. - -  - -8. Click **Browse**. - -9. Navigate to the location of the downloaded file from step 4 above. - -10. Click **Next**. -11. Configure the Agent with the appropriate samples (**None** or **All file types**). - -  - -12. Select the appropriate telemetry (**Normal** or **Expedited**) then click **Next**. - -  - -14. Verify the configuration, then click **Next**. - -  - -15. Click **Close** when the Wizard completes. - -16. In the Microsoft Endpoint Configuration Manager console, right-click the Microsoft Defender ATP policy you just created and select **Deploy**. - -  - -17. On the right panel, select the previously created collection and click **OK**. - -  - - -### Previous versions of Windows Client (Windows 7 and Windows 8.1) -Follow the steps below to identify the Microsoft Defender ATP Workspace ID and Workspace Key, that will be required for the onboarding of previous versions of Windows. - -1. From a Microsoft Defender Security Center Portal, select **Settings > Onboarding**. - -2. Under operating system choose **Windows 7 SP1 and 8.1**. - -3. Copy the **Workspace ID** and **Workspace Key** and save them. They will be used later in the process. - -  - -4. Install the Microsoft Monitoring Agent (MMA).
- MMA is currently (as of January 2019) supported on the following Windows Operating - Systems: - - - Server SKUs: Windows Server 2008 SP1 or Newer - - - Client SKUs: Windows 7 SP1 and later - - The MMA agent will need to be installed on Windows devices. To install the - agent, some systems will need to download the [Update for customer experience - and diagnostic - telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - in order to collect the data with MMA. These system versions include but may not - be limited to: - - - Windows 8.1 - - - Windows 7 - - - Windows Server 2016 - - - Windows Server 2012 R2 - - - Windows Server 2008 R2 - - Specifically, for Windows 7 SP1, the following patches must be installed: - - - Install - [KB4074598](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) - - - Install either [.NET Framework - 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or - later) **or** - [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework). - Do not install both on the same system. - -5. If you're using a proxy to connect to the Internet see the Configure proxy settings section. - -Once completed, you should see onboarded endpoints in the portal within an hour. - -## next-generation protection -Microsoft Defender Antivirus is a built-in antimalware solution that provides next-generation protection for desktops, portable computers, and servers. - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Antimalware Polices** and choose **Create Antimalware Policy**. - -  - -2. Select **Scheduled scans**, **Scan settings**, **Default actions**, **Real-time protection**, **Exclusion settings**, **Advanced**, **Threat overrides**, **Cloud Protection Service** and **Security intelligence updates** and choose **OK**. - -  - - In certain industries or some select enterprise customers might have specific -needs on how Antivirus is configured. - - - [Quick scan versus full scan and custom scan](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus#quick-scan-versus-full-scan-and-custom-scan) - - For more details, see [Windows Security configuration framework](https://docs.microsoft.com/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework) - - -  - -  - -  - -  - -  - -  - -  - -  - -3. Right-click on the newly created antimalware policy and select **Deploy**. - -  - -4. Target the new antimalware policy to your Windows 10 collection and click **OK**. - -  - -After completing this task, you now have successfully configured Windows -Defender Antivirus. - -## Attack surface reduction -The attack surface reduction pillar of Microsoft Defender ATP includes the feature set that is available under Exploit Guard. Attack surface reduction (ASR) rules, Controlled Folder Access, Network Protection and Exploit -Protection. - -All these features provide an audit mode and a block mode. In audit mode there is no end-user impact. All it does is collect additional telemetry and make it available in the Microsoft Defender Security Center. The goal with a deployment is to step-by-step move security controls into block mode. - -To set ASR rules in Audit mode: - -1. In the Microsoft Endpoint Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Endpoint Protection \> Windows Defender Exploit Guard** and choose **Create Exploit Guard Policy**. - -  - - -2. Select **Attack Surface Reduction**. - - -3. Set rules to **Audit** and click **Next**. - -  - -4. Confirm the new Exploit Guard policy by clicking on **Next**. - -  - - -5. Once the policy is created click **Close**. - -  - - - -6. Right-click on the newly created policy and choose **Deploy**. - -  - -7. Target the policy to the newly created Windows 10 collection and click **OK**. - -  - -After completing this task, you now have successfully configured ASR rules in audit mode. - -Below are additional steps to verify whether ASR rules are correctly applied to -endpoints. (This may take few minutes) - - -1. From a web browser, navigate to
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. -- [Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)
-Microsoft Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. > [!TIP] > Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md index 9e26a9fef5..119fa1005e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-migration.md @@ -1,6 +1,6 @@ --- title: Migrate from Symantec to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: Get an overview of how to make the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,7 +17,10 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate - m365solution-overview -ms.topic: article +ms.topic: conceptual +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec to Microsoft Defender Advanced Threat Protection @@ -40,7 +43,7 @@ In this migration guide, we focus on [next-generation protection](https://docs.m | Feature/Capability | Description | |---|---| -| [Threat & Vulnerability Management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & Vulnerability Management capabilities helps identify, assess, and remediate weaknesses across your endpoints (such as devices). | +| [Threat & vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Threat & vulnerability management capabilities help identify, assess, and remediate weaknesses across your endpoints (such as devices). | | [Attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction) | Attack surface reduction rules help protect your organization's devices and applications from cyberthreats and attacks. | | [Next-generation protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) | Next-generation protection includes Microsoft Defender Antivirus to help block threats and malware. | | [Endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) | Endpoint detection and response capabilities detect, investigate, and respond to intrusion attempts and active breaches. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md index 6c7c329a2e..ef82adfcff 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-onboard.md @@ -1,6 +1,6 @@ --- title: Phase 3 - Onboard to Microsoft Defender ATP -description: Make the switch from Symantec to Microsoft Defender ATP +description: This is Phase 3, Onboarding, of making the switch from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 3: Onboard to Microsoft Defender ATP diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md index 2a678e94e4..e110562968 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-prepare.md @@ -1,6 +1,6 @@ --- title: Phase 1 - Prepare for your migration to Microsoft Defender ATP -description: Phase 1 of "Make the switch from Symantec to Microsoft Defender ATP". Prepare for your migration. +description: This is Phase 1, Prepare, of migrating from Symantec to Microsoft Defender ATP. keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 1: Prepare for your migration diff --git a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md index a3c0638d1e..2c6253d565 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md +++ b/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup.md @@ -1,6 +1,6 @@ --- -title: Phase 2 - Set up Microsoft Defender ATP -description: Phase 2 - Set up Microsoft Defender ATP +title: Symantec to Microsoft Defender ATP - Phase 2, Setting Up +description: This is Phase 2, Setup, of migrating from Symantec to Microsoft Defender ATP keywords: migration, windows defender advanced threat protection, atp, edr search.product: eADQiWindows 10XVcnh search.appverid: met150 @@ -17,6 +17,9 @@ ms.collection: - M365-security-compliance - m365solution-symantecmigrate ms.topic: article +ms.date: 09/04/2020 +ms.custom: migrationguides +ms.reviewer: depicker, yongrhee, chriggs --- # Migrate from Symantec - Phase 2: Set up Microsoft Defender ATP @@ -102,7 +105,7 @@ Microsoft Defender Antivirus can run alongside Symantec if you set Microsoft Def |Method |What to do | |---------|---------| |Command Prompt |1. On a Windows device, open Command Prompt as an administrator.
2. Type `sc query windefend`, and then press Enter.
3. Review the results to confirm that Microsoft Defender Antivirus is running in passive mode. | -|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus?view=win10-ps) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. | +|PowerShell |1. On a Windows device, open Windows PowerShell as an administrator.
2. Run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/Get-MpComputerStatus) cmdlet.
3. In the list of results, look for **AntivirusEnabled: True**. | > [!NOTE] > You might see *Windows Defender Antivirus* instead of *Microsoft Defender Antivirus* in some versions of Windows. diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md index 11aa392b29..af31192f3b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-dashboard-insights.md @@ -55,7 +55,7 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- **Dashboard** | Get a high-level view of the organization exposure score, Microsoft Secure Score for Devices, device exposure distribution, top security recommendations, top vulnerable software, top remediation activities, and top exposed device data. -[**Security recommendations**](tvm-remediation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. +[**Security recommendations**](tvm-security-recommendation.md) | See the list of security recommendations, their related components, whether software or software versions in your network have reached end-of-support, insights, number or exposed devices, impact, and request for remediation. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Microsoft Defender ATP. [**Remediation**](tvm-remediation.md) | See the remediation activity, related component, remediation type, status, due date, option to export the remediation and process data to CSV, and active exceptions. [**Software inventory**](tvm-software-inventory.md) | See the list of software, versions, weaknesses, whether there's an exploit found on the software, whether the software or software version has reached end-of-support, prevalence in the organization, how many were installed, how many exposed devices there are, and the numerical value of the impact. You can select each item in the list and opt to open the software page that shows the associated vulnerabilities, misconfigurations, affected device, version distribution details, and missing KBs (security updates). [**Weaknesses**](tvm-weaknesses.md) | See the list of common vulnerabilities and exposures, the severity, the common vulnerability scoring system (CVSS) V3 score, related software, age, when it was published, related threat alerts, and how many exposed devices there are. You can select each item in the list to see a flyout panel with the vulnerability description and other details. diff --git a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md index cc9c36fae9..2c2ed8bfbc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md +++ b/windows/security/threat-protection/microsoft-defender-atp/web-content-filtering.md @@ -76,10 +76,18 @@ To add a new policy: 4. Specify the policy scope. Select the device groups to specify where to apply the policy. Only devices in the selected device groups will be prevented from accessing websites in the selected categories. 5. Review the summary and save the policy. The policy may take up to 15 minutes to apply to your selected devices. +Tip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. + >[!NOTE] >If you are removing a policy or changing device groups at the same time, this might cause a delay in policy deployment. ->ProTip: You can deploy a policy without selecting any category on a device group. This action will create an audit only policy, to help you understand user behavior before creating a block policy. +### Allow specific websites + +It is possible to override the blocked category in web content filtering to allow a single site by creating a custom indicator policy. The custom indicator policy will supersede the web content filtering policy when it is applied to the device group in question. + +1. Create a custom indicator in the Microsoft Defender Security Center by going to **Settings** > **Indicators** > **URL/Domain** > **Add Item** +2. Enter the domain of the site +3. Set the policy action to **Allow**. ## Web content filtering cards and details