Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into FromPrivateRepo

2025-05-13 13:57:22 +00:00 · 2019-07-22 15:44:11 -07:00 · 2019-07-22 15:44:11 -07:00 · d74a3d0846
commit d74a3d0846
parent 18e2b9c0aa 52bba83f89
8 changed files with 211 additions and 22 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -14156,6 +14156,116 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/client-management/mdm/create-a-custom-configuration-service-provider.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/client-management/mdm/design-a-custom-windows-csp.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/iconfigserviceprovider2.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/iconfigserviceprovider2getnode.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnode.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodeadd.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodeclear.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodecopy.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodedeletechild.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodedeleteproperty.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodeexecute.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodegetchildnodenames.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodegetproperty.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodegetpropertyidentifiers.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodegetvalue.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodemove.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodesetproperty.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodesetvalue.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspnodetransactioning.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/icspvalidate.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md",
+"redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/keep-secure/collect-wip-audit-event-logs.md",
 "redirect_url": "/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs",
 "redirect_document_id": true
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -3,6 +3,19 @@
 ## [Overview]()
 ### [What is Microsoft Defender Advanced Threat Protection?](microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md)
 ### [Overview of Microsoft Defender ATP capabilities](microsoft-defender-atp/overview.md)
+### [Threat & Vulnerability Management]()
+#### [Next-generation capabilities](microsoft-defender-atp/next-gen-threat-and-vuln-mgt.md)
+#### [What's in the dashboard and what it means for my organization](microsoft-defender-atp/tvm-dashboard-insights.md)
+#### [Exposure score](microsoft-defender-atp/tvm-exposure-score.md)
+#### [Configuration score](microsoft-defender-atp/configuration-score.md)
+#### [Security recommendation](microsoft-defender-atp/tvm-security-recommendation.md)
+#### [Remediation](microsoft-defender-atp/tvm-remediation.md)
+#### [Software inventory](microsoft-defender-atp/tvm-software-inventory.md)
+#### [Weaknesses](microsoft-defender-atp/tvm-weaknesses.md)
+#### [Scenarios](microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md)
+
+
+
 ### [Attack surface reduction]()
 #### [Hardware-based isolation]()
 ##### [Hardware-based isolation in Windows 10](microsoft-defender-atp/overview-hardware-based-isolation.md)
@ -433,7 +446,6 @@

 #### [Configure managed security service provider (MSSP) support](microsoft-defender-atp/configure-mssp-support.md)

-### [Configure and manage Microsoft Threat Experts capabilities](microsoft-defender-atp/configure-microsoft-threat-experts.md)

 ### [Configure Microsoft threat protection integration]()
 #### [Configure conditional access](microsoft-defender-atp/configure-conditional-access.md)
--- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
+++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md
@ -6,11 +6,12 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-ms.author: dansimp
-author: dansimp
+ms.author: daniha
+author: danihalfin
 ms.date: 02/22/2019
 ms.reviewer: 
 manager: dansimp
+audience: ITPro
 ---

 # How to control USB devices and other removable media using Windows Defender ATP
@ -31,7 +32,7 @@ Microsoft recommends [a layered approach to securing removable media](https://ak
   - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. 
   - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. 

-
+![Create device configuration profile]
 These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection.


@ -102,6 +103,72 @@ DMA attacks can lead to disclosure of sensitive information residing on a PC, or
   - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess)
   - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)

