deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #793 from Microsoft/wdav-update-compl-pubprev

Browse Source 
Update compliace - publish on Thurs 6/1
This commit is contained in:
Elizabeth Ross 2017-06-01 10:09:18 -07:00 committed by GitHub
commit d78dae8ea8
15 changed files with 138 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/deployment/update/images/update-compliance-wdav-assessment.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-prot-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-add-filter.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-filter.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-log.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-status-query.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.7 KiB

BIN
windows/deployment/update/images/update-compliance-wdav-threat-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 19 KiB

3
windows/deployment/update/update-compliance-get-started.md
View File

@ -32,6 +32,9 @@ Update Compliance has the following requirements:
<TR><TD>Online Crash Analysis <TD>oca.telemetry.microsoft.com
</TABLE>
4. To use Windows Defender Antivirus Assessment, devices must be protected by Windows Defender AV (and not a 3rd party AV program), and must have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). See the [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) content library for more information on enabling, configuring, and validating Windows Defender AV.
## Add Update Compliance to Microsoft Operations Management Suite
Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/).

131
windows/deployment/update/update-compliance-using.md
View File

@ -31,7 +31,8 @@ Update Compliance has the following primary blades:
3. [Latest and Previous Security Update Status](#latest-and-previous-security-update-status)
4. [Overall Feature Update Status](#overall-feature-update-status)
5. [CB, CBB, LTSB Deployment Status](#cb-cbb-ltsb-deployment-status)
6. [List of Queries](#list-of-queries)
6. [Windows Defender Antivirus Assessment](#wdav-assessment)
7. [List of Queries](#list-of-queries)
## OS Update Overview
@ -41,6 +42,7 @@ The first blade of OMS Update Compliance is the General **OS Update Overview** b
![OS Update Overview](images/uc-11.png)
This blade is divided into three sections:
- Device Summary:
- Needs Attention Summary
@ -139,6 +141,133 @@ The Overall Feature Update Status blade focuses around whether or not your devic
Devices are evaluated by OS Version (e.g., 1607) and the count of how many are Current, Not Current, and have Update Failures is displayed. Clicking on any of these counts will allow you to view all those devices, as well as select the **Update Deployment Status** perspective, described below.
<a id="wdav-assessment"></a>
## Windows Defender Antivirus Assessment
You'll notice some new tiles in the Overview blade which provide a summary of Windows Defender AV-related issues, highlighted in the following screenshot.
![verview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-overview.png)
The **AV Signature** chart shows the number of devices that either have up-to-date [protection updates (also known as signatures or definitions)](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus), while the **Windows Defender AV Status** tile indicates the percentage of all assessed devices that are not updated and do not have real-time protection enabled. The Windows Defender Antivirus Assessment section provides more information that lets you investigate potential issues.
If you're using [Windows Defender Antivirus in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) to protect devices in your organization and have enabled [cloud-delivered protection](/windows/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus), you can use this section to review the overall status of key protection features, including the number of devices that have [always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) and up-to-date definitions.
There are two blades in the Windows Defender AV Assessment section:
- Protection status
- Threats status
![Windows Defender Antivirus Assessment blade in Update Compliance](images/update-compliance-wdav-assessment.png)
The **Protection Status** blade shows three key measurements:
1. How many devices have old or current signatures (also known as protection updates or definitions)
2. How many devices have the core Windows Defender AV always-on scanning feature enabled, called real-time protection
![Windows Defender Antivirus protection status in Update Compliance](images/update-compliance-wdav-prot-status.png)
See the [Manage Windows Defender AV updates and apply baselines](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) topic for an overview on how updates work, and further information on applying updates.
The **Threats Status** blade shows the following measurements:
1. How many devices that have threats that have been remediated (removed or quarantined on the device)
2. How many devices that have threats where remediation was not successful (this may indicate a manual reboot or clean is required)
![Windows Defender Antivirus threat status in Update Compliance](images/update-compliance-wdav-threat-status.png)
Devices can be in multiple states at once, as one device may have multiple threats, some of which may or may not be remediated.
> [!IMPORTANT]
> The data reported in Update Compliance can be delayed by up to 24 hours.
See the [Customize, initiate, and review the results of Windows Defender AV scans and remediation](/windows/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus) topic for more information on how to perform scans and other manual remediation tasks.
As with other blades in Update Compliance, clicking on a specific measurement or item will open the associated query that you can use to investigate individual devices and issues, as described below.
### Investigate individual devices and threats
Click on any of the status measurements to be taken to a pre-built log query that shows the impacted devices for that status.
![Sample Windows Defender AV query in Update Compliance](images/update-compliance-wdav-status-log.png)
You can also find a pre-built query on the main Update Compliance screen, under the **Queries** blade, that lists devices that have not been assessed for Windows Defender AV.
![Overview blade showing a summary of key Windows Defender Antivirus issues](images/update-compliance-wdav-query-not-assessed.png)
You can further filter queries by clicking any of the measurement labels for each incident, changing the values in the query filter pane, and then clicking **Apply**.
![Click the Apply button on the left pane](images/update-compliance-wdav-status-filter-apply.png)
Click **+Add** at the bottom of the filter pane to open a list of filters you can apply.
![Click Add to add more filters](images/update-compliance-wdav-status-add-filter.png)
You can also click the **. . .** button next to each label to instantly filter by that label or value.
![Click the elipsis icon to instantly filter by the selected label](images/update-compliance-wdav-status-filter.png)
You can create your own queries by using a query string in the following format:
```
Type:<Group type> <Label>="<Value>"
```
You can use the following `<Group type>` options to scope your query:
- `Type:WDAVStatus` to query information related to signature and real-time protection status
- `Type:WDAVThreat` to query information about threat remediation and specific threats
The `<Label>`, and `<Value>` fields are listed in the following table. All labels and values are case sensitive and must be entered as written below (including spaces).
For queries that use `Type:WDAVStatus`, you can use the following labels and values.
Label | Value
---|---
`Computer`|\<computer name>
`ComputerID`|\<computer ID>
`OSName`|\<Operating system name>
`UpdateStatus`|`Not assessed` <br />`Signature up-to-date` <br />`Signature out-of-date`
`DetailedStatus`|`Unknown` <br />`Non-Microsoft AV` <br />`No AV` <br />`AV expired` <br />`Disabled by GP` <br />`Disabled by LP` <br />`Recently disappeared`
`ProtectionState`|`Real-time protection is off `<br />`Real-time protection is on`
`MoreInformation`| \<free text string>
`LastScan`| \<date and time of the last scan>
For queries that use `Type:WDAVThreat`, you can use the following labels and values.
Label | Value
---|---
`Computer`|\<computer name>
`ComputerID`|\<computer ID>
`ThreatName`|\<detected threat name>
`ThreatStatus`|`Remediation failed`<br/>`Remediated`
`ThreatAction`|`Remediation pending reboot`
`ThreatError`|`Disk full`<br/>`Network issue`<br/>`Operation aborted`
`MoreInformation`|\<free text string>
`LastScan`|\<date and time of the last scan>
You can add multiple label-value pairs in the same query to refine and filter the results.
![Add multiple value and name pairs in your query, separated by spaces](images/update-compliance-wdav-status-query.png)
## CB, CBB, LTSB Deployment Status

2
windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md
View File

@ -84,6 +84,6 @@ Topic | Description
---|---
[Deploy and enable Windows Defender Antivirus protection](deploy-windows-defender-antivirus.md) | While the client is installed as a core part of Windows 10, and traditional deployment does not apply, you will still need to enable the client on your endpoints with System Center Configuration Manager, Microsoft Intune, or Group Policy Objects.
[Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) | There are two parts to updating Windows Defender Antivirus: updating the client on endpoints (product updates), and updating definitions (protection updates). You can update definitions in a number of ways, using System Center Configuration Manager, Group Policy, PowerShell, and WMI.
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection
[Monitor and report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md) | You can use System Center Configuration Manager, the Update Compliance add-in for Microsoft Operations Management Suite, a third-party SIEM product (by consuming Windows event logs), or Microsoft Intune to monitor protection status and create reports about endpoint protection

2
windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -33,7 +33,7 @@ You can also apply [Windows security baselines](https://technet.microsoft.com/en
Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates".
The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
## Product updates

3
windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md
View File

@ -28,6 +28,9 @@ There are a number of ways you can review protection status and alerts, dependin
You can use System Center Configuration Manager to [monitor Windows Defender AV protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using the [Microsoft Intune console](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection).
Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender AV issues, including protection updates and real-time protection settings.
If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx).
Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md).