deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 05:43:41 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into whfb-staging

Browse Source
This commit is contained in:
Mike Stephens
2018-02-23 06:22:34 -08:00
parent f0fb2acd7f 2109716896
commit d729864426
108 changed files with 2711 additions and 854 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
windows/security/identity-protection/TOC.md
View File

@ -67,6 +67,7 @@
### [VPN auto-triggered profile options](vpn\vpn-auto-trigger-profile.md)
### [VPN security features](vpn\vpn-security-features.md)
### [VPN profile options](vpn\vpn-profile-options.md)
### [How to configure Diffie Hellman protocol over IKEv2 VPN connections](vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md)
### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md)
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)

44
windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md Normal file
View File

@ -0,0 +1,44 @@
---
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
description: Explains how to secure VPN connections for Diffie Hellman Group 2
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: shortpatti
ms.author: pashort
ms.localizationpriority: medium
ms.date: 02/08/2018
---
# How to configure Diffie Hellman protocol over IKEv2 VPN connections
>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10
In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
## VPN server
For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-VpnServerConfiguration](https://docs.microsoft.com/powershell/module/remoteaccess/set-vpnserverconfiguration?view=win10-ps) to configure the tunnel type. This makes all IKE exchanges on IKEv2 tunnel use the secure configuration.
```powershell
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
```
On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](https://technet.microsoft.com/library/hh918373(v=wps.620).aspx). Since `Set-VpnServerIPsecConfiguration` doesnt have `-TunnelType`, the configuration applies to all tunnel types on the server.
```powershell
Set-VpnServerIPsecConfiguration -CustomPolicy
```
## VPN client
For VPN client, you need to configure each VPN connection.
For example, run [Set-VpnConnectionIPsecConfiguration (version 4.0)](https://docs.microsoft.com/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=win10-ps) and specify the name of the connection:
```powershell
Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
```

209
windows/security/threat-protection/TOC.md
View File

@ -16,12 +16,13 @@
## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
###Get started
#### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
#### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot subscription and portal access issues](windows-defender-atp\troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
#### [Preview features](windows-defender-atp\preview-windows-defender-advanced-threat-protection.md)
#### [Data storage and privacy](windows-defender-atp\data-storage-privacy-windows-defender-advanced-threat-protection.md)
#### [Assign user access to the portal](windows-defender-atp\assign-portal-access-windows-defender-advanced-threat-protection.md)
### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md)
#### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md)
##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
@ -30,25 +31,29 @@
###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune)
##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md)
##### [Configure non-persistent virtual desktop infrastructure (VDI) machines](windows-defender-atp\configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
#### [Configure server endpoints](windows-defender-atp\configure-server-endpoints-windows-defender-advanced-threat-protection.md)
#### [Configure non-Windows endpoints](windows-defender-atp\configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
#### [Run a detection test on a newly onboarded endpoint](windows-defender-atp\run-detection-test-windows-defender-advanced-threat-protection.md)
#### [Configure proxy and Internet connectivity settings](windows-defender-atp\configure-proxy-internet-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot onboarding issues](windows-defender-atp\troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
### [Understand the Windows Defender ATP portal](windows-defender-atp\use-windows-defender-advanced-threat-protection.md)
#### [Portal overview](windows-defender-atp\portal-overview-windows-defender-advanced-threat-protection.md)
#### [View the Security operations dashboard](windows-defender-atp\dashboard-windows-defender-advanced-threat-protection.md)
#### [View the Security analytics dashboard](windows-defender-atp\security-analytics-dashboard-windows-defender-advanced-threat-protection.md)
#### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
#### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
##### [Alert process tree](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-process-tree)
##### [Incident graph](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#incident-graph)
##### [Alert timeline](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline)
#### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
#### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
#### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
#### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
###Investigate and remediate threats
####Alerts queue
##### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
##### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
##### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
##### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
##### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
##### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
####Machines list
##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
@ -56,8 +61,8 @@
###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
#### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
#### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
@ -77,105 +82,111 @@
####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
#### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
#### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
#### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
#### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
#### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
#### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
#### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
#### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
##### Actor
###### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
###### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
##### Alerts
###### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
###### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
###### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
###### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
##### Domain
###### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
###### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
##### File
###### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
###### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
###### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
###### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
###### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
###API and SIEM support
#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
##### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
##### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
##### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
##### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
##### IP
###### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
###### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
###### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
##### Machines
###### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
###### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
###### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
###### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
###### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
###### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
###### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
###### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
###### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
###### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
###### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
###### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
###### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
###### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
###### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
###### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
###### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
#### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
##### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
##### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
##### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
##### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
##### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
##### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
######Actor
####### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
####### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
######Alerts
####### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
####### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
####### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
####### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
######Domain
####### [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
####### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
####### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
######File
####### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
####### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
####### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
####### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
####### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
####### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
######IP
####### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
####### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
####### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
######Machines
####### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
####### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
####### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
####### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
####### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
####### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
####### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
####### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
####### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
####### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
####### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
####### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
####### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
####### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
####### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
####### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
##### User
###### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
###### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
###### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
###### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
######User
####### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
####### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
####### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
####### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
###Reporting
#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
#### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
###Check service health and sensor state
#### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
##### [Fix unhealthy sensors](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
##### [Inactive machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
##### [Misconfigured machines](windows-defender-atp\fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
#### [Check service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender ATP preferences settings](windows-defender-atp\preferences-setup-windows-defender-advanced-threat-protection.md)
#### [Update general settings](windows-defender-atp\general-settings-windows-defender-advanced-threat-protection.md)
#### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
#### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
#### [Enable advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
#### [Enable preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
#### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
#### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
#### [Enable Security Analytics security controls](windows-defender-atp\enable-security-analytics-windows-defender-advanced-threat-protection.md)
### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Configure Windows Defender ATP time zone settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
### [Access the Windows Defender ATP Community Center](windows-defender-atp\community-windows-defender-advanced-threat-protection.md)
### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
#### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
### [Windows Defender Antivirus compatibility with Windows Defender ATP](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
## [Windows Defender Antivirus in Windows 10](windows-defender-antivirus\windows-defender-antivirus-in-windows-10.md)
### [Windows Defender AV in the Windows Defender Security Center app](windows-defender-antivirus\windows-defender-security-center-antivirus.md)

6
windows/security/threat-protection/auditing/audit-security-group-management.md
View File

@ -31,9 +31,9 @@ This subcategory allows you to audit events generated by changes to security gro
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
**Events List:**

7
windows/security/threat-protection/change-history-for-threat-protection.md
View File

@ -12,6 +12,13 @@ ms.date: 10/31/2017
# Change history for threat protection
This topic lists new and updated topics in the [Threat protection](index.md) documentation.
## February 2018
New or changed topic | Description
---------------------|------------
[Security Compliance Toolkit](security-compliance-toolkit-10.md) | Added Office 2016 Security Baseline.
[Audit security group management](auditing/audit-security-group-management.md)| Added recommendation to audit Failure events.
## January 2018
|New or changed topic |Description |
|---------------------|------------|

4
windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
View File

@ -70,13 +70,13 @@ RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule
| **2 Required:WHQL** | By default, legacy drivers that are not Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Going forward, every new Windows 10compatible driver must be WHQL certified. |
| **3 Enabled:Audit Mode (Default)** | Enables the execution of binaries outside of the WDAC policy but logs each occurrence in the CodeIntegrity event log, which can be used to update the existing policy before enforcement. To begin enforcing a WDAC policy, delete this option. |
| **4 Disabled:Flight Signing** | If enabled, WDAC policies will not trust flightroot-signed binaries. This would be used in the scenario in which organizations only want to run released binaries, not flighted builds. |
| **5 Enabled:Inherent Default Policy** | This option is not currently supported. |
| **5 Enabled:Inherit Default Policy** | This option is not currently supported. |
| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and have UpdatePolicySigners added to the policy to enable future policy modifications. |
| **7 Allowed:Debug Policy Augmented** | This option is not currently supported. |
| **8 Required:EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All future Windows 10 and later drivers will meet this requirement. |
| **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. |
| **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. |
| **11 Disabled:Script Enforcement** | WDAC policies also restrict scripts and MSIs, and PowerShell runs in constrained language mode. Enabling this rule option will allow unsigned scripts to run and will leave PowerShell in full language mode. |
| **11 Disabled:Script Enforcement** | This option is not currently supported. |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as System Center Configuration Manager, that has been defined as a managed installer. |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). |

101
windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
View File

@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: high
author: brianlic-msft
ms.date: 11/02/2017
ms.date: 02/13/2018
---
# Steps to Deploy Windows Defender Application Control
@ -142,6 +142,12 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion = "65535.65535.65535.65535" />
<Deny ID="ID_DENY_D_1" FriendlyName="Powershell 1" Hash="02BE82F63EE962BCD4B8303E60F806F6613759C6" />
<Deny ID="ID_DENY_D_2" FriendlyName="Powershell 2" Hash="13765D9A16CC46B2113766822627F026A68431DF" />
@ -392,7 +398,58 @@ Microsoft recommends that you block the following Microsoft-signed applications
<Deny ID="ID_DENY_D_246" FriendlyName="PowerShell 246" Hash="0C4688AACD02829850DE0F792AC06D3C87895412A910EA76F7F9BF31B3B4A3E9"/>
<Deny ID="ID_DENY_D_247" FriendlyName="PowerShell 247" Hash="6DC048AFA50B5B1B0AD7DD3125AC83D46FED730A"/>
<Deny ID="ID_DENY_D_248" FriendlyName="PowerShell 248" Hash="432F666CCE8CD222484E263AE02F63E0038143DD6AD07B3EB1633CD3C498C13D"/>
<!--pubprn.vbs-->
<!--rs2 x86fre-->
<Deny ID="ID_DENY_D_249" FriendlyName="PubPrn 249" Hash="68E96BE23748AA680D5E1E557778901F332ED5D3" />
<Deny ID="ID_DENY_D_250" FriendlyName="PubPrn 250" Hash="8FA30B5931806565C2058E565C06AD5F1C5A48CDBE609975EB31207C25214063" />
<!--rs2 amd64fre-->
<Deny ID="ID_DENY_D_251" FriendlyName="PubPrn 251" Hash="32C4B29FE428B1DF473F3F4FECF519D285E93521" />
<Deny ID="ID_DENY_D_252" FriendlyName="PubPrn 252" Hash="D44FB563198D60DFDC91608949FE2FADAD6161854D084EB1968C558AA36513C7" />
<!--rs2 amd64chk-->
<Deny ID="ID_DENY_D_253" FriendlyName="PubPrn 253" Hash="9EDBEF086D350863F29175F5AB5178B88B142C75" />
<Deny ID="ID_DENY_D_254" FriendlyName="PubPrn 254" Hash="9B22C98351F2B6DEDDCED0D805C65F5B166FF519A8DF41EB242CB909471892EB" />
<!--rs2 x86chk-->
<Deny ID="ID_DENY_D_255" FriendlyName="PubPrn 255" Hash="8A3B30F345C43246B3500721CFEEADBAC6B9D9C6" />
<Deny ID="ID_DENY_D_256" FriendlyName="PubPrn 256" Hash="37C20BF20A2BBACE50957F8D0AB3FD16174BC005E79D47E51E899AFD9E4B7724" />
<!--rs2 woafre-->
<Deny ID="ID_DENY_D_257" FriendlyName="PubPrn 257" Hash="C659DAD2B37375781E2D584E16AAE2A10B5A1156" />
<Deny ID="ID_DENY_D_258" FriendlyName="PubPRn 258" Hash="EBDACA86F10AC0446D60CC75628EC7A370B1E2236E6D20F22372F91033B6D429" />
<!--rs3 amd64chk-->
<Deny ID="ID_DENY_D_259" FriendlyName="PubPrn 259" Hash="C9D6394BBFF8CD9C6590F08C54EC6AFDEB5CFFB4" />
<Deny ID="ID_DENY_D_260" FriendlyName="PubPrn 260" Hash="518E4EA7A2B70713E1AEC6E7E75A488C39384B625C5F2779073E9294CBF2BD9F" />
<!--rs3 amd64fre-->
<Deny ID="ID_DENY_D_261" FriendlyName="PubPrn 261" Hash="C9D6394BBFF8CD9C6590F08C54EC6AFDEB5CFFB4" />
<Deny ID="ID_DENY_D_262" FriendlyName="PubPrn 262" Hash="518E4EA7A2B70713E1AEC6E7E75A488C39384B625C5F2779073E9294CBF2BD9F" />
<!--rs3 arm64chk-->
<Deny ID="ID_DENY_D_263" FriendlyName="PubPrn 263" Hash="763A652217A1E30F2D288B7F44E08346949A02CD" />
<Deny ID="ID_DENY_D_264" FriendlyName="PubPrn 264" Hash="FCDDA212B06602F642B29FC05316EF75E4EE9975E6E8A9526E842BE2EA237C5D" />
<!--rs3 arm64fre-->
<Deny ID="ID_DENY_D_265" FriendlyName="PubPrn 265" Hash="763A652217A1E30F2D288B7F44E08346949A02CD" />
<Deny ID="ID_DENY_D_266" FriendlyName="PubPrn 266" Hash="FCDDA212B06602F642B29FC05316EF75E4EE9975E6E8A9526E842BE2EA237C5D" />
<!--rs3 woachk-->
<Deny ID="ID_DENY_D_267" FriendlyName="PubPrn 267" Hash="60FD28D770B23A0477679311D247DA4D5C61074C" />
<Deny ID="ID_DENY_D_268" FriendlyName="PubPrn 268" Hash="D09A4B2EA611CDFDC6DCA44314289B622B2A5EDA09716EF4A16B91EC90BFBA8F" />
<!--rs3 woafre-->
<Deny ID="ID_DENY_D_269" FriendlyName="PubPrn 269" Hash="60FD28D770B23A0477679311D247DA4D5C61074C" />
<Deny ID="ID_DENY_D_270" FriendlyName="PubPrn 270" Hash="D09A4B2EA611CDFDC6DCA44314289B622B2A5EDA09716EF4A16B91EC90BFBA8F" />
<!--rs3 x86chk-->
<Deny ID="ID_DENY_D_271" FriendlyName="PubPrn 271" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A" />
<Deny ID="ID_DENY_D_272" FriendlyName="PubPrn 272" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43" />
<!--rs3 x86fre-->
<Deny ID="ID_DENY_D_273" FriendlyName="PubPrn 273" Hash="47CBE201ED224BF3F5C322F7A49EF64469AF2E1A" />
<Deny ID="ID_DENY_D_274" FriendlyName="PubPrn 274" Hash="24855B9CC420719D5AB93F4F1589CE09E4063E4FC98681BD91A1D18A3C8ACB43" />
<!--rs3 sxs amd64-->
<Deny ID="ID_DENY_D_275" FriendlyName="PubPrn 275" Hash="663D8E25BAE20510A882F6692BE2620FBABFB94E" />
<Deny ID="ID_DENY_D_276" FriendlyName="PubPrn 276" Hash="649A9E5A4867A28C7D0934793F33B545F9441EA23872715C84826D80CC8EC576" />
<!--rs3 sxs arm64-->
<Deny ID="ID_DENY_D_277" FriendlyName="PubPrn 277" Hash="226ABB2FBAEFC5A7E2A819D9D708F826C00FD215" />
<Deny ID="ID_DENY_D_278" FriendlyName="PubPrn 278" Hash="AC6B35C904D388FD12C07C2F6A1A07F337D31895713BF01DCCE7A7F187D7F4D9" />
<!--rs3 sxs woa-->
<Deny ID="ID_DENY_D_279" FriendlyName="PubPrn 279" Hash="071D7849941E43144839988971255FE34690A747" />
<Deny ID="ID_DENY_D_280" FriendlyName="PubPrn 280" Hash="5AF75895BDC11A6B68C816A8677D7CF9692BF25A95C4378A43FBDE740B18EEB1" />
<!--rs3 sxs x86-->
<Deny ID="ID_DENY_D_281" FriendlyName="PubPrn 281" Hash="9FBFF074C201BFEBE37710CB453EFF9A14AE3BFF" />
<Deny ID="ID_DENY_D_282" FriendlyName="PubPrn 282" Hash="A0C71A925850D2D481C7E520F5D5A83305EC169EEA4C5B8DC20C8D8AFCD8A512" />
</FileRules>
<!--Signers-->
<Signers />
@ -430,6 +487,12 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_ADDINPROCESS"/>
<FileRuleRef RuleID="ID_DENY_ADDINPROCESS32"/>
<FileRuleRef RuleID="ID_DENY_ADDINUTIL"/>
<FileRuleRef RuleID="ID_DENY_WSL"/>
<FileRuleRef RuleID="ID_DENY_WSLCONFIG"/>
<FileRuleRef RuleID="ID_DENY_WSLHOST"/>
<FileRuleRef RuleID="ID_DENY_INFINSTALL"/>
<FileRuleRef RuleID="ID_DENY_LXRUN"/>
<FileRuleRef RuleID="ID_DENY_PWRSHLCUSTOMHOST"/>
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />
@ -678,6 +741,40 @@ Microsoft recommends that you block the following Microsoft-signed applications
<FileRuleRef RuleID="ID_DENY_D_246"/>
<FileRuleRef RuleID="ID_DENY_D_247"/>
<FileRuleRef RuleID="ID_DENY_D_248"/>
<FileRuleRef RuleID="ID_DENY_D_249"/>
<FileRuleRef RuleID="ID_DENY_D_250"/>
<FileRuleRef RuleID="ID_DENY_D_251"/>
<FileRuleRef RuleID="ID_DENY_D_252"/>
<FileRuleRef RuleID="ID_DENY_D_253"/>
<FileRuleRef RuleID="ID_DENY_D_254"/>
<FileRuleRef RuleID="ID_DENY_D_255"/>
<FileRuleRef RuleID="ID_DENY_D_256"/>
<FileRuleRef RuleID="ID_DENY_D_257"/>
<FileRuleRef RuleID="ID_DENY_D_258"/>
<FileRuleRef RuleID="ID_DENY_D_259"/>
<FileRuleRef RuleID="ID_DENY_D_260"/>
<FileRuleRef RuleID="ID_DENY_D_261"/>
<FileRuleRef RuleID="ID_DENY_D_262"/>
<FileRuleRef RuleID="ID_DENY_D_263"/>
<FileRuleRef RuleID="ID_DENY_D_264"/>
<FileRuleRef RuleID="ID_DENY_D_265"/>
<FileRuleRef RuleID="ID_DENY_D_266"/>
<FileRuleRef RuleID="ID_DENY_D_267"/>
<FileRuleRef RuleID="ID_DENY_D_268"/>
<FileRuleRef RuleID="ID_DENY_D_269"/>
<FileRuleRef RuleID="ID_DENY_D_270"/>
<FileRuleRef RuleID="ID_DENY_D_271"/>
<FileRuleRef RuleID="ID_DENY_D_272"/>
<FileRuleRef RuleID="ID_DENY_D_273"/>
<FileRuleRef RuleID="ID_DENY_D_274"/>
<FileRuleRef RuleID="ID_DENY_D_275"/>
<FileRuleRef RuleID="ID_DENY_D_276"/>
<FileRuleRef RuleID="ID_DENY_D_277"/>
<FileRuleRef RuleID="ID_DENY_D_278"/>
<FileRuleRef RuleID="ID_DENY_D_279"/>
<FileRuleRef RuleID="ID_DENY_D_280"/>
<FileRuleRef RuleID="ID_DENY_D_281"/>
<FileRuleRef RuleID="ID_DENY_D_282"/>
</FileRulesRef>
</ProductSigners>
</SigningScenario>

2
windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -16,7 +16,7 @@ ms.date: 11/28/2017
- Windows 10
- Windows Server 2016
Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
Virtualization-based protection of code integrity (herein referred to as hypervisor-protected code integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.
Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
Some applications, including device drivers, may be incompatible with HVCI.

5
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.author: sagaudre
author: brianlic-msft
ms.date: 10/16/2017
ms.date: 02/16/2018
---
# Microsoft Security Compliance Toolkit 1.0
@ -32,6 +32,9 @@ The Security Compliance Toolkit consists of:
- Windows Server 2016
- Windows Server 2012 R2
- Microsoft Office Security Baselines
- Office 2016
- Tools
- Policy Analyzer tool
- Local Group Policy Object (LGPO) tool

2
windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md
View File

@ -34,7 +34,7 @@ The **Interactive logon: Prompt user to change password before expiration** poli
### Location
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options
### Default values

6
windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: tedhardyMSFT
ms.date: 10/27/2017
ms.date: 02/16/2018
---
# Use Windows Event Forwarding to help with intrusion detection
@ -636,9 +636,9 @@ Here are the minimum steps for WEF to operate:
<!-- Detect User-Mode drivers loaded - for potential BadUSB detection. -->
<Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">*[System[(EventID=2004)]]</Select>
</Query>
<Query Id="14" Path=" Windows PowerShell">
<Query Id="14" Path="Windows PowerShell">
<!-- Legacy PowerShell pipeline execution details (800) -->
<Select Path=" Windows PowerShell">*[System[(EventID=800)]]</Select>
<Select Path="Windows PowerShell">*[System[(EventID=800)]]</Select>
</Query>
</QueryList>
```

10
windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
View File

@ -9,9 +9,9 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: iaanw
ms.author: iawilt
ms.date: 11/20/2017
author: andreabichsel
ms.author: v-anbic
ms.date: 02/08/2018
---
@ -38,7 +38,9 @@ Block at first sight is a feature of Windows Defender Antivirus cloud-delivered
It is enabled by default when certain pre-requisite settings are also enabled. In most cases, these pre-requisite settings are also enabled by default, so the feature is running without any intervention. You can use group policy settings to confirm the feature is enabled.
You can also [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file.
You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
> [!IMPORTANT]
> There is no specific individual setting in System Center Configuration Manager to enable or disable Block at First Sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature.

2
windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md
View File

@ -57,8 +57,8 @@ For more information, see [Pull Windows Defender ATP alerts using REST API](pull
Topic | Description
:---|:---
[Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)| Learn about enabling the SIEM integration feature in the **Preferences setup** page in the portal so that you can use and generate the required information to configure supported SIEM tools.
[Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)| Learn about installing the REST API Modular Input app and other configuration settings to enable Splunk to pull Windows Defender ATP alerts.
[Configure HP ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)| Learn about installing the HP ArcSight REST FlexConnector package and the files you need to configure ArcSight to pull Windows Defender ATP alerts.
[Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md) | Understand what data fields are exposed as part of the alerts API and how they map to the Windows Defender ATP portal.
[Pull Windows Defender ATP alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md) | Use the Client credentials OAuth 2.0 flow to pull alerts from Windows Defender ATP using REST API.
[Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md) | Address issues you might encounter when using the SIEM integration feature.

BIN
windows/security/threat-protection/windows-defender-atp/images/atp-time-zone.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 851 B

2
windows/security/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md
View File

@ -72,7 +72,7 @@ The numbers beside the green triangle icon on each recommended action represents
>[!IMPORTANT]
>Recommendations that do not display a green triangle icon are informational only and no action is required.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
Clicking **View machines** in a specific recommendation opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice.
The following image shows an example list of machines where the EDR sensor is not turned on.

17
windows/security/threat-protection/windows-defender-atp/settings-windows-defender-advanced-threat-protection.md
View File

@ -1,5 +1,5 @@
---
title: Windows Defender Advanced Threat Protection settings
title: Windows Defender Advanced Threat Protection time zone settings
description: Use the menu to configure the time zone and view license information.
keywords: Windows Defender ATP settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license
search.product: eADQiWindows 10XVcnh
@ -8,12 +8,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: DulceMV
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/30/2017
ms.date: 02/13/2018
---
# Windows Defender Advanced Threat Protection settings
# Windows Defender Advanced Threat Protection time zone settings
**Applies to:**
@ -27,7 +27,7 @@ ms.date: 10/30/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-settings-abovefoldlink)
Use the **Settings** menu ![Settings icon](images/settings.png) to configure the time zone and view license information.
Use the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png) to configure the time zone and view license information.
## Time zone settings
The aspect of time is important in the assessment and analysis of perceived and actual cyberattacks.
@ -36,7 +36,7 @@ Cyberforensic investigations often rely on time stamps to piece together the seq
Windows Defender ATP can display either Coordinated Universal Time (UTC) or local time.
Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Settings** menu ![Settings icon](images/settings.png).
Your current time zone setting is shown in the Windows Defender ATP menu. You can change the displayed time zone in the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
### UTC time zone
Windows Defender ATP uses UTC time by default.
@ -55,7 +55,7 @@ The Windows Defender ATP time zone is set by default to UTC.
Setting the time zone also changes the times for all Windows Defender ATP views.
To set the time zone:
1. Click the **Settings** menu ![Settings icon](images/settings.png).
1. Click the **Time zone** menu ![Time zone settings icon](images/atp-time-zone.png).
2. Select the **Timezone UTC** indicator.