+### Restrict USB Drives and Other Peripherals
+
+To prevent malware infections or data loss, an organization may restrict USB drives and other peripherals. The following table describes the ways Microsoft Defender Advanced Threat Protection can help prevent installation and usage of USB drives and other peripherals.
+
+| Control  | Description |
+|----------|-------------|
+| Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types |
+| Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types |
+
+All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates:
+
+![Admintemplates](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/admintemplates.png)
+
+>[!Note]
+>Using Intune, you can apply device configuration policies to AAD user and/or device groups.
+The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)).
+
+>[!Note]
+>Always test and refine these settings with a pilot group of users and devices first before applying them in production.
+For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://www.microsoft.com/security/blog/2018/12/19/windows-defender-atp-has-protections-for-usb-and-removable-devices/).
+
+### Allow installation and usage of USB drives and other peripherals
+
+One way to approach allowing installation and usage of USB drives and other peripherals is to start by allowing everything. Afterwards, you can start reducing the allowable USB drivers and other peripherals. 
+
+>[!Note]
+>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them.
+>1.	Enable **prevent installation of devices not described by other policy settings** to all users.
+>2.	Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors).
+To enforce the policy for already installed devices, apply the prevent policies that have this setting.
+
+If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example,
+
+1.	Remove class USBDevice from the **allow installation of devices using drivers that match these device setup**
+2.	Add the VID/PID to allow in the **allow installation of device that match any of these device IDs**
+
+>[!Note]
+>How to locate the VID/PID: Using Device Manager; right click on the device and select properties.  Click details tab, click property drop down list, and choose hardware Ids. Right click the top ID value and select copy.
+
+>Using PowerShell: Get-WMIObject -Class Win32_DiskDrive |
+Select-Object -Property *  
+>For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers)
+
+### Prevent installation and usage of USB drives and other peripherals
+If you want to prevent a device class or certain devices, you can use the prevent device installation policies. 
+
+1.	Enable **Prevent installation of devices that match any of these device IDs**. 
+2.	Enable the **Prevent installation of devices that match these device setup classes policy**.
+
+>[!Note]
+>The prevent device installation policies take precedence over the allow device installation policies. 
+
+### Security Baseline
+
+The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP.  Configuration settings for baseline are located here in the edit profile page of the configuration settings.
+
+![Baselines](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png)
+
+### Bluetooth
+
+Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed.  As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. 
+
+![Bluetooth](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png)
+
+
+

 ## Detect plug and play connected events

@ -156,11 +223,6 @@ For more information about controlling USB devices, see the [Microsoft Secure bl

 ### Only allow installation and usage of specifically approved peripherals

-Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation).
-For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0".
-
-![Custom profile](images/custom-profile-allow-device-ids.png)
-
 Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one.

 For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses).
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 05/01/2019
 ms.reviewer: 
 manager: dansimp
 ---
@ -37,6 +36,9 @@ You can also [customize the message displayed on users' desktops](https://docs.m

 When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.

+Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
+
 In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.

 Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
--- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md
@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---
@ -25,6 +24,9 @@ manager: dansimp
 >[!NOTE]
 >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.

+Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
+
 You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.

 See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection.
--- a/windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
+++ b/windows/security/threat-protection/windows-defender-antivirus/images/microsoft-defender-atp-next-generation-protection-engines.png
--- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md
@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---
@ -24,8 +23,10 @@ manager: dansimp

 Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.  

-To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. 
+Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  

+To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. 

 >[!NOTE]
 >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md
@ -11,7 +11,6 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 09/03/2018
 ms.reviewer: 
 manager: dansimp
 ---
@ -29,6 +28,9 @@ Windows Defender Antivirus includes:
 - [Always-on scanning](configure-real-time-protection-windows-defender-antivirus.md), using advanced file and process behavior monitoring and other heuristics (also known as "real-time protection")
 - [Dedicated protection updates](manage-updates-baselines-windows-defender-antivirus.md) based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research

+Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
+![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)  
+
 You can configure and manage Windows Defender Antivirus with:
 - System Center Configuration Manager (as System Center Endpoint Protection, or SCEP) 
 - Microsoft Intune
@ -36,14 +38,6 @@ You can configure and manage Windows Defender Antivirus with:
 - Windows Management Instrumentation (WMI)
 - Group Policy

->[!TIP]
->You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
->- Cloud-delivered protection
->- Fast learning (including Block at first sight)
->- Potentially unwanted application blocking
-
-Check out [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp), including new features and capabilities in Windows Defender Antivirus.
-
 <a id="sysreq"></a>
 ## Minimum system requirements

@ -53,6 +47,12 @@ Windows Defender AV has the same hardware requirements as Windows 10. For more i

 Functionality, configuration, and management is largely the same when using Windows Defender AV on Windows Server 2016; however, [there are some differences](windows-defender-antivirus-on-windows-server-2016.md).

+>[!TIP]
+>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working and see how they work:
+>- Cloud-delivered protection
+>- Fast learning (including Block at first sight)
+>- Potentially unwanted application blocking
+
 ## Related topics

 - [Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md)