3. Select **Timezone UTC** or your local time zone, for example -7:00.
@ -88,5 +88,4 @@ The following date and time formats are currently not supported:
**Decimal symbol used in numbers**<br>
Decimal symbol used is always a dot, even if a comma is selected in the **Numbers** format settings in **Region** settings. For example, 15,5K is displayed as 15.5K.
## License
Click the license link in the **Settings** menu to view the license agreement information for Windows Defender ATP.

1
windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -307,5 +307,6 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us
## Related topics
- [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
- [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md)
- [Configure endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)

23
windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
ms.date: 02/13/2018
---
# Troubleshoot SIEM tool integration issues
@ -36,7 +36,7 @@ If your client secret expires or if you've misplaced the copy provided when you
1. Login to the [Azure management portal](https://ms.portal.azure.com).
2. Select **Active Directory**.
2. Select **Azure Active Directory**.
3. Select your tenant.
@ -48,10 +48,27 @@ If your client secret expires or if you've misplaced the copy provided when you
7. Copy the value and save it in a safe place.
## Error when getting a refresh access token
If you encounter an error when trying to get a refresh token when using the threat intelligence API or SIEM tools, you'll need to add reply URL for relevant application in Azure Active Directory.
1. Login to the [Azure management portal](https://ms.portal.azure.com).
2. Select **Azure Active Directory**.
3. Select your tenant.
4. Click **App Registrations**. Then in the applications list, select the application:
- For SIEM: `https://WindowsDefenderATPSiemConnector`
- For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
5. Add the following URL:
- For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
- For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
6. Click **Save**.
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink)
## Related topics
- [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md)
- [Configure ArcSight to pull Windows Defender ATP alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)

2
windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md
View File

@ -71,6 +71,6 @@ Support of use of comma as a separator in numbers are not supported. Regions whe
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshoot-belowfoldlink)
### Related topic
## Related topics
- [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
- [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)

1
windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
View File

@ -40,4 +40,5 @@ Topic | Description
[Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md) | Create custom threat intelligence alerts so that you can generate specific alerts that are applicable to your organization.
[PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md) | Use the PowerShell code examples to guide you in using the custom threat intelligence API.
[Python code examples](python-example-code-windows-defender-advanced-threat-protection.md) | Use the Python code examples to guide you in using the custom threat intelligence API.
[Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md) | This article demonstrates an end-to-end usage of the threat intelligence API to get you started in using the threat intelligence API.
[Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md) | Learn how to address possible issues you might encounter while using the threat intelligence API.

27
windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 10/16/2017
ms.date: 02/13/2018
---
# Use the Windows Defender Advanced Threat Protection portal
@ -27,32 +27,19 @@ ms.date: 10/16/2017
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
A typical security breach investigation requires a member of a security operations team to:
You can use the Windows Defender ATP portal to carry out an end-to-end security breach investigation through the dashboards.
1. View an alert on the **Security operations dashboard** or **Alerts queue**
2. Review the indicators of compromise (IOC) or indications of attack (IOAs)
3. Review a timeline of alerts, behaviors, and events from the machine
4. Manage alerts, understand the threat or potential breach, collect information to support taking action, and resolve the alert
Use the **Security operations** dashboard to gain insight on the various alerts on machines and users in your network.
![Flowchart describing the four stages of investigation](images/overview.png)
Use the **Security analytics** dashboard to expand your visibility on the overall security posture of your organization. You'll see machines that require attention and recommendations that can help you reduce the attack surface in your organization.
Security operation teams can use Windows Defender ATP portal to carry out this end-to-end process without having to leave the portal.
Teams can monitor the overall status of enterprise endpoints from the **Security operations dashboard**, gain insight on the various alerts, their category, when they were observed, and how long theyve been in the network at a glance.
### In this section
Topic | Description
:---|:---
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the portal layout and area descriptions.
[View the Windows Defender Advanced Threat Protection Security operations dashboard](dashboard-windows-defender-advanced-threat-protection.md) | The Windows Defender ATP **Security operations dashboard** provides a snapshot of your network. You can view aggregates of alerts, the overall status of the service of the endpoints on your network, investigate machines, files, and URLs, and see snapshots of threats seen on machines.
[View the Windows Defender Advanced Threat Protection Security analytics dashboard](security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | The **Security Analytics dashboard** expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place.
[View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) | You can sort and filter alerts across your network, and drill down on individual alert queues such as new, in progress, or resolved queues.
[Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)| Investigate alerts in Windows Defender ATP which might indicate possible security breaches on endpoints in your organization.
[Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
[Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
[Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
[Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
[Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
[Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
[Take response actions](response-actions-windows-defender-advanced-threat-protection.md)| Take action on a machine or file to quickly respond to detected attacks